refreshing access_tokens using js

SOLVED
Go to solution
JackM860
Rookie
0 Votes

Hello,

 

I'm trying to create a js function using fetch to refresh my access_token but it doesn't work. Every time I get the below error:

 

Access to fetch at 'https://idfed.constantcontact.com/as/token.oauth2' from origin 'myUrl' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

 

I'm guessing this works on the backend only??

 

Please advise!

 

Thanks,

 

1 ACCEPTED SOLUTION
Caleb_A
Employee
0 Votes

Hello Jack,

 

My name is Caleb and I am a member of Constant Contact's API Developer Support.

 

You are correct, the OAuth Server flow that you are currently utilizing does not allow requests that come from browser or client-based applications. These types of applications leave their source code open to the public which when using the OAuth Server flow would result in your client secret being exposed.

 

Due to this, the server flow endpoint rejects any requests from these applications and returns the CORS Policy error that you have provided. In order for your application to function you will need to use the OAuth Client Flow which does not allow an access token to be refreshed and instead will have the user re-authorize the application with their account after the token has expired.

 

OAuth 2.0 Client Flow:
https://developer.constantcontact.com/api_guide/client_flow.html

 

Alternatively, you could have a server-sided application make the authentication requests using the OAuth Server flow which could then pass the authorization token to your client-sided application to be used in making the requests.

 

We also wanted to notate that we are looking into other authentication flows which would provide the same level of security as the current system, but would also allow for the tokens to be refreshed by the client side flow.


Regards,

Caleb A.
API Support Specialist

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.

View solution in original post

2 REPLIES 2
Caleb_A
Employee
0 Votes

Hello Jack,

 

My name is Caleb and I am a member of Constant Contact's API Developer Support.

 

You are correct, the OAuth Server flow that you are currently utilizing does not allow requests that come from browser or client-based applications. These types of applications leave their source code open to the public which when using the OAuth Server flow would result in your client secret being exposed.

 

Due to this, the server flow endpoint rejects any requests from these applications and returns the CORS Policy error that you have provided. In order for your application to function you will need to use the OAuth Client Flow which does not allow an access token to be refreshed and instead will have the user re-authorize the application with their account after the token has expired.

 

OAuth 2.0 Client Flow:
https://developer.constantcontact.com/api_guide/client_flow.html

 

Alternatively, you could have a server-sided application make the authentication requests using the OAuth Server flow which could then pass the authorization token to your client-sided application to be used in making the requests.

 

We also wanted to notate that we are looking into other authentication flows which would provide the same level of security as the current system, but would also allow for the tokens to be refreshed by the client side flow.


Regards,

Caleb A.
API Support Specialist

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
JackM860
Rookie
0 Votes

Hello Caleb,

 

Thanks a lot for your wide explanation it clarified all my doubts. Indeed, it will be really useful to could implement this feature on the client-side to avoid uneeded server-requests. I'll stay tuned for your further updates.

 

Thanks and regards,

Resources
Developer Portal

View API documentation, code samples, get your API key.

Visit Page

Announcements

API Updates

Join our list to be notified of new features and updates to our V3 API.

Sign Up