403 Forbidden using cURL for access token request


403 Forbidden using cURL for access token request

I'm using this PHP wrapper code for access token request:
$apiKey = "";
$consumerSecret = "";
$redirectURI = "";
$code = $_REQUEST['code'];
$username = $_REQUEST['username'];
//We will use PHP cURL to make a request to Constant Contact to get the Access Token.
$rqurl = "https://oauth2.constantcontact.com/oauth2/oauth/token?grant_type=authorization_code&client_id=$apiKey&client_secret=$consumerSecret&code=$code&redirect_uri=$redirectURI";
$rq = curl_init();
curl_setopt($rq, CURLOPT_URL, $rqurl);
curl_setopt($rq, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($rq, CURLOPT_BINARYTRANSFER, 1);
curl_setopt($rq, CURLOPT_HEADER, 0);
curl_setopt($rq, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($rq, CURLOPT_POST, 1); 
$result = curl_exec($rq);
...after hard-coding the individual url parameters and testing, I get a 403 Forbidden when printing $result.  However, when I do a <form> post instead with the same url for action=, I get the expected token.json. 
I've also tried:  curl_setopt($rq, CURLOPT_CUSTOMREQUEST, "POST");
For cURL:  Do I need to configure the headers?  Or set a session attribute for $rq?
Is cURL's post inherently missing something that a <form> post satisfies?

Without seeing the response for why you're receiving the 403, you should be able to get that from the response body for the cURL request, it's hard to trouble shoot this effectively.  The most common issue is that there is an encoding failure in something in the URL.  This can often times happen in the redirect_uri parameter.  If you've already checked these values, can you reply with the details of the 403 error you're receiving?


On another note, we do offer a fully functional PHP implementation of OAuth 2.0 with our PHP wrapper library.  We highly recommend using that as it can save you a lot of time in serializing payloads, implementing OAuth and other detail pieces that can consume lots of time.   Let us know if there is something missing or a reason why you decided not to use that, we'd be very interested to understand how we can make it better.  You can find our PHP wrapper here: https://github.com/constantcontact/php-sdk

Dave Berard
Senior Product Manager, Constant Contact

Thanks for the reply.  Yes, the 403 response after my cURL access token request is: 


You don't have permission to access /oauth2/oauth/siteowner/authorize on this server.



Developer Portal

View API documentation, code samples, get your API key.

Visit Page