
OAuth2 and plugins

Occasional Participant


I am creating a WordPress plugin for a client to talk to CtCt and it occurs to me that I might want to release it for general use. One thing that I'm wondering about has to do with the OAuth "redirect URL" parameter, which apparently has to be set in the developer's "application" definition. In other words, if 20 different web sites wanted to use the plugin, they all have to pass the exact same redirect URL in order to get an access token - so clearly they can't request redirect back to themselves.

 

Am I correct in assuming that in order to create a plugin for CtCt customers to be able to use with just their account credentials, without having to become CtCt developers themselves, I would have to also create, on some web site that *I* own, a service to field the redirects and forward them to the actual sites that need them?

 

That might well be a deal breaker for a general-use plugin, free or otherwise.

 

-jim

 

 

Moderator

Re: OAuth2 and plugins

That's a great assessment of the situation.  You're completely right, the way it is implemented today you would need to have a centralized server to handle the redirection traffic to the correct WordPress site. 

 

Having our dev team look over the (now in final stages) RFC for OAuth 2.0 to make sure we are following the latest version.  If we can update to support this and it passes our security teams review, we'll definitely look at finding a solution for this.  We certainly want to have great open source plugins for apps like WordPress and want to help support the developer ecosystems around these platforms. 

 

Will hopefully have at least a directional update on this soon.

Dave Berard
Senior Product Manager, Constant Contact
Moderator

Re: OAuth2 and plugins

So our dev team looked into this.  Unfortunately, our comparison is required by the OAuth 2.0 spec, see section 3.1.2 for clarification: http://tools.ietf.org/html/rfc6749#section-3.1.2

 

However, I'm sure that this problem can't be unique to Constant Contact and there must be a solution for this.  Otherwise, Facebook, Google and other OAuth providers would have issues with WordPress plugins and we know that isn't the case.  We're going to do some research to see how this is solved by other companies and if it's something we can use on our side for this problem.

Dave Berard
Senior Product Manager, Constant Contact
Occasional Participant

Re: OAuth2 and plugins

 

Let's just say I'm dubious as to the security inherent in all of this.

 

I mean, if I set my application's "redirect url" to a page on a site of my own that consists solely of this:

 

<?php
// Relay page registered as the application's fixed OAuth redirect URL.
// The plugin adds a base64-encoded "dest_url" to the query; the
// authorization server appends its own parameters (code, state, ...)
// and this page bounces the entire incoming query string, dest_url
// included, on to the decoded destination.
if (isset($_GET['dest_url']))
{
    $url = base64_decode($_GET['dest_url']) . '?' . $_SERVER['QUERY_STRING'];
    header('Location: ' . $url);
}
exit();
?>

 

and in the plugin use that url, but add an encoded "dest_url" parameter pointing to the site the plugin is part of, the whole thing just works - for installations on any site.

 

It kinda makes me feel that by doing that I've somehow subverted OAuth - but if it can be done that simply what value was there really in the fixed redirect URL in the first place?

 

Am I making any sense?

-jim

Moderator

Re: OAuth2 and plugins

In the scenario you described, the security works as intended from the spec, which is that it reduces the likelihood of a man in the middle attack and a few other common attack vectors by guaranteeing the destination is pre-configured and can't be hijacked or changed.

 

In the scenario you described, that security measure is still in place.  The request was processed and sent to the intended recipient who, once receiving it through the predefined endpoint, can then do whatever they need to with the response.

 

Definitely understand what you're saying and we are still pursuing alternatives to see if there are other options.  So far, our research has yielded many sites with the exact same implementation and limitations as us.  We haven't found any major company who has any different implementation.  Will update if we have anything further to share.

Dave Berard
Senior Product Manager, Constant Contact
Occasional Participant

Re: OAuth2 and plugins

 

Thanks Dave.

 

You know, just thinking off the cuff:

 

Would it be possible/practical for CtCt to, as part of the application definition process (when a developer names his app and initially sets the redirect endpoint and all that), offer a CtCt-hosted redirection endpoint that acts pretty much as I described?

 

So, for instance, instead of entering a fixed redirect URL of my own, I would have the option of clicking a checkbox that would cause the form to display something like:

 

http://applications.constantcontact.com/<some app-unique id>/auth_endpoint.php

 

with the instruction that I would need to append to the query a "?dest_uri=<encoded actual URI>" parameter.

 

Like I said - just a thought.

 

-jim
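The relay jim sketches above, and the CtCt-hosted variant he proposes, both take the final destination from a parameter on the query string. The value of the fixed redirect URL that Dave describes survives only if the relay refuses to forward to destinations it does not already know; a relay that redirects to whatever dest_url says is the open redirector that RFC 6749 (the spec Dave links) warns about in section 10.15, because anyone who can start an authorization flow with a crafted dest_url can have the authorization code delivered to a site of their choosing. Below is an added example of a relay written the other way; it is not Constant Contact's code nor the plugin's, and the hostnames, the `dest` parameter, the registry array and the sample codes are all assumptions. The destination site still generates and checks its own `state` value, which the relay passes through untouched.

```php
<?php
// Added example: a relay that forwards the OAuth 2.0 authorization response
// only to pre-registered destinations. Not Constant Contact's code or the
// plugin's code; every hostname, id and sample value here is assumed.
declare(strict_types=1);

/**
 * Destinations the relay will forward to, keyed by the short id a plugin
 * installation puts in the redirect URI's query component ("?dest=site-a").
 * Hypothetical entries; a real relay would fill this when a site registers.
 */
const REGISTERED_DESTINATIONS = [
    'site-a' => 'https://site-a.example/wp-admin/admin.php?page=ctct-oauth',
    'site-b' => 'https://site-b.example/ctct/callback',
];

/** Only these authorization-response parameters (RFC 6749 4.1.2 / 4.1.2.1) are forwarded. */
const FORWARDED_PARAMS = ['code', 'state', 'error', 'error_description', 'error_uri'];

/**
 * Compute the Location for the forward, or null when the relay must refuse.
 * $query is the relay's parsed query string (what PHP exposes as $_GET).
 */
function build_forward_location(array $query): ?string
{
    $dest = $query['dest'] ?? null;
    if (!is_string($dest) || !array_key_exists($dest, REGISTERED_DESTINATIONS)) {
        return null; // unknown destination: never act as an open redirector
    }

    $forward = [];
    foreach (FORWARDED_PARAMS as $key) {
        if (isset($query[$key]) && is_string($query[$key])) {
            $forward[$key] = $query[$key];
        }
    }
    // A response carries either a code or an error; anything else is not
    // an authorization response and is dropped, "dest" included.
    if (!isset($forward['code']) && !isset($forward['error'])) {
        return null;
    }

    $base = REGISTERED_DESTINATIONS[$dest];
    $sep  = (strpos($base, '?') === false) ? '?' : '&';
    return $base . $sep . http_build_query($forward);
}

/**
 * Plugin side: the state value sent with the authorization request. The site
 * stores it (e.g. in the admin user's session) and, when the relay delivers
 * the response, accepts the code only if the returned state matches.
 */
function new_state(): string
{
    return bin2hex(random_bytes(16));
}

function state_matches(string $stored, string $returned): bool
{
    return hash_equals($stored, $returned);
}

if (PHP_SAPI === 'cli') {
    // Constructed requests, as the relay would see them after the
    // authorization server appends its parameters to the redirect URI.
    $cases = [
        'registered site' => ['dest' => 'site-a', 'code' => 'sample-code-1', 'state' => 'abc123'],
        'unknown site'    => ['dest' => 'evil',   'code' => 'sample-code-1', 'state' => 'abc123'],
        'user declined'   => ['dest' => 'site-b', 'error' => 'access_denied', 'state' => 'abc123'],
        'no code/error'   => ['dest' => 'site-a', 'foo' => 'bar'],
    ];
    foreach ($cases as $label => $query) {
        printf("%-16s -> %s\n", $label, build_forward_location($query) ?? 'refused');
    }
    $state = new_state();
    var_dump(state_matches($state, $state), state_matches($state, new_state()));
} else {
    // Deployed as the registered redirect URL: forward or refuse.
    $location = build_forward_location($_GET);
    if ($location === null) {
        http_response_code(400);
        exit('unknown destination');
    }
    header('Location: ' . $location, true, 302);
    exit();
}
```

Run with `php relay.php` to see the registered and error cases forwarded and the unknown destination refused. The registered redirect URL is then the relay page itself and each installation appends only its short id; the authorization server appends code and state to that URI exactly as it did with dest_url. Whether a query component on the redirect URI is accepted at all depends on how the provider compares URIs (section 3.1.2.2 of RFC 6749 allows one, and jim reports it works against CtCt). The relay never has to understand state; it only has to pass it through so the destination site can check it against the value it generated.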

 

 

 

Occasional Participant

Re: OAuth2 and plugins

 

Request Body:

{
  "entry": {
    "updated": "2008-04-16",
    "content": {
      "-type": "application/vnd.ctct+xml",
      "ContactList": {
        "-xmlns": "http://ws.constantcontact.com/ns/1.0/",
        "OptInDefault": "false",
        "Name": "A New List",
        "SortOrder": "99"
      }
    }
  }
}

[{
  "error_key": "json.field.invalid",
  "error_message": "#/entry: Property was found but is not permitted at this location."
}, {
  "error_key": "json.field.missing",
  "error_message": "#/name: Property is required but not found."
}, {
  "error_key": "json.field.missing",
  "error_message": "#/status: Property is required but not found."
}]
Honored Contributor

Re: OAuth2 and plugins

Hello,

 

You can find the information about the JSON format for creating lists in our developer documentation located here: http://developer.constantcontact.com/docs/contact-list-api/contactlist-collection.html?method=POST

 

Best Regards

Elijah G.
API Support Engineer