
Possible bug with OAUTH authorization response URL encoding

Occasional Contributor


The state parameter returned by Constant Contact in the authorization response is not properly URL encoded, causing a mismatch comparing the state parameter.

 

An authorization request sent to

xhttps://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fexample.com%2Fpage&state=QHu8qRq9JX7wTzQmG%2BhEug%3D%3D&response_type=code

 

eventually ends up redirected to

xhttps://example.com/page?code=xyz&state=QHu8qRq9JX7wTzQmG+hEug==&username=user%40example.com

 

That value is then decoded (since it's a query string parameter after all) as

QHu8qRq9JX7wTzQmG hEug==

causing a state mismatch error.

 

The expected redirect URI is

xhttps://example.com/page?code=xyz&state=QHu8qRq9JX7wTzQmG%2BhEug%3D%3D&username=user%40example.com

 

Note: I added an "x" to the start of the URLs because the forum keeps converting them into clickable URLs and truncating the display text.
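The mismatch described in the post above, reproduced with Python's standard query-string parser, as an added example that is not part of the original post or of Constant Contact's code. `redirect_without_reencoding` is a hypothetical stand-in for a server that echoes `state` back unencoded, and generating `state` with `secrets.token_urlsafe` is a client-side mitigation assumed here, not one proposed in the thread.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Values taken from the post above (without the "x" prefix).
SENT_STATE = "QHu8qRq9JX7wTzQmG+hEug=="
OBSERVED_REDIRECT = ("https://example.com/page?code=xyz"
                     "&state=QHu8qRq9JX7wTzQmG+hEug==&username=user%40example.com")
EXPECTED_REDIRECT = ("https://example.com/page?code=xyz"
                     "&state=QHu8qRq9JX7wTzQmG%2BhEug%3D%3D&username=user%40example.com")


def state_from_redirect(url: str) -> str:
    """Decode `state` the way a form-style query parser does ('+' becomes a space)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["state"][0]


def state_matches(expected: str, received: str) -> bool:
    """Exact, constant-time comparison; no attempt to 'repair' the received value."""
    return hmac.compare_digest(expected.encode(), received.encode())


def new_urlsafe_state(nbytes: int = 16) -> str:
    """Random state drawn only from A-Z a-z 0-9 '-' '_' (no '+', '/' or '=')."""
    return secrets.token_urlsafe(nbytes)


def redirect_without_reencoding(state: str) -> str:
    """Hypothetical model of a server that echoes `state` without percent-encoding."""
    return f"https://example.com/page?code=xyz&state={state}"


if __name__ == "__main__":
    # Redirect as observed in the post: '+' arrives raw and decodes to a space.
    got = state_from_redirect(OBSERVED_REDIRECT)
    print(repr(got), state_matches(SENT_STATE, got))

    # Redirect the post expected: %2B and %3D decode back to the sent value.
    got = state_from_redirect(EXPECTED_REDIRECT)
    print(repr(got), state_matches(SENT_STATE, got))

    # A URL-safe state survives the round trip even when echoed unencoded.
    state = new_urlsafe_state()
    got = state_from_redirect(redirect_without_reencoding(state))
    print(repr(got), state_matches(state, got))
```

Because the URL-safe alphabet is unchanged by percent-encoding and by decoding, the client can keep a strict equality check on `state` however the server echoes it.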

Employee

Re: Possible bug with OAUTH authorization response URL encoding

Thank you for letting us know about this.  We are looking into it.

 

Best Regards,

Shannon W.

API Support Specialist

Occasional Contributor

Re: Possible bug with OAUTH authorization response URL encoding

Is there an update or estimated timeline for a fix for this?

Moderator

Re: Possible bug with OAUTH authorization response URL encoding

At this time, we do not have any update on a potential fix for this. We are planning on looking at this soon; however, we are in the last stages of releasing the new version of our API and have not had time to look into this issue while finishing up that work.

 

We apologize for any inconvenience this may be causing you.  As soon as we are able to, we will work on reproducing this and getting a fix out for any issues we find during our investigation.

Dave Berard
Senior Product Manager, Constant Contact