
Possible bug with OAUTH authorization response URL encoding

Occasional Contributor

The state parameter returned by Constant Contact in the authorization response is not properly URL encoded, causing a mismatch comparing the state parameter.

 

An authorization request sent to

xhttps://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fexample.com%2Fpage&state=QHu8qRq9JX7wTzQmG%2BhEug%3D%3D&response_type=code

 

eventually ends up redirected to

xhttps://example.com/page?code=xyz&state=QHu8qRq9JX7wTzQmG+hEug==&username=user%40example.com

 

That value is then decoded (since it's a query string parameter after all) as

QHu8qRq9JX7wTzQmG hEug==

causing a state mismatch error.

 

The expected redirect URI is

xhttps://example.com/page?code=xyz&state=QHu8qRq9JX7wTzQmG%2BhEug%3D%3D&username=user%40example.com

 

Note: I added an "x" to the start of the URLs because the forum keeps converting them into clickable URLs and truncating the display text.
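
An added example, not part of the original post or Constant Contact's code: it reproduces the decoding mismatch with Python's standard `urllib.parse` using the URLs from the post, and goes beyond it to show one client-side mitigation, generating `state` from a URL-safe alphabet so an unencoded echo cannot alter it. The function names are illustrative assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# URLs and state value taken from the post above (without the "x" prefix).
OBSERVED = ("https://example.com/page?code=xyz"
            "&state=QHu8qRq9JX7wTzQmG+hEug==&username=user%40example.com")
EXPECTED = ("https://example.com/page?code=xyz"
            "&state=QHu8qRq9JX7wTzQmG%2BhEug%3D%3D&username=user%40example.com")
SENT_STATE = "QHu8qRq9JX7wTzQmG+hEug=="


def state_from_redirect(url):
    """Return the decoded state parameter, or None if absent or repeated."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("state", [])
    return values[0] if len(values) == 1 else None


def state_matches(sent, url):
    """Strict, constant-time comparison of the stored state with the returned one."""
    received = state_from_redirect(url)
    if received is None:
        return False
    return hmac.compare_digest(sent.encode(), received.encode())


def new_state(nbytes=16):
    """State built only from A-Z a-z 0-9 - _, so encoding cannot change it."""
    return secrets.token_urlsafe(nbytes)


def survives_unencoded_echo(state):
    """Simulate a server that copies state into the redirect without encoding it."""
    url = "https://example.com/page?code=xyz&state=" + state
    return state_from_redirect(url) == state


if __name__ == "__main__":
    print(repr(state_from_redirect(OBSERVED)))   # "+" decoded as a space
    print(state_matches(SENT_STATE, OBSERVED))   # mismatch, request rejected
    print(state_matches(SENT_STATE, EXPECTED))   # correctly encoded redirect
    print(survives_unencoded_echo(new_state()))  # URL-safe state is unaffected
```

The comparison stays strict in both cases; only the alphabet of the generated value changes, so the CSRF check that `state` provides is not weakened.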

CTCT Employee

Re: Possible bug with OAUTH authorization response URL encoding

Thank you for letting us know about this. We are looking into it.

 

Best Regards,

Shannon W.

API Support Specialist

Occasional Contributor

Re: Possible bug with OAUTH authorization response URL encoding

Is there an update or estimated timeline for a fix for this?

Moderator

Re: Possible bug with OAUTH authorization response URL encoding

At this time, we do not have any update on a potential fix for this. We are planning on looking at this soon; however, we are in the last stages of releasing the new version of our API and have not had time to look into this issue while finishing up that work.

 

We apologize for any inconvenience this may be causing you. As soon as we are able to, we will work on reproducing this and getting a fix out for any issues we find during our investigation.

Dave Berard
Senior Product Manager, Constant Contact