Possible bug with OAUTH authorization response URL encoding

GordonB89
Regular Participant


The state parameter returned by Constant Contact in the authorization response is not properly URL encoded, causing a mismatch comparing the state parameter.


An authorization request set to

xhttps://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fexample.com%2Fpage&state=QHu8qRq9JX7wTzQmG%2BhEug%3D%3D&response_type=code


eventually ends up redirected to

xhttps://example.com/page?code=xyz&state=QHu8qRq9JX7wTzQmG+hEug==&username=user%40example.com


That value is then decoded (since it's a query string parameter after all) as

QHu8qRq9JX7wTzQmG hEug==

causing a state mismatch error.


The expected redirect URI is

xhttps://example.com/page?code=xyz&state=QHu8qRq9JX7wTzQmG%2BhEug%3D%3D&username=user%40example.com


Note: I added an "x" to the start of the URLs because the forum keeps converting them into clickable URLs and truncating the display text.
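To make the mismatch concrete, here is an added example (not code from the thread or from Constant Contact) that parses the two redirect URLs quoted above the way a client's query-string parser would, compares the recovered state with the one stored in the session, and shows how the authorization server should have appended the parameters. The values are constructed to match the ones in the post; the `make_state` helper is a client-side workaround not mentioned in the thread.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values, matching the ones quoted in the post above.
SENT_STATE = "QHu8qRq9JX7wTzQmG+hEug=="
BUGGY_REDIRECT = ("https://example.com/page?code=xyz"
                  "&state=QHu8qRq9JX7wTzQmG+hEug==&username=user%40example.com")
EXPECTED_REDIRECT = ("https://example.com/page?code=xyz"
                     "&state=QHu8qRq9JX7wTzQmG%2BhEug%3D%3D&username=user%40example.com")


def state_from_redirect(url: str) -> str:
    """Decode the state parameter as any query-string parser does:
    '+' becomes a space and %XX sequences are percent-decoded."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("state", [""])[0]


def state_matches(url: str, sent_state: str) -> bool:
    """CSRF check on the callback: compare the returned state with the
    value stored in the session, in constant time."""
    return hmac.compare_digest(state_from_redirect(url), sent_state)


def build_redirect(redirect_uri: str, code: str, state: str, username: str) -> str:
    """How the authorization server should append its parameters: every
    value percent-encoded, so '+' and '=' in the state survive the round trip."""
    query = urlencode({"code": code, "state": state, "username": username})
    return f"{redirect_uri}?{query}"


def make_state() -> str:
    """Client-side workaround (assumption, not from the thread): a state made
    only of URL-safe characters cannot be damaged by a server that forgets
    to percent-encode it."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    print("buggy redirect decodes state to:", repr(state_from_redirect(BUGGY_REDIRECT)))
    print("buggy redirect passes check:", state_matches(BUGGY_REDIRECT, SENT_STATE))
    print("expected redirect passes check:", state_matches(EXPECTED_REDIRECT, SENT_STATE))
    print("correctly built redirect:", build_redirect(
        "https://example.com/page", "xyz", SENT_STATE, "user@example.com"))
```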

Shannon_W
Employee

Thank you for letting us know about this.  We are looking into it.


Best Regards,

Shannon W.

API Support Specialist

GordonB89
Regular Participant

Is there an update or estimated timeline for a fix for this?

At this time, we do not have any update on a potential fix for this. We are planning on looking at this soon; however, we are in the last stages of releasing the new version of our API and have not had time to look into this issue while finishing up that work.


We apologize for any inconvenience this may be causing you.  As soon as we are able to, we will work on reproducing this and getting a fix out for any issues we find during our investigation.

Dave Berard
Senior Product Manager, Constant Contact