The state parameter returned by Constant Contact in the authorization response is not properly URL encoded, causing a mismatch comparing the state parameter.
An authorization request set to
eventually ends up redirected to
That value is then decoded (since it's a query string parameter after all) as
causing a state mismatch error.
The expected redirect URI is
Note: I added an "x" to the start of the URLs because the forum keeps converting them into clickable URLs and truncating the display text.
At this time, we do not have any update on a potential fix for this. We are planning on looking at this soon, however we are in the last stages of releasing the new version of our API and have not had time to look into this issue while finishing up that work.
We apologize for any inconvenience this may be causing you. As soon as we are able to, we will work on reproducing this and getting a fix out for any issues we find during our investigation.