
Get Access Token manually vs OAuth 2.0?

Occasional Advisor

Rather than implementing an OAuth 2.0 flow for getting an access token, can I simply have my customers go to this constructed url?

'https://api.constantcontact.com/mashery/account/' + my_api_key

This is the link I'm taken to when clicking Get Access Token inside the Mashery portal. It prompts me to log into my account and then gives me an access token. This is more than sufficient for my customer's needs too; however, when I go to this address manually (i.e., paste the full URL into the address bar), I get the error below:

[screenshot: 2015-08-27_17-45-59.png]

If anyone has some insight here, I'd really appreciate it. Thank you!

Damon

Honored Contributor

Re: Get Access Token manually vs OAuth 2.0?

Hello,

After looking into this a bit, what you're seeing is very intentional, as this flow for generating access tokens is specifically designed to only be accessed from the Mashery portal for security reasons.

In addition to the reason above, it is highly preferable to implement OAuth 2 rather than asking users to manually generate access tokens, as that often results in them getting confused and contacting my team (the API support group here at Constant Contact) for help getting up and running. This process can be difficult for the customers as we're trying to help them with products and tools that we've often never had any hands-on time with. 

If there is any way that we can be of assistance in helping you to move forward, please let us know!

Sincerely,

Elijah G.
API Support Engineer
Occasional Advisor

Re: Get Access Token manually vs OAuth 2.0?

Hi Elijah,


Thanks for looking into that and the insight.

Do you have a simple PHP example that demonstrates the OAuth 2 process (in particular, getting an access token) with your API? My software is a WordPress plugin and I'm trying to support as many autoresponders as possible for my customers. I can integrate easily with other companies (GetResponse, MailChimp, etc.) using just a generated API key. With Constant Contact, however, I am burning a lot of time trying to get something to work and hate the idea of forgoing support for it.

Any examples or recommendations for sample WordPress plugins are greatly appreciated. I have seen some moderators recommend this plugin. Unfortunately, it's quite short of being a simple example and, as others report, it also just crashes upon running.

Thanks again for the help,

Damon

Honored Contributor

Re: Get Access Token manually vs OAuth 2.0?

Hi Damon,

Our PHP SDK has a sample that shows an example of the process, but it is worth noting that the sample does use code within the SDK to simplify the process. You can find the sample (and the SDK) here: https://github.com/constantcontact/php-sdk/blob/development/examples/getAccessToken.php

Aside from the plugin you mentioned, another example of a WordPress plugin that uses our OAuth flow is MailMunch: https://wordpress.org/plugins/constant-contact-forms-by-mailmunch/

One important thing to note is that when using our OAuth flow, we require you to register a single redirect URL that will be given an authorization code which can then be exchanged for the token. Because this is restricted to a single URL for security reasons, the simplest solution is to have a simple page that would catch this redirect and send it to the appropriate WordPress instance. This can be done using the ability within OAuth to attach parameters to the redirect URL when initializing authorization. So if your website was www.integration.com and the user's WordPress page was www.blog.com, you would register the redirect to be www.integration.com/ctctredirect and initiate OAuth using a URL as shown here:

GET https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?response_type=code&client_id=187775cfde5143b&redirect_uri=http://www.integration.com/ctctredirect?redirect=http://www.blog.com/wp_oauth_redirect

The redirect_uri value shown above (including its own redirect=... query) needs to be URL encoded to avoid errors.

Using this, you could have an extremely simple script that lives at http://www.integration.com/ctctredirect and simply performs a 302 redirect to the value of the "redirect" parameter that is provided. In this case, you would use a 302 redirect to http://www.blog.com/wp_oauth_redirect

This process allows you to have a plugin that's capable of using OAuth (which requires a single redirect URL) with a dynamic system like WordPress that can exist on any number of separate domains.

If you have any questions, please feel free to ask and I will be happy to help!

Sincerely,

Elijah G.
API Support Engineer
Occasional Advisor

Re: Get Access Token manually vs OAuth 2.0?

Hi Elijah,

Thanks so much for the references and the explanation! I will take a closer look at the plugin and play around with your recommendation of the redirect script. Thanks again for the quick and thorough response! :)

Damon

Occasional Advisor

Re: Get Access Token manually vs OAuth 2.0?

Hi Elijah,

I have a few follow-up questions.

First, just to be certain I'm understanding correctly: my software must use the redirect URI I registered with my Application merely to forward incoming requests back to the URI of my customer's installation. A 'code' query parameter will be present with the redirect, which I will then exchange for an access token via the API.

Assuming I'm on the right track, let's say I create a PHP script at http://www.integration.com/ctctredirect/. The script could look like this:

<?php
// Pass-through relay: send the browser on to the URL given in the 'redirect'
// parameter, appending the entire query string this script received.
if ( isset( $_REQUEST['redirect'] ) && isset( $_SERVER['QUERY_STRING'] ) ) {
    header( "Location: " . $_REQUEST['redirect'] . "?" . $_SERVER['QUERY_STRING'] );
    exit;
}

This leads to my questions:

(1.) Must this be a 302 redirect or if necessary, would a meta refresh or javascript redirect also be compatible with the Ctct API?

(2.) The $_REQUEST['redirect'] variable will contain the entire, urlencoded value I pass during creation of the CtctOAuth2 object, right? I ask because the redirect uri I register with my Application accepts no query parameters. So, if I need additional query parameters, can they be passed to the OAuth2 object and in turn, Ctct will pass them back along to my PHP redirect script?

(3.) If the above is all correct, then I wonder if this PHP script I must use is creating an 'open redirect' security vulnerability for phishing attacks, etc. I presume I could check the http_referer inside my script, but I've read it's easy to spoof and not entirely reliable across all browsers. Do you guys have a best practice you recommend to your developers?

Thanks again for helping me through this!

Damon

Occasional Advisor

Re: Get Access Token manually vs OAuth 2.0?

Just to follow-up and hopefully save someone else some time:

(1.) In my testing, yes, those other methods of redirecting work too. It doesn't appear that the redirect must be 302. You are basically just passing control back to your program, which is independent of the API.

(2.) Getting the redirect to pass-thru without issue took me a lot of trial/error and forum searches. In the end, I found this answer to be yes - you can attach additional query parameters.

One potential "gotcha" to be careful about is if you're creating the CtctOAuth2 object in different places inside your code (e.g., you create your authentication link in a different module than your callback hooks). Be certain that the value you're passing for the third parameter ($redirectUri) is the same everywhere.

For my WordPress implementation, I make use of the admin_post_(action) hook. This allows me to create my OAuth object like this:

    $redirect  = urlencode( admin_url( 'admin-post.php?action=app_ctctauth' ) );
    $oauth_url = ( APP_CTCT_OAUTH_URL . '?redirect=' . $redirect );
    $oauth     = new \Ctct\Auth\CtctOAuth2( APP_CTCT_API_KEY, APP_CTCT_SECRET, $oauth_url );

and then receive the redirect like this:

function app_process_ctctauth() {
    // Exchange $_GET['code'] for access token
}
add_action( 'admin_post_app_ctctauth', 'app_process_ctctauth' );
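Building on the hooks in the post above, here is an added example (not Constant Contact's code and not the plugin's own) of the plugin side carrying a per-install nonce through the relay, so the callback refuses an authorization code that did not originate from a link this install generated. That is the job the standard OAuth 2.0 state parameter does: without it, an attacker can authorize their own Constant Contact account, take the resulting code, and send the site administrator a link to admin-post.php with that code, so the site silently ends up connected to the attacker's account. The example assumes WordPress and the Constant Contact PHP SDK are loaded, reuses the APP_CTCT_* constants from the post, and the names APP_CTCT_RELAY_URL (the single redirect URL registered for the API key), app_ctct_authorize_url and the option key are assumptions. Because the nonce travels inside the nested redirect value, it is part of the redirect_uri, so the callback rebuilds exactly the same value from the state it received before exchanging the code (the "same everywhere" gotcha noted above).

```php
<?php
// Added example: plugin-side authorization link and callback with a nonce
// bound to the current admin user. APP_CTCT_RELAY_URL is the registered
// redirect URL on the integration site (assumed name); app_ctct_* names are
// assumptions. Requires WordPress and the Constant Contact PHP SDK.

// Build the authorize URL. The nonce rides inside the nested redirect value,
// so after the relay forwards it, admin-post.php receives it as $_GET['state'].
function app_ctct_authorize_url() {
    $nonce    = wp_create_nonce( 'app_ctct_oauth' );         // tied to user + session, expires
    $callback = add_query_arg(
        array( 'action' => 'app_ctctauth', 'state' => $nonce ),
        admin_url( 'admin-post.php' )
    );
    // The callback is URL-encoded inside the relay URL; the SDK encodes the
    // whole redirect_uri once more when it builds the authorize link.
    $redirect_uri = APP_CTCT_RELAY_URL . '?redirect=' . rawurlencode( $callback );
    $oauth        = new \Ctct\Auth\CtctOAuth2( APP_CTCT_API_KEY, APP_CTCT_SECRET, $redirect_uri );
    return $oauth->getAuthorizationUrl();
}

// admin-post handler: verify the nonce, then exchange the code for a token.
function app_process_ctctauth() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! wp_verify_nonce( $state, 'app_ctct_oauth' ) ) {
        // Code did not come from a link this install generated for this user.
        wp_die( 'OAuth state check failed. Start the connection again from the plugin settings page.', '', array( 'response' => 403 ) );
    }
    if ( ! empty( $_GET['error'] ) ) {
        wp_die( 'Authorization was denied: ' . esc_html( sanitize_text_field( wp_unslash( $_GET['error'] ) ) ) );
    }
    if ( empty( $_GET['code'] ) ) {
        wp_die( 'No authorization code in callback.', '', array( 'response' => 400 ) );
    }
    $code = sanitize_text_field( wp_unslash( $_GET['code'] ) );

    // Rebuild the identical redirect_uri (nonce included) that was used to
    // create the link; the token exchange must present the same value.
    $callback     = add_query_arg( array( 'action' => 'app_ctctauth', 'state' => $state ), admin_url( 'admin-post.php' ) );
    $redirect_uri = APP_CTCT_RELAY_URL . '?redirect=' . rawurlencode( $callback );
    $oauth        = new \Ctct\Auth\CtctOAuth2( APP_CTCT_API_KEY, APP_CTCT_SECRET, $redirect_uri );
    try {
        $token = $oauth->getAccessToken( $code );   // assumption: returns an array with 'access_token'
    } catch ( \Exception $e ) {
        wp_die( 'Token exchange failed: ' . esc_html( $e->getMessage() ) );
    }
    // autoload=false: the token is only needed when talking to the API.
    update_option( 'app_ctct_access_token', $token['access_token'], false );
    wp_safe_redirect( admin_url( 'options-general.php?page=app_ctct&connected=1' ) );
    exit;
}
add_action( 'admin_post_app_ctctauth', 'app_process_ctctauth' );
```

The settings page links the administrator to app_ctct_authorize_url(). A WordPress nonce is only valid for the user who created it, so a code delivered to a different browser session fails the check before any exchange happens; the stored token is the plugin's credential, and should be treated like one (never echoed into page output or logs).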

Honored Contributor

Re: Get Access Token manually vs OAuth 2.0?

Hi Damon,

Here's the answers to your questions:

  1. No, it's not required to be a 302 redirect. I mostly suggest this because it's the least visible for the user. A meta refresh would work fine. I would advise against a JavaScript-based redirect, as some especially security-conscious users allow JavaScript on a whitelist system, which would potentially prevent the redirect.
  2. You're on the right track. With OAuth you don't have to register your query parameters in advance; you simply add them to the redirect URL on your initial call to OAuth. Any parameters that are added will be given back to the specified redirect URL when the process is complete. So if I were to re-use my original example, I could do the following:
    https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?response_type=code&client_id=187775cfde5143b&redirect_uri=http://www.integration.com/ctctredirect?redirect=http://www.blog.com/wp_oauth_redirect&param2=value2&paramx=y
  3. While it is theoretically possible that the open endpoint could be used to redirect users, it seems that the potential for abuse is fairly limited, specifically because the only information that this endpoint gains access to is the authorization code, which can only be exchanged for an access token if you also possess the consumer secret associated with the API key that was used. Therefore this endpoint can only be used to gain an access token if it is associated with a valid API key that the developer using it owns. In terms of general use for redirecting, you could significantly restrict it by implementing both a referrer check and a simple pattern check on the 'redirect' parameter to look for a portion of the path that is specific to your WordPress install. So if you were to use the redirect above, you could have your script search for wp_oauth_redirect before allowing any redirect.

Hopefully the info above clears things up and gives you a path to move forward. If you do have any questions or concerns, please let me know and I am happy to help!

Sincerely,

Elijah G.
API Support Engineer
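The relay script that lives at the registered redirect URL, written as an added example for this thread (not Constant Contact's code and not the plugin's): it takes up question (3) above and tightens the substring suggestion into a structural check. The redirect target must parse as an absolute http(s) URL whose path is the WordPress admin-post handler carrying the plugin's action, and only the OAuth response parameters are forwarded, so javascript: targets, protocol-relative hosts (//evil.example), userinfo tricks (https://www.integration.com@evil.example/) and arbitrary query smuggling are all refused with a 400 instead of redirected. It deliberately does not consult the Referer header. The callback path and action name are assumptions that match the plugin code earlier in the thread. What it does not do is also worth stating: it will still forward to any host that serves that path, so the plugin-side nonce and the fact that a code is useless without the client secret remain the real safeguards; if the integration site keeps a registry of customer domains, check the parsed host against it in the same function.

```php
<?php
// Added example: hardened ctctredirect relay. Not Constant Contact's code.
// CALLBACK_PATH / CALLBACK_ACTION are assumptions matching a plugin that
// receives the code via WordPress's admin-post.php?action=app_ctctauth.
declare(strict_types=1);

// Only these query parameters are passed on; everything else the relay
// received (including anything a third party appended) is dropped.
const FORWARDED_PARAMS = array( 'code', 'state', 'error', 'error_description' );
const CALLBACK_PATH    = '/wp-admin/admin-post.php';
const CALLBACK_ACTION  = 'app_ctctauth';

/**
 * Validate the candidate redirect target and return the Location to send,
 * or null if the request must be refused.
 *
 * @param string $redirect Value of the 'redirect' parameter (already URL-decoded once by PHP).
 * @param array  $query    The full query array the relay received ($_GET).
 */
function build_relay_location( string $redirect, array $query ): ?string {
    $parts = parse_url( $redirect );
    if ( $parts === false || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return null;                       // relative, protocol-relative ("//evil") or garbage
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return null;                       // javascript:, data:, etc.
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return null;                       // "https://trusted.example@evil.example/" tricks
    }
    if ( ( $parts['path'] ?? '' ) !== CALLBACK_PATH ) {
        return null;                       // exact path, not a substring search
    }
    parse_str( $parts['query'] ?? '', $target_query );
    if ( ( $target_query['action'] ?? '' ) !== CALLBACK_ACTION ) {
        return null;
    }
    // Copy over the OAuth response parameters and nothing else. The nested
    // 'state' the plugin put in its callback URL survives in $target_query.
    foreach ( FORWARDED_PARAMS as $name ) {
        if ( isset( $query[ $name ] ) && is_string( $query[ $name ] ) ) {
            $target_query[ $name ] = $query[ $name ];
        }
    }
    return sprintf(
        '%s://%s%s%s?%s',
        strtolower( $parts['scheme'] ),
        $parts['host'],
        isset( $parts['port'] ) ? ':' . $parts['port'] : '',
        $parts['path'],
        http_build_query( $target_query )
    );
}

if ( PHP_SAPI !== 'cli' ) {
    $location = ( isset( $_GET['redirect'] ) && is_string( $_GET['redirect'] ) )
        ? build_relay_location( $_GET['redirect'], $_GET )
        : null;
    if ( $location === null ) {
        http_response_code( 400 );
        header( 'Content-Type: text/plain' );
        echo "Refusing to redirect: invalid redirect target.\n";
        exit;
    }
    header( 'Location: ' . $location, true, 302 );
    exit;
}
```

With the URL from the thread, the relay receives redirect=http%3A%2F%2Fwww.blog.com%2Fwp-admin%2Fadmin-post.php%3Faction%3Dapp_ctctauth%26state%3D... plus code=... from the authorization server; PHP decodes the outer layer once, parse_url splits off the inner query, and the browser is sent to http://www.blog.com/wp-admin/admin-post.php?action=app_ctctauth&state=...&code=... . A request whose redirect value is javascript:alert(1), //evil.example/wp-admin/admin-post.php or a bare hostname gets the 400 instead.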