Oauth2 access token changes every time you authorize

Occasional Participant

From what I've observed, every time you authenticate with OAuth2, the access token changes. This is really bad for me because my App relies on storing the access token in the datastore to be used later. If it changes then everything will break. I know for sure that other similar systems to Constant Contact that use Oauth2 don't change this API Key / Access Code. Is there anything I can do in terms of some parameter I can pass in to make the access code persistent?

 

Thanks for all of your help with my other issues!

~Elan 

Moderator

Hi Elan,


The Access Token should only change if you go through the OAuth 2 flow to get a new token.  You should be able to store the Access Token for future use and authenticate future requests with that same token.  We currently set the expiration time for access tokens to a very long time so you would not see the token expire in any of your tests.

 

If you have a code example that shows how you are receiving new access tokens, please either post it here with your personal information obfuscated or send it via email to webservices@constantcontact.com.

Dave Berard
Senior Product Manager, Constant Contact
Occasional Participant

Thanks for your response Dave. It's the combination of the fact that "The Access Token should only change if you go through the OAuth 2 flow to get a new token" and that OAuth 2 doesn't provide us with the username of the user that causes me the problem. I'll describe the flow of my app so you can see what I mean.

 

User A creates a "group" (a term related to my app) that is integrated with a particular Constant Contact list of his (call it Group 1). As part of group creation, he goes through the Oauth2 flow and I store the access token as an attribute of the group along with the list ID. I also prompt for his username (which is a workaround since Oauth2 doesn't give it to me) and I also store this as an attribute of the group as well.

 

Then, other users can interact with User A's group, but only if they are in User A's group's Constant Contact list. So whenever a User B tries to interact with the group, I do a check to see if user B is in user A's Constant Contact list. For this I use the Constant Contact API passing in the username and access token as parameters.

 

Here's the rub: what if User A decides to create another group? Or what if a User B has access to User A's Constant Contact credentials and creates a group? Now the access key for group 1 is invalid and next time a user tries to interact with the group, an error will occur.

 

I could theoretically do a workaround: whenever a user performs an Oauth2, I can loop through groups associated with his username and update the access token. The problem is, I don't know the username! I ask the user to tell it to me, but what if they type it in incorrectly? They'll go through OAuth2, change their access token and I'll have no way to know which groups to update.

 

I hope this is clear. Please help!


~Elan

We do currently have a defect in our OAuth 2.0 flow where the Username is not being returned in the response JSON with the access token.  This is something we're addressing now and hope to have updated in our next software release.  At this point, the only option is to prompt for the username like you mentioned.  We'll update the forums once this makes it into production.

Dave Berard
Senior Product Manager, Constant Contact