
Problem with Oauth2 and subdomains

Occasional Participant

I am using Ruby, Omniauth, and the mashery API. I have many dynamic subdomains, and so I have to create one ConstantContact/Mashery app that has a  generic redirect URI. 

 

Question 1) for the redirect URI in the CC/Mashery app, do I have to put the full path of the redirect, or just the domain?

 

Question 2) I am using the idea suggested here by Dave Berard ( http://community.constantcontact.com/t5/Developer-Support-ask-questions/Api-Key-Redirect-URI-for-mul... ) to have a generic host for the redirect URI. If I am starting the Oauth2 authentication dance from https://subdomain1.domain.com, then the question is, should I put a top-level domain into the CC/Mashery app redirect URI (e.g. https://domain.com), or can I use a different (generic) subdomain (e.g. https://generic_oauth2.domain.com)?

 

Question 3) When I start the Oauth2 dance from https://subdomain1.domain.com, but provide the redirect URI https://generic_oauth2.domain.com in the Oauth2 request (which matches the redirect URI provided in the CC/Mashery app), then my app gets back the authorization code, but when it tries to exchange that authorization code for an access_token, I am getting back a response of

{
"error": "invalid_client",
"error_description": "Invalid client secret."
}

 

I've spent 3 days now trying to figure this out :-(

Occasional Participant

Re: Problem with Oauth2 and subdomains

I should add that if I hard code the CC/Mashery app to have a redirect_URI of https://subdomain1.domain.com then everything works, so I know that the credentials I am using, etc. are working. The problem only occurs when I set the CC/Mashery redirect_URI to https://generic_oauth2.domain.com and then supply the same redirect_uri (https://generic_oauth2.domain.com) during the Oauth2 request and callback phases.

Moderator

Re: Problem with Oauth2 and subdomains

The OAuth redirect_uri must match identically the one you entered, with the only caveat that you can add query parameters to the redirect_uri that you pass in as part of the actual call to our OAuth 2 flow. This could include a redirect your OAuth server could use to pass back to your referring subdomain. For example, you could use this for your redirect URL:

 

redirect_uri=http%3A%2F%2Fgeneric_oauth2.domain.com%3Finitial_domain%3Dsubdomain1.domain.com

 

The spec and our implementation require we pass those back to you verbatim so you can then use this to redirect back to the correct subdomain on your side. The only requirement we have is that the base URIs match exactly up until the ? parameter.

Dave Berard
Senior Product Manager, Constant Contact
Occasional Participant

Re: Problem with Oauth2 and subdomains

Dave, thanks for clarifying that.

 

Any thoughts on Questions 3 and 2?

 

Moderator

Re: Problem with Oauth2 and subdomains

Question 2 is really a personal preference, as long as you're consistent either solution works.  I'd pick whichever one is easier for you to implement and not waste too much time on that part.

 

The error in question 3 is only returned by us if you are providing an invalid client secret that you got when you created your API key. As long as that matches the client secret that is associated with your API key, you shouldn't see that message. If you have confirmed that's correct, I would recommend emailing our support team the code that is getting the error so we can take a closer look. You can email the team via webservices@constantcontact.com

Dave Berard
Senior Product Manager, Constant Contact