I am using Ruby, Omniauth, and the mashery API. I have many dynamic subdomains, and so I have to create one ConstantContact/Mashery app that has a generic redirect URI.
Question 1) for the redirect URI in the CC/Mashery app, do I have to put the full path of the redirect, or just the domain?
Question 2) I am using the idea suggested here by Dave Berard ( http://community.constantcontact.com/t5/Developer-Support-ask-questions/Api-Key-Redirect-URI-for-mul... ) to have a generic host for the redirect UI. If I am starting the Oauth2 authentication dance from https://subdomain1.domain.com, then the question is, should I put a top-level domain into the CC/Mashery app redirect URI (e.g. https://domain.com), or can I use a different (generic) subdomain (e.g. https://generic_oauth2.domain.com)?
Question 3) When I start the Oauth2 dance from https://subdomain1.domain.com, but provide the redirect URI https://generic_oauth2.domain.com in the Oauth2 request (which matches the redirect URI provided in the CC/Mashery app), then my app gets back the authorization code, but when it tries to exchange that authorization code for an access_token, I am getting back a response of
"error_description": "Invalid client secret."
I've spent 3 days now trying to figure this out :-(
I should add that if I hard code the CC/Mashery app to have a redirect_URI of https://subdomain1.domain.com then everything works, so I know that the credentials I am using, etc. are working. The problem only occurs when I set the CC/Mashery redirect_URI to https://generic_oauth2.domain.com and then supply the same redirect_uri (https://generic_oauth2.domain.com) during the Oauth2 request and callback phases.
The OAuth redirect_uri must match identically the one you entered, with the only caveat that you can add query parameters to the redirect_uri that you pass in as part of the actual call to our OAuth 2 flow. This could include a redirect your OAuth server could use to pass back to your referring subdomain. For example, you could use this for your redirect URL:
The spec and our implementation require that we pass those back to you verbatim so you can then use this to redirect back to the correct subdomain on your side. The only requirement we have is that the base URIs match exactly up until the ? parameter.
Question 2 is really a personal preference, as long as you're consistent either solution works. I'd pick whichever one is easier for you to implement and not waste too much time on that part.
The error in question 3 is only returned by us if you are providing an invalid client secret that you get when you created your API key. As long as that matches the client secret that is associated with your API key, you shouldn't see that message. If you have confirmed that's correct, I would recommend emailing our support team the code that is getting the error so we can take a closer look. You can email the team via email@example.com.
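As an added example (not code from the original thread, written in Ruby since the question uses Ruby/Omniauth) of the scheme the answer describes: the redirect_uri registered with the CC/Mashery app stays fixed on the generic subdomain, the originating subdomain travels in a query parameter that is passed back verbatim, and the callback on the generic host only forwards to subdomains it already knows. The hostnames, the `/auth/callback` path and the `tenant` parameter name are assumptions.

```ruby
require "uri"

# Assumed value registered in the CC/Mashery app (fixed generic subdomain,
# no query string). Everything before the "?" must match this exactly.
REGISTERED_REDIRECT = "https://generic_oauth2.domain.com/auth/callback"

# Constructed allowlist of tenant subdomains the generic host may forward to.
ALLOWED_SUBDOMAINS = %w[subdomain1 subdomain2].freeze

# Build the redirect_uri sent in the authorize request (and again, unchanged,
# in the token exchange): the registered base plus a query parameter naming
# the tenant that started the OAuth dance.
def build_redirect_uri(tenant)
  uri = URI.parse(REGISTERED_REDIRECT)
  uri.query = URI.encode_www_form("tenant" => tenant)
  uri.to_s
end

# Local mirror of the server-side rule from the answer: the base URI up to
# the "?" must be identical to the registered value; only the query may vary.
def redirect_base_matches?(candidate)
  candidate.split("?", 2).first == REGISTERED_REDIRECT
end

# On the callback at the generic host, recover the tenant from the query and
# forward only to a known subdomain, so a tampered "tenant" value cannot turn
# the generic host into an open redirect. The OAuth "state" parameter (handled
# by Omniauth) still provides CSRF protection; the tenant hint is not a
# substitute for it.
def tenant_redirect_target(callback_url)
  params = URI.decode_www_form(URI.parse(callback_url).query.to_s).to_h
  tenant = params["tenant"]
  return nil unless ALLOWED_SUBDOMAINS.include?(tenant)
  "https://#{tenant}.domain.com/oauth/complete?code=#{params['code']}"
end
```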