Refresh Token

VAFBM
Frequent Participant

I know the access_token expires after 2 hours without use and 24 hours at most.

How soon does the refresh token expire?

Neil

Jimmy_D
Moderator

Hello @VAFBM,

Thank you for reaching out to Constant Contact's API Support.

Based on our settings/documentation and testing, the Refresh Token does not expire. Please keep in mind our production tokens have not gone more than 12 months, but they are not supposed to expire.


Regards,
Jimmy D.
Tier II API Support Engineer

If the refresh tokens don't expire, how should apps handle the following error?

{ error_description: 'unknown, invalid, or expired refresh token', error: 'invalid_grant' }

When this happens in an app that's machine to machine that doesn't receive user input, there doesn't seem to be a way to recover and refresh the tokens.

Since the CC API seems to ignore a machine to machine scenario where refresh tokens really don't make a whole lot of sense, especially since using the API key and secret seems reasonable when a user's browser isn't involved, I'm hoping someone can provide information on how to recover from an error when a refresh token becomes invalid. Otherwise, please confirm that the CC API cannot be (reliably) used in a machine to machine scenario.

Hi @GRRA,

That error message occurs when the Refresh Token you used was invalidated by generating another Refresh Token. When using the OAuth flow you would generate one Access/Refresh Token for a single Constant Contact account and then use that Refresh Token to generate a new Access/Refresh Token. When you generate the new Access/Refresh Token this will invalidate the previous tokens.


Regards,
Jimmy D.
Tier II API Support Engineer

There are at least two scenarios I can see where this can break down: 1) an error occurs after receiving the updated tokens but before the token is stored in the db, and 2) multiple requests to refresh the tokens are in flight simultaneously. In the first case, there wouldn't be a way to establish a new refresh token in a machine to machine scenario since the original refresh token would be invalid and there's no user to authenticate and generate a new set of tokens. In the other case, the second request to refresh the tokens could update the db storing the refresh token and cause the refresh token obtained by the first request to be invalidated before the first overall request is complete.

I still don't understand why this flow would be appropriate in machine to machine scenarios where all requests are related to a single account. Why can't the API key and secret be used when exposing the secret via the user's browser isn't a concern? I don't think customers should be required to store tokens or any other state just to use the CC API.

I second this point. You are making it nearly impossible to implement this in any CMS. I've added a hook to sign people up in my CMS and I have to physically open my browser and refresh the token using your redirect URL all the time because this token keeps being invalidated, and I am doing it the proper way by using the refresh token, NOT the access token. How in any world is this practical?

We 1000% agree with you and have the same problem.

We are working on a video to clearly document the problem and the way we are approaching it, perhaps it is Developer error on our end, but I wanted to confirm and say to you "yes... this is a problem... we see it too"

I am also facing this issue, as I am using the same refresh token that was generated at OAuth but getting the same error { error_description: 'unknown, invalid, or expired refresh token', error: 'invalid_grant' }, and I have not done any OAuth that would invalidate the refresh token.

I've run into the same scenario. The `Server Flow` is not a Server Flow at all if it requires client interaction to authenticate.

My refresh_token keeps getting invalidated also for some reason.

Hi @JustinZ21,

The server flow refers to an application that is a server-side application, versus a client-side application such as a mobile app.

If your Refresh Token is getting invalidated, that is most likely due to generating another set of Access/Refresh Tokens for the same account.


Regards,
Jimmy D.
Tier II API Support Engineer

Hi Jimmy,

I just wanted to clarify what you are saying here regarding refresh tokens. In this scenario what would the outcome be:

I have one Constant Contact account. I have two accounts with another service. In each of my accounts with the other service I create an integration with Constant Contact, both these integration connections are using the same OAuth client as they are both from the same service. In this case will the second connection cause the refresh token for the first connection to be invalidated?

user747644
Participant

do we have any option to revoke the generated refresh token?

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

At this time, the existing refresh token can be invalidated either by using it, or by generating another token. When you generate the new Access/Refresh Token this will invalidate all previous tokens.


Regards,

Courtney E.
API Support Specialist

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
user257273
Participant

I have an application developed with React and Gatsby and deployed on Netlify. I've been facing the same issues with the tokens (expiring in 24 hours at the most) and indeed I tried to re-generate new ones through the refresh token!

According to the manual, a token is re-generated via a POST request to https://idfed.constantcontact.com/as/token.oauth2 including the appropriate headers (grant_type and refresh_token). I am using the axios API to make that call.

The problem here is that when I post this request I am experiencing an error regarding CORS policy (Access to XMLHttpRequest at 'https://idfed.constantcontact.com/as/token.oauth2' from origin 'http://localhost:9000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.). The same error is raised when I run it on the production server, not only on localhost. I've tried many ways to resolve it but none worked. Do you have any idea how I can resolve it?

Hello user257273,

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

In our V3 API, CORS is supported and the response should include an Access-Control-Allow-Origin header.

However, based on the logs for the API key that has recently connected with the account that you are posting from, I was seeing quite a few responses with the following error: "invalid_grant: unknown, invalid, or expired refresh token"

While the V3 API's access tokens automatically expire two hours after their last use and have a maximum lifetime of 24 hours, refresh tokens will not expire unless they have been used and/or a new token set has been generated. However, refresh tokens can only be used once, as generating a new set of tokens causes all previous tokens (access and refresh) to expire.

Once you have your first set of tokens, you'll want to set both the access token and the refresh token as values for corresponding variables in your application, so that when your program runs through step 5 of the OAuth2.0 Server Flow to get the new set of tokens it can assign new values to both of those variables to maintain an authenticated connection.

V3 API - Refresh the Access Token

https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-5-refresh-the-access-token

You can either have the application refresh the tokens on a timer based on the life of the access token, or you can have each submission check to see if the access token is still active, and then use the refresh token to generate a new set of tokens if not.

How to Make Access Tokens Last Longer

https://developer.constantcontact.com/api_guide/faqs_manage_applications.html

If you feel that my reply was not a good fit for your inquiry, please feel free to email our team directly at webservices@constantcontact.com and provide us with the API key you are using, the username for the Constant Contact account you are connecting with, as well as the full request, most recent refresh token value, and the full error response that you are receiving so that we can look into the issue with you further.

Please have a look and let us know if you have any other questions!


Regards,

Courtney E.
API Support Specialist

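As an added example (not Constant Contact's code and not posted by anyone in this thread), the Python below sketches the token handling Courtney describes (keep both tokens, check whether the access token is still live before each call, rotate with the refresh token when it is not) while guarding against the two failure modes GRRA raised earlier: a crash between receiving the new pair and storing it, and two refresh requests in flight at once. The token endpoint and the database are constructed stand-ins that model the single-use refresh behaviour described in the thread; the lifetimes are the ones stated on this page, and the client-side "last used" bookkeeping is an approximation of what the server tracks.

```python
import threading
import time
from dataclasses import dataclass

# Lifetimes as stated in the thread: access tokens expire 2 hours after last
# use and 24 hours after issue; each refresh token works exactly once.
ACCESS_IDLE_TTL = 2 * 3600
ACCESS_MAX_TTL = 24 * 3600
SAFETY_MARGIN = 60  # rotate a little early instead of racing the server clock


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    obtained_at: float
    last_used_at: float


class RefreshFailed(Exception):
    """invalid_grant from the token endpoint: only a user can re-authorize."""


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint (not the real service):
    rotating invalidates the previous pair, reuse yields invalid_grant."""

    def __init__(self, initial_refresh_token):
        self._valid_refresh = initial_refresh_token
        self._serial = 0
        self.calls = 0
        self._lock = threading.Lock()

    def refresh(self, refresh_token):
        with self._lock:
            self.calls += 1
            if refresh_token != self._valid_refresh:
                return {"error": "invalid_grant",
                        "error_description": "unknown, invalid, or expired refresh token"}
            self._serial += 1
            self._valid_refresh = f"refresh-{self._serial}"
            return {"access_token": f"access-{self._serial}",
                    "refresh_token": self._valid_refresh, "expires_in": 7200}


class TokenStore:
    """Constructed stand-in for the DB row holding the account's current pair."""

    def __init__(self, tokens):
        self._tokens, self._lock = tokens, threading.Lock()

    def load(self):
        with self._lock:
            return self._tokens

    def save(self, tokens):
        with self._lock:
            self._tokens = tokens


class TokenManager:
    def __init__(self, store, endpoint, now=time.time):
        self._store, self._endpoint, self._now = store, endpoint, now
        self._refresh_lock = threading.Lock()  # single-flight: one rotation at a time

    @staticmethod
    def _is_fresh(t, now):
        return (now - t.last_used_at < ACCESS_IDLE_TTL - SAFETY_MARGIN
                and now - t.obtained_at < ACCESS_MAX_TTL - SAFETY_MARGIN)

    def _touch(self, tokens):
        tokens.last_used_at = self._now()
        self._store.save(tokens)
        return tokens.access_token

    def get_access_token(self):
        """Return a usable access token, rotating the pair at most once."""
        tokens = self._store.load()
        if self._is_fresh(tokens, self._now()):
            return self._touch(tokens)
        with self._refresh_lock:
            # Re-check under the lock: a concurrent caller may already have
            # rotated, and the refresh token loaded above would now be dead.
            tokens = self._store.load()
            if self._is_fresh(tokens, self._now()):
                return self._touch(tokens)
            resp = self._endpoint.refresh(tokens.refresh_token)
            if "error" in resp:
                raise RefreshFailed(resp)
            now = self._now()
            new = TokenSet(resp["access_token"], resp["refresh_token"], now, now)
            # Persist before handing the token out: the old refresh token is
            # already consumed, so losing this pair strands the integration.
            self._store.save(new)
            return new.access_token


def concurrent_refresh_demo(workers=8):
    """Stale pair plus N simultaneous callers: exactly one refresh happens."""
    endpoint = FakeTokenEndpoint("refresh-0")
    store = TokenStore(TokenSet("access-0", "refresh-0", 0.0, 0.0))
    manager = TokenManager(store, endpoint, now=lambda: 100_000.0)
    results = []
    threads = [threading.Thread(target=lambda: results.append(manager.get_access_token()))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    calls = endpoint.calls
    reuse = endpoint.refresh("refresh-0")  # reproduces the error quoted in the thread
    return {"tokens": set(results), "refresh_calls": calls, "reuse_error": reuse.get("error")}


if __name__ == "__main__":
    print(concurrent_refresh_demo())
```

The lock plus the re-check after acquiring it is what keeps two workers from each spending the same refresh token; the save-before-return ordering is what keeps a crash from leaving the database holding an already-consumed token. When `RefreshFailed` is raised there is nothing the process can do on its own, so it should be surfaced as an alert that the account needs to be re-connected rather than retried.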