Request forbidden due to insufficient authorization scopes.

SOLVED
RyanM244
Retail

We upgraded from an old integration to the v3 a couple months ago, and everything was working correctly. I was able to construct a request that gave me an access token and a refresh token, which we then used whenever the auth token expired, and all that worked fine.

Over the weekend, the API started returning an Unauthorized response when we called with a Refresh Token to get a new Auth Token, although nothing had changed in our code or the account settings. I then went in and went through the process to get a Code and from there get a new Refresh Token and Auth Token just to see if that helped. After doing that, a connection to add a contact now returns "Request forbidden due to insufficient authorization scopes." I have tried going to /account/user/privileges via the API and it seems to show all privileges are in place.

Has anyone seen this or have any insight?

1 ACCEPTED SOLUTION
Courtney_E
Moderator

Hello RyanM244,

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

It looks like you may have already resolved your issue, as I see successful list additions via your key from 10/22 after this post was made, but here is some insight into what may have caused the issue:

My best guess is that your application is making asynchronous calls. (Having each submission check to see if the access token is still active, and then using the refresh token to generate a new set of tokens if not.) This can potentially result in your application sending an additional refresh request without first verifying that a response from the previous attempt has been received.

From what I can see in our logs, it looks like two list addition requests were sent at nearly the exact same time on 09/18, but the response for the second refresh request comes back before the first one, causing the application to save an expired token set.

While this occurrence is rare, here are two options to consider for future prevention if desired:

Option 1: If you’re going to refresh the tokens at the time of the request, you’d want to set up your application for synchronous requests, so that until a response is returned by the API, your application will not execute additional requests.

Option 2: Have the application refresh the tokens on a timer based on the life of the access token, rather than per request:

How to Make Access Tokens Last Longer

https://developer.constantcontact.com/api_guide/faqs_manage_applications.html

Please have a look and let us know if you have any other questions!

Regards,

Courtney E.
API Support Specialist

2 REPLIES

RyanM244
Retail

Courtney,

We were able to figure it out. When we reset the token manually, the scope was not set correctly in the request so the new one didn't have access, which is what the Insufficient Authorization Scopes message meant.

That is good to know with those possible solutions, we'll take a look at those going forward.

Thanks!
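Both failure modes in this thread (the moderator's diagnosis of two overlapping refresh requests, where the slower response overwrites the newer token set, and the reporter's under-scoped re-authorization) can be caught on the client side. The following is an added example, not Constant Contact's code and not the integration discussed above. It assumes an OAuth2 token response carrying a space-delimited `scope` field in the RFC 6749 format; the scope names and the `FakeTokenEndpoint` that rotates one-time refresh tokens are constructed stand-ins for the demo. The manager takes a lock around the refresh so concurrent callers never send a second refresh while the first is in flight (the moderator's Option 1), refreshes ahead of expiry rather than on a 401 (Option 2), and refuses to persist a token set that lacks a required scope.

```python
"""Single-flight token refresh with scope validation (added example)."""
import threading
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Set

# Assumption: scopes this integration needs. Names are illustrative only.
REQUIRED_SCOPES = frozenset({"contact_data", "offline_access"})


class ScopeError(Exception):
    """Token response does not grant every required scope."""
    def __init__(self, missing: Set[str]):
        super().__init__(f"token response is missing scopes: {sorted(missing)}")
        self.missing = missing


def validate_scopes(token_response: Dict, required: Iterable[str]) -> Set[str]:
    """Required scopes absent from the space-delimited ``scope`` field; empty set = OK."""
    granted = set(token_response.get("scope", "").split())
    return set(required) - granted


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float          # absolute epoch seconds
    scopes: FrozenSet[str]


class TokenManager:
    """Holds one token set; refreshes at most once per expiry window.

    The first caller to find the token stale takes the lock and refreshes;
    everyone else blocks, re-checks, and reuses the fresh token."""
    def __init__(self, initial: TokenSet, refresh_fn: Callable[[str], Dict],
                 required: Iterable[str] = REQUIRED_SCOPES, margin: float = 60.0):
        self._tokens = initial
        self._refresh_fn = refresh_fn
        self._required = frozenset(required)
        self._margin = margin       # refresh this many seconds before expiry
        self._lock = threading.Lock()
        self.refresh_calls = 0      # instrumentation for the demo

    def current(self) -> TokenSet:
        return self._tokens

    def _stale(self, now: float) -> bool:
        return self._tokens.expires_at - now <= self._margin

    def get_access_token(self, now: float) -> str:
        if not self._stale(now):
            return self._tokens.access_token
        with self._lock:
            if self._stale(now):    # another thread may have refreshed meanwhile
                self._refresh(now)
            return self._tokens.access_token

    def _refresh(self, now: float) -> None:
        self.refresh_calls += 1
        resp = self._refresh_fn(self._tokens.refresh_token)
        missing = validate_scopes(resp, self._required)
        if missing:
            raise ScopeError(missing)   # keep the old set; do not save an under-scoped one
        self._tokens = TokenSet(resp["access_token"], resp["refresh_token"],
                                now + float(resp["expires_in"]),
                                frozenset(resp["scope"].split()))


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: each refresh token works once."""
    def __init__(self, scope: str = "contact_data offline_access"):
        self._valid, self._n, self._scope = {"rt-0"}, 0, scope
        self._lock = threading.Lock()

    def refresh(self, refresh_token: str) -> Dict:
        with self._lock:
            if refresh_token not in self._valid:
                raise PermissionError("invalid_grant: refresh token already used")
            self._valid.discard(refresh_token)
            self._n += 1
            self._valid.add(f"rt-{self._n}")
            return {"access_token": f"at-{self._n}", "refresh_token": f"rt-{self._n}",
                    "expires_in": 7200, "scope": self._scope}


NOW = 1_700_000_000.0   # fixed clock so the demos are deterministic


def concurrent_refresh_demo(workers: int = 8):
    """Many workers hit an expired token at once; returns (refresh calls, tokens used)."""
    endpoint = FakeTokenEndpoint()
    mgr = TokenManager(TokenSet("at-0", "rt-0", NOW - 1, REQUIRED_SCOPES), endpoint.refresh)
    seen, seen_lock = set(), threading.Lock()

    def worker():
        tok = mgr.get_access_token(NOW)
        with seen_lock:
            seen.add(tok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return mgr.refresh_calls, seen


def under_scoped_refresh_demo():
    """Endpoint grants too little; returns (missing scopes, refresh token still held)."""
    endpoint = FakeTokenEndpoint(scope="account_read")
    mgr = TokenManager(TokenSet("at-0", "rt-0", NOW - 1, REQUIRED_SCOPES), endpoint.refresh)
    try:
        mgr.get_access_token(NOW)
    except ScopeError as exc:
        return sorted(exc.missing), mgr.current().refresh_token
    return None
```

With the lock, eight concurrent callers produce exactly one refresh and all use the same new access token, so no stale refresh token is ever written back. The scope check turns the reporter's situation into a loud failure at token-exchange time instead of a "Request forbidden due to insufficient authorization scopes" on the first contact call; the same `validate_scopes` check belongs on the authorization-code exchange as well as on refresh.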