Setting up authentication but need a variable redirect URI

SOLVED
Occasional Participant

Re: Setting up authentication but need a variable redirect URI

Hi Jimmy,


Thanks for your reply. 


In this scenario you can have multiple Access Tokens to the same Constant Contact account with the v3 API. I just tested this to verify it works.


Yes, this works for sure. I can get multiple Access Tokens in my websites. The issue is that I CANNOT refresh tokens. When the access token expired and I tried to refresh the token, only the last authorized website could get the tokens, but not the others. I got the 400 error with a message like this:


{"error_description":"unknown, invalid, or expired refresh token","error":"invalid_grant"}

That's why I suspect the refresh token is invalidated every time I authorize a new website. To reproduce this, can you try:


1. Authorize on multiple websites.

2. Refresh tokens on all sites.

3. See if all sites can get the refreshed tokens, or if the error message shows up.


If it works at your end, can you explain in what scenario I could get the above error message? Thanks! 

Moderator

Re: Setting up authentication but need a variable redirect URI

Hi @user24983,


You are correct. I was going through the Access Token phase, but did not go through the Refresh Token phase. You can get multiple Access Tokens, but when you then try to refresh those it "breaks" the tokens. I was only able to refresh one token.


It appears this is set up purposefully for security reasons. I understand your scenario of having one Constant Contact account connected to two different installations (websites). Can you tell me how often this occurs with your plugin? I'll take this to our engineers with your use case and the number of times you run into this and see what they say.


Regards,
Jimmy D.
Tier II API Support Engineer

Occasional Participant

Re: Setting up authentication but need a variable redirect URI

Hi Jimmy,


Thanks for your reply. I understand this could be for security reasons. I noticed that in the CTCT API we cannot revoke a refresh token, and I guess that's why such auto-invalidation is needed.


As to how often this would occur, from my experience it's very common to have subscription forms on websites nowadays, especially for marketing websites. And it's also very common, as you can imagine, for CTCT customers to run multiple websites, taking subscriptions from different websites and sending them to different lists to segment contacts; that's how email marketing businesses work these days.


If there's no solution, we need to make the customers aware of it (or our plugin will look buggy). And we would then probably suggest users register their own apps, if that's the case. We'd really appreciate it if this is something that can be changed in the API, since we all know that for non-techy people, registering their own apps will be challenging work.


When you get the chance, can you let me know your team's decision on it? Thank you!
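Added example, not code from the thread or from Constant Contact: an offline Python model of the failure mode discussed above (the three reproduction steps in the first post, and the "register their own apps" workaround in the last). A simulated OAuth 2.0 authorization server keeps a single live refresh token per (account, client_id) pair and invalidates the previous one whenever that client is authorized again, which reproduces the invalid_grant response quoted in the thread. Keying on client_id (so that separately registered apps get independent tokens) and rotating the refresh token on every successful refresh are both assumptions of this model, not documented Constant Contact behaviour; the request body shape follows RFC 6749 section 6.

```python
"""Constructed simulation of one-live-refresh-token-per-client behaviour."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Tokens:
    access_token: str
    refresh_token: str


@dataclass
class AuthServer:
    """Toy authorization server (ASSUMPTION: models, does not reproduce, CC v3)."""
    # (account, client_id) -> the one refresh token currently honoured
    live_refresh: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # refresh token -> (account, client_id) so /token can find its owner
    owner_of: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def _issue(self, account: str, client_id: str) -> Tokens:
        key = (account, client_id)
        old = self.live_refresh.get(key)
        if old is not None:
            # New refresh token replaces the old one; any installation still
            # holding the old one will get invalid_grant on its next refresh.
            self.owner_of.pop(old, None)
        rt = "rt_" + secrets.token_urlsafe(16)
        self.live_refresh[key] = rt
        self.owner_of[rt] = key
        return Tokens("at_" + secrets.token_urlsafe(16), rt)

    def authorize(self, account: str, client_id: str) -> Tokens:
        """Authorization-code flow collapsed to its outcome: a fresh token pair."""
        return self._issue(account, client_id)

    def token(self, form: dict) -> dict:
        """Handle a refresh_token grant, returning the JSON the thread quotes."""
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        key = self.owner_of.get(form.get("refresh_token", ""))
        if key is None or key[1] != form.get("client_id"):
            return {"error": "invalid_grant",
                    "error_description": "unknown, invalid, or expired refresh token"}
        t = self._issue(*key)  # ASSUMPTION: rotate on every successful refresh
        return {"access_token": t.access_token, "refresh_token": t.refresh_token}


@dataclass
class Site:
    """One website / plugin installation holding its own stored token pair."""
    name: str
    client_id: str
    tokens: Optional[Tokens] = None

    def connect(self, server: AuthServer, account: str) -> None:
        self.tokens = server.authorize(account, self.client_id)

    def refresh(self, server: AuthServer) -> bool:
        """Refresh once; on invalid_grant drop the pair instead of retrying."""
        if self.tokens is None:
            return False
        body = {  # RFC 6749 s6 refresh request, minus the HTTP transport
            "grant_type": "refresh_token",
            "refresh_token": self.tokens.refresh_token,
            "client_id": self.client_id,
        }
        resp = server.token(body)
        if "error" in resp:
            self.tokens = None  # only recovery is a new user authorization
            return False
        self.tokens = Tokens(resp["access_token"], resp["refresh_token"])
        return True


def reproduce(shared_app: bool) -> Dict[str, bool]:
    """Run the thread's three steps for two sites on one account.

    shared_app=True: both sites use the same registered app (same client_id),
    which is the plugin scenario in the thread. shared_app=False: each site has
    registered its own app, the workaround suggested in the last post.
    Returns {site name: refresh succeeded}.
    """
    server = AuthServer()
    ids = ["plugin_app", "plugin_app"] if shared_app else ["app_site_a", "app_site_b"]
    sites = [Site("site-a", ids[0]), Site("site-b", ids[1])]
    for s in sites:                       # step 1: authorize on multiple websites
        s.connect(server, "account-1")
    return {s.name: s.refresh(server) for s in sites}  # steps 2 and 3


if __name__ == "__main__":
    print("shared app:", reproduce(True))      # site-a loses its refresh token
    print("separate apps:", reproduce(False))  # both refresh fine
```

The practical point for a plugin author: treat invalid_grant on refresh as terminal for that installation (clear the stored pair and prompt the account owner to re-authorize) rather than retrying, because in this model every retry with the superseded token fails the same way, and re-authorizing site A will in turn break site B.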
