I believe the OAuth2 implementation you currently have suffers from a potential security flaw. Luckily, allowing the redirect_uri to have a state parameter that is returned with the access code solves the problem and is an easy fix.
Thank you for reaching out to Constant Contact API Developer Support and for your patience. My team is here to assist outside software developers with questions about building into Constant Contact's API.
Your feedback regarding the use of OAuth 2.0 has been submitted for review and consideration by our team. Your experience with this request is essential to improving our product, so thank you for reaching out to us regarding this matter.
Courtney E. API Support Specialist