We have an internal .Net Framework service using v2 API that has one role: Allow multiple public-facing sites to add email addresses to our different mailing lists. This internal service manages all the authentication with CTCT for the public-facing sites. The task at hand is to upgrade the service to .Net Core 3.1. While not a requirement, it seems logical to upgrade from v2 API to v3 API.
Q1: Considering the simplicity of the service, is there any compelling reason to upgrade to v3?
Q2: Is this interpretation of reading the OAuth 2.0 Server Flow correct?
Considering this service is used by only our public-facing web sites, the process of getting the Authorization Code is regarding our one account with CTCT getting access to CTCT. Because of this, it should be transparent to the public-facing web sites.
Based on that being a correct understanding, the following code has been modified from code examples in the Beginner C# V3 API Example post and returns an error of:
"error_message": "The requested resource was not found."
    var baseUrl = "https://api.cc.email/v3/idfed?client_id=" + apikey + "&redirect_uri=https%3A%2F%2Flocalhost%3A5000&response_type=code&grant_type=authorization_code";
    var client = new RestClient(baseUrl);
    var request = new RestRequest(Method.POST);
    IRestResponse response = client.Execute(request);

From the Beginner C# V3 API Example, support said this:
Our V3 API is only able to be used with OAuth so there is no way to bypass the initial connection. However, once you have connected a Constant Contact account and received the initial access token and refresh token, you would use the refresh flow to exchange the refresh token for a new access token and refresh token without having to have the account owner log in again.
Q3: Is there an example out there of how the service can acquire the initial access token?
We did not ever find a solution, so at that time I resorted to simply using API v2. Since then I have learned that V2 is going to be sunsetting sometime in 2021, so I am back trying to understand how API v3 works. Here is the question I am posting to Stack Overflow:
We have an internal .Net Framework service which uses the Constant Contact v2 API that has one role: Allow multiple public-facing sites to add email addresses to our different mailing lists when the user clicks a button or selects a checkbox to add their email address to the given mailing list. I am rewriting it to be a .Net Core framework using Constant Contact's V3 API.
From looking at the Constant Contact’s website (and others), it looks like our application should follow the "OAuth 2.0 Server Flow". I am failing to understand step #2, the "add the authorization request URL to your application". From all indications this is the phase where the human has to give the website access to their data on the API system that is being used. In this case the “system” is Constant Contact and the website is my company, but the ‘user’ is not the human, but also my company.
My impression of what needs to happen is this:
A human browses to our web site, fills out a form where they provide their email address, and clicks on the <add to mailing list> checkbox.
For the website to process this request, it goes through the 5 steps talked about on the "OAuth 2.0 Server Flow" page. In this case the website using the company’s username/password will be requesting access to the company's Constant Contact data. In doing so, it will get the needed Access Token to add the user to the mailing list.
I have two issues:
Q1: I have no idea how the website gets around the interactive phase of step 2. All the documentation I can find talks about it being a human interaction, but in this case that is the website, itself.
Q2: Considering the company's username/password are needed to create the API key and secret, it seems like this whole process is totally redundant. It would seem that all the wonderful security that is added by using OAuth2.0 just went out the door because now the web application has to have both the username/password and API key/secret embedded in it.
It is Q2 that makes me question whether or not I have the correct understanding of how all this is to work.
I would simply love to see a WORKING example (IN ANY language) of how a website can add an email address to a given Constant Contact mailing list. It would go a long way to see one program that from start to finish authenticates with Constant Contact via API V3, adds an email address to a list, and drops the authentication token correctly.
It looks like we have already followed up with you directly via email, but here is the information again for visibility on the forum:
Q1: The compelling reasons for upgrading to V3 would be better security, better documentation, more functionality, active development, and ongoing support. There will be a point where V2 will be deprecated. If the plan is to upgrade to .Net Core 3.1 then I would recommend upgrading to the V3 API to ensure you're ahead of the curve.
Q2: Correct, there is no way to bypass the connection and the flow is accurate. Once the account has been connected you can then use the OAuth 2.0 flow to exchange the refresh token for a new refresh and access token without the owner needing to log in again. For further information on the OAuth 2.0 Server flow, here is an article which goes into further detail: https://developer.constantcontact.com/api_guide/server_flow.html
Q3: Other than our V3 documentation on how to obtain an access token, we don't have any primary samples we can supply. Just in case, below is a link to documentation on an API tester using V3.
Seriously no way to upload new contacts without a user being involved? You do know that people have websites that collect user info and developers want an easy way to add contacts to their list, vs exporting and importing manually? If I can do this with Stripe and credit cards, certainly should be able to do it with email list.
Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.
After you complete the OAuth2 server flow for V3, Constant Contact returns an access token and refresh token. You can use access tokens to make requests using the V3 API, and you can use the refresh tokens to obtain new access tokens without any user input. This ensures that you only need to authenticate the account you’ll be connecting to once. After the initial authentication, you’ll just use the refresh token and access token to complete your future requests.
V3 API OAuth2.0 Server Flow
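
The split support describes (one browser sign-in by the account owner, then unattended refreshes by the internal service) looks like this in C#. This is an added example, not code from Constant Contact or from the posts above. It assumes standard OAuth 2.0 (RFC 6749) parameter names and HTTP Basic client authentication; `TokenEndpoint` is a placeholder to be replaced from the Server Flow documentation, and the class name, method names and sample JSON are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;

public static class CtctTokens
{
    const string AuthorizeUrl = "https://api.cc.email/v3/idfed";         // from the post above
    const string TokenEndpoint = "https://TOKEN-ENDPOINT.invalid/token"; // placeholder, see docs

    // One-time step: the account owner opens this URL in a browser and signs in.
    public static string BuildAuthorizeUrl(string clientId, string redirectUri, string state) =>
        AuthorizeUrl + "?response_type=code"
        + "&client_id=" + Uri.EscapeDataString(clientId)
        + "&redirect_uri=" + Uri.EscapeDataString(redirectUri)
        + "&state=" + Uri.EscapeDataString(state); // anti-CSRF value, verified on the redirect

    // Unattended step: exchange the stored refresh token (RFC 6749, section 6).
    public static HttpRequestMessage BuildRefreshRequest(string clientId, string secret, string refreshToken)
    {
        var form = new Dictionary<string, string>
            { ["grant_type"] = "refresh_token", ["refresh_token"] = refreshToken };
        var req = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint) { Content = new FormUrlEncodedContent(form) };
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(clientId + ":" + secret));
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        return req;
    }

    // The reply carries a NEW refresh token: persist it before using the access token.
    public static (string Access, string Refresh, DateTimeOffset Expires) ParseTokenResponse(string json, DateTimeOffset now)
    {
        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;
        var ttl = root.TryGetProperty("expires_in", out var e) ? e.GetInt32() : 0;
        return (root.GetProperty("access_token").GetString(),
                root.GetProperty("refresh_token").GetString(),
                now.AddSeconds(ttl));
    }

    public static void Main()
    {
        Console.WriteLine(BuildAuthorizeUrl("YOUR_API_KEY", "https://localhost:5000", Guid.NewGuid().ToString("N")));
        var sample = "{\"access_token\":\"at-constructed\",\"refresh_token\":\"rt-constructed\",\"expires_in\":7200}"; // constructed
        var t = ParseTokenResponse(sample, DateTimeOffset.UtcNow);
        Console.WriteLine($"persist rotated refresh token ({t.Refresh.Length} chars); access token valid until {t.Expires:u}");
    }
}
```

Only the internal service needs the client secret and the current refresh token, so keep both in its secret store and never ship them to the public-facing sites. The account username and password are entered once in the browser and are not stored by the application.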