We did not ever find a solution, so at that time I resorted to simply using API v2. Since then I have learned that V2 is going to be sunsetting sometime in 2021, so I am back trying to understand how API v3 works. Here is the question I am posting to Stack Overflow:

We have an internal .Net Framework service which uses the Constant Contact v2 API that has one role: Allow multiple public-facing sites to add email addresses to our different mailing lists when the user clicks a button or selects a checkbox to add their email address to the given mailing list. I am rewriting it to be a .Net Core framework using Constant Contact's V3 API.

From looking at Constant Contact's website (and others), it looks like our application should follow the "OAuth 2.0 Server Flow". I am failing to understand step #2, the "add the authorization request URL to your application". From all indications this is the phase where the human has to give the website access to their data on the API system that is being used. In this case the "system" is Constant Contact and the website is my company, but the 'user' is not the human, but also my company.

My impression of what needs to happen is this: A human browses to our web site, fills out a form where they provide their email address, and clicks on the <add to mailing list> checkbox. For the website to process this request, it goes through the 5 steps talked about on the "OAuth 2.0 Server Flow" page. In this case the website, using the company's username/password, will be requesting access to the company's Constant Contact data. In doing so, it will get the needed Access Token to add the user to the mailing list.

I have two issues:

Q1: I have no idea how the website gets around the interactive phase of step 2. All the documentation I can find talks about it being a human interaction, but in this case that is the website itself.

Q2: Considering the company's username/password are needed to create the API key and secret, it seems like this whole process is totally redundant. It would seem that all the wonderful security that is added by using OAuth 2.0 just went out the door because now the web application has to have both the username/password and API key/secret embedded in it.

It is Q2 that makes me question whether or not I have the correct understanding of how all this is to work. I would simply love to see a WORKING example (IN ANY language) of how a website can add an email address to a given Constant Contact mailing list. It would go a long way to see one program that from start to finish authenticates with Constant Contact via API V3, adds an email address to a list, and drops the authentication token correctly.
We have an internal .Net Framework service using v2 API that has one role: Allow multiple public-facing sites to add email addresses to our different mailing lists. This internal service manages all the authentication with CTCT for the public-facing sites. The task at hand is to upgrade the service to .Net Core 3.1. While not a requirement, it seems logical to upgrade from v2 API to v3 API.

Q1: Considering the simplicity of the service, is there any compelling reason to upgrade to v3?

Q2: Is this interpretation of reading the OAuth 2.0 Server Flow correct? Considering this service is used by only our public-facing web sites, the process of getting the Authorization Code is regarding our one account with CTCT getting access to CTCT. Because of this, it should be transparent to the public-facing web sites.

Based on that being a correct understanding, the following code has been modified from code examples in the Beginner C# V3 API Example post and returns an error of:

"error_key": "not_found", "error_message": "The requested resource was not found."

var baseUrl =
"https://api.cc.email/v3/idfed?client_id=" + apikey + "&redirect_uri=https%3A%2F%2Flocalhost%3A5000&response_type=code&grant_type=authorization_code";
var client = new RestClient(baseUrl);
var request = new RestRequest(Method.POST);
IRestResponse response = client.Execute(request);

In the Beginner C# V3 API Example post, support said this:

Our V3 API is only able to be used with OAuth so there is no way to bypass the initial connection. However, once you have connected a Constant Contact account and received the initial access token and refresh token, you would use the refresh flow to exchange the refresh token for a new access token and refresh token without having to have the account owner log in again.

Q3: Is there an example out there of how the service can acquire the initial access token?
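The flow the two posts ask about, as an added example that is not part of the original posts and is not Constant Contact's own code: the account owner approves access once in a browser (a GET to the authorization URL), and from then on the service uses only the API key/secret and a rotating refresh token, never the account password. The authorize URL is the one quoted in the post; `TOKEN_URL`, the function names and the sample values are placeholders or assumptions, the form fields are the standard RFC 6749 ones, and the functions build the requests without sending them.

```python
import base64
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://api.cc.email/v3/idfed"  # as quoted in the post
TOKEN_URL = "https://token-endpoint.example/token"  # placeholder: take from provider docs

def authorization_url(client_id, redirect_uri, state):
    """Step 2: link the account owner opens in a browser, once (a GET, no secret)."""
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "response_type": "code", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)

def handle_callback(params, expected_state):
    """Redirect handler: accept the code only if state matches what we issued."""
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch, possible forged callback")
    return params["code"]

def token_request(client_id, client_secret, form):
    """Describe the server-to-server POST; the secret travels only in this header."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "url": TOKEN_URL, "body": urlencode(form),
            "headers": {"Authorization": "Basic " + basic,
                        "Content-Type": "application/x-www-form-urlencoded"}}

def code_exchange(client_id, client_secret, code, redirect_uri):
    """One-time exchange of the authorization code for the first token pair."""
    return token_request(client_id, client_secret, {
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})

def refresh_exchange(client_id, client_secret, refresh_token):
    """Unattended renewal: no browser and no account password involved."""
    return token_request(client_id, client_secret, {
        "grant_type": "refresh_token", "refresh_token": refresh_token})

class TokenStore:
    """Current token pair; persist it outside source code (vault, protected config)."""
    def __init__(self, access_token, refresh_token):
        self.access_token, self.refresh_token = access_token, refresh_token

    def rotate(self, response):
        # A refresh response carries a new refresh token; the old one is discarded.
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]
        return self.access_token

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # constructed sample values below
    print(authorization_url("SAMPLE_API_KEY", "https://localhost:5000", state))
```

The public-facing sites never see any of this: they call the internal service, which holds the token pair and renews it with `refresh_exchange` before the access token expires.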