Hi Elijah, I have a few follow-up questions.

First, just to be certain I'm understanding correctly - my software must use the redirect URI I registered with my Application to merely forward incoming requests back to the URI of my customer's installation. A 'code' query parameter will be present with the redirect, which I will then exchange for an access token using the API.

Assuming I'm on the right track, let's say I create a PHP script at http://www.integration.com/ctctredirect/. The script could look like this:

    <?php
    // Forward the incoming request, query string included, to whatever URL
    // arrived in the 'redirect' parameter, then stop so nothing else is sent.
    if ( isset( $_REQUEST['redirect'] ) && isset( $_SERVER['QUERY_STRING'] ) ) {
        header( "Location: " . $_REQUEST['redirect'] . "?" . $_SERVER['QUERY_STRING'] );
        exit;
    }

This leads to my questions:

(1.) Must this be a 302 redirect, or, if necessary, would a meta refresh or JavaScript redirect also be compatible with the Ctct API?

(2.) The $_REQUEST['redirect'] variable will contain the entire, URL-encoded value I pass during creation of the CtctOAuth2 object, right? I ask because the redirect URI I register with my Application accepts no query parameters. So, if I need additional query parameters, can they be passed to the OAuth2 object and, in turn, will Ctct pass them back along to my PHP redirect script?

(3.) If the above is all correct, then I wonder whether this PHP script I must use is creating an 'open redirect' security vulnerability for phishing attacks, etc. I presume I could check the HTTP referer inside my script, but I've read it's easy to spoof and not entirely reliable across all browsers. Do you guys have a best practice you recommend to your developers?

Thanks again for helping me through this!

Damon
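The open-redirect concern raised in question (3) is usually addressed by validating the target against a fixed allowlist rather than by checking the referer. The following is an added example of such a hardened redirect script; it is not from the original post or from the Constant Contact SDK, and it assumes the customer installation URL arrives in a `redirect` query parameter as in the snippet above, with the allowlist entries being constructed placeholders.

```php
<?php
// Added example (not from the original post or the Constant Contact SDK).
// Constructed placeholder allowlist of customer installation callback URLs;
// in practice this would be loaded from the integrator's own configuration.
const ALLOWED_TARGETS = [
    'https://customer-one.example/ctct/callback',
    'https://customer-two.example/ctct/callback',
];

// Returns the full redirect URL to send the browser to, or null if the
// request must be rejected (missing code, or a target not on the allowlist).
function resolveTarget(array $query, array $allowed): ?string
{
    // The authorization code is required and must be a plain string.
    if (!isset($query['code'], $query['redirect'])
        || !is_string($query['code']) || $query['code'] === '') {
        return null;
    }
    // Exact-match comparison (not a prefix or substring check) against the
    // allowlist is what keeps this from being an open redirect: only a URL
    // the integrator registered for a customer can ever be used.
    if (!in_array($query['redirect'], $allowed, true)) {
        return null;
    }
    // Forward only the parameters the OAuth flow needs (code, plus state if
    // present) instead of the raw incoming query string.
    $forward = ['code' => $query['code']];
    if (isset($query['state']) && is_string($query['state'])) {
        $forward['state'] = $query['state'];
    }
    return $query['redirect'] . '?' . http_build_query($forward);
}

$target = resolveTarget($_GET, ALLOWED_TARGETS);
if ($target === null) {
    http_response_code(400);
    header('Content-Type: text/plain');
    echo 'Invalid redirect request.';
    exit;
}
// Explicit 302 redirect; exit so no further output follows the header.
header('Location: ' . $target, true, 302);
exit;
```

Because the target is matched exactly against registered URLs, a forged `redirect` value simply yields a 400 response, so the referer header never needs to be consulted.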