Hello user8916157,

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

While the wildcard option has been removed from the redirect URI at the domain root level in our V3 API's new authorization management service in order to improve security, there are still other options available as far as passing additional information via your authorization request.

Within the redirect URI itself,  the lowest level subdomain will still support wildcards.

Example Request URIs:

App Redirect URI: https://subdomain*.example.com/oidc/redirect

Auth request URL Redirect URI: https://subdomainvalue.example.com/oidc/redirect

App Redirect URI: https://*.example.com/oidc/redirect

Auth request URL Redirect URI: https://value.example.com/oidc/redirect

Alternately, the newly added state parameter can also be used to pass additional values through the Authorization Request URL.

Here are three ways that you might implement this, from least secure to most secure:

Option 1:

Use the additional value as the state value (least secure, directly exposes the additional value in the URL, and so isn't secure).

Option 2:

Base64 encode the additional values, and use that as the state value (more secure, but still not random, and can be decoded).

Option 3:

Come up with some formula to encode the additional values + a random value, which your program can decode when you get the response (fairly secure).

Option 4:

Use a completely random state value for each additional value, save it within your application before sending the request associated with that value, then use the state value to look up the additional value upon receiving the response (most secure).

Please have a look and let us know if you have any other questions!