Which OAuth2 for Internal Server App?

LauraG70
Campaign Contributor
0 Votes

I'm new to the CC API.

I'm looking to connect our internal web-app to Constant Contact data using the API.

Our web-app will be running cron jobs from our server...so login page prompts are not possible.

 

The application process is asking me to choose:

  • Authorization Code Flow and Implicit Flow
  • Proof Key for Code Exchange (PKCE) Flow
  • Device Authorization Flow

And:

  • Rotating Refresh Tokens
  • Long Lived Refresh Tokens

I will be using cron jobs to periodically pull data from the cc api.

 

Which of the methods listed above is most suitable for this?

 

Thanks

3 REPLIES
John__B
Employee
0 Votes

Hello LauraG70,

 

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

 

Each of our available authorization flows requires the use of a browser window for a Constant Contact user to authorize an application/integration on their account. However, you should only need to do this once, as after authorization has been granted, your application/integration can utilize Refresh Tokens to maintain account access.

 

The Device Authorization flow is typically recommended for unattended or input-constrained applications, as it does not use redirect URLs, callbacks or the client secret. Instead, it requires getting a device_code, and then the application’s client_id and the device_code are used to get an Access Token. A verification_uri is returned in the response for the initial authorization request, which is used to authorize the application on a Constant Contact account.

 

As far as choosing between Rotating and Long Lived Refresh Tokens, the difference is that Rotating Refresh Tokens will return a new Refresh Token value each time the token set is refreshed. This is recommended for most applications as it is more secure. Long Lived Refresh Tokens will continue to use the same Refresh Token value indefinitely. 

 

Please have a look and let us know if you have any other questions!

 

Regards,


John B.
API Support Specialist
Did I answer your question? If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
LauraG70
Campaign Contributor
0 Votes

Okay, thanks.

 

I was able to authorize and start using the API in some initial tests using Insomnia App.
After reading your response I figured I would give this "device flow" a whirl...no such luck. There is no setting for Grant Type > OAuth2: Device Flow...like there is for Grant Type > OAuth2: Authorization Code. The latter works fine for API access using the Authorization Code method.

[Q1] Do you happen to know how to get "device flow" working in Insomnia App?

 

[Q2] If I stick with the "Authorization Code Flow"... can I simply refresh the token every 24 hours forever? (or some other recommended time interval) That way my app can run in the background without me ever authorizing again? 

 

Thanks

John__B
Employee
0 Votes

Hello LauraG70,

 

Thank you for your reply.

 

As the Insomnia app is a 3rd party application, we have limited visibility into its functionality. However, if you’re not seeing OAuth2 options for the Device authorization flow, it may be that the application doesn’t support that flow. You may want to check with Insomnia’s support team to confirm this. I’m including a link to their support page below.

 

Insomnia Support:

https://insomnia.rest/support

 

To answer your second question, you can refresh your token set with the Authorization Code flow every 24 hours indefinitely to ensure that your application maintains account access.

 

Please note that Insomnia is a 3rd party product and not built or supported by Constant Contact, so we are limited in the support we can provide, but will try to answer any questions to the best of our ability as they pertain to Constant Contact’s API endpoints and functionality.

 

Please have a look and let us know if you have any other questions!

 

Regards,


John B.
API Support Specialist
Did I answer your question? If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
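
The refresh step this thread discusses (a cron job that keeps access alive with Rotating or Long Lived Refresh Tokens), as an added example that is not part of the original posts and is not Constant Contact's code. It assumes a Unix host, a standard OAuth2 token response (`access_token`, `refresh_token`, `expires_in`), and a hypothetical `post_form` callable that sends the form to the token endpoint; `FakeRotatingEndpoint` is a constructed stand-in so the block runs offline.

```python
import fcntl
import json
import os
import tempfile
import time

def save_tokens(path, tokens):
    """Atomically replace the token file; mkstemp creates it with mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)  # a crash mid-write cannot leave a truncated token file

def get_access_token(path, post_form, client_id, now=time.time):
    """Return a usable access token, refreshing and persisting the token set if needed.
    post_form (hypothetical) POSTs form fields to the token endpoint and returns parsed JSON."""
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # overlapping cron runs must not spend the same refresh token
        with open(path) as f:
            tokens = json.load(f)
        if tokens["expires_at"] - 60 > now():  # still valid: no refresh, no rotation
            return tokens["access_token"]
        reply = post_form({"grant_type": "refresh_token",
                           "refresh_token": tokens["refresh_token"],
                           "client_id": client_id})
        if "access_token" not in reply:
            raise RuntimeError("refresh rejected: %s" % reply.get("error"))
        save_tokens(path, {
            "access_token": reply["access_token"],
            # Rotating: store the new value before using anything. Long lived: reply may omit it.
            "refresh_token": reply.get("refresh_token", tokens["refresh_token"]),
            "expires_at": now() + int(reply.get("expires_in", 0)),
        })
        return reply["access_token"]

class FakeRotatingEndpoint:
    """Constructed stand-in: issues a new refresh token on every refresh and rejects old ones."""
    def __init__(self, first_refresh_token):
        self.valid, self.n = first_refresh_token, 0

    def __call__(self, form):
        if form["refresh_token"] != self.valid:
            return {"error": "invalid_grant"}
        self.n += 1
        self.valid = "rt-%d" % self.n
        return {"access_token": "at-%d" % self.n, "refresh_token": self.valid, "expires_in": 3600}
```

If a rotated refresh token is lost before it is written to disk, the stored one is rejected and the one-time browser authorization has to be repeated, which is why the write is atomic and serialized.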