I believe the OAuth2 implementation you currently have suffers from a potential security flaw. Luckily, allowing the redirect_uri to have a state parameter that is returned with the access code solves the problem and is an easy fix.
See this article for a better explanation - https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authen...
Thank you for reaching out to Constant Contact API Developer Support and for your patience. My team is here to assist outside software developers with questions about building into Constant Contact's API.
Your feedback regarding the use of OAuth 2.0 has been submitted for review and consideration by our team. Your experience with this request is essential to improving our product, so thank you for reaching out to us regarding this matter.