I am trying to build some integration on top of the Octopus Deploy API to help my operations team initiate deployments currently configured in our on-prem hosted instance of Octopus Deploy. My application is a React app hosted on a separate domain to Octopus. The intent of my application is that when users need to interact with Octopus, they first get authenticated by POST-ing to the /integrated-challenge endpoint, which will log them in using the already configured NTLM authentication between their browsers/workstations and our Octopus instance.
The issue I’m having is that when I get the response from /integrated-challenge, my browser (Chrome/Edge) blocks the Octopus cookies because the SameSite attribute is not set and defaults to “Lax”. This means that subsequent requests to the Octopus API return a 401, as the cookies are not transmitted.
Is there a way to configure the SameSite attribute for Octopus cookies? Could Octopus Server be made to add SameSite=None if requests were coming from domains on the CORS whitelist?
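The behaviour the question runs into is the browser's SameSite rule, not anything specific to the API being called. The following is an added example, not code from the original post and not Octopus Deploy code: it parses a Set-Cookie header, decides whether a cross-site request from a single-page app would carry the cookie under the Chrome/Edge rules (unset SameSite treated as Lax; SameSite=None honoured only together with Secure), and checks whether a CORS response permits a credentialed fetch to read the reply. The cookie name, hostnames and headers are constructed for the example; the simplified "site" computation (last two host labels) is an assumption, since real browsers consult the Public Suffix List.

```javascript
// Added example: a model of the browser's SameSite and CORS-credential rules.
// Not from the original post and not Octopus Deploy code. Cookie names,
// hostnames and headers are constructed for illustration.

// Parse a Set-Cookie header value into name, value and the attributes we need.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: null, // null: attribute absent, browser applies its default
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'samesite') cookie.sameSite = v.toLowerCase();
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Registrable domain ("site") of a URL. Assumption: last two host labels.
// Real browsers use the Public Suffix List, so e.g. co.uk would differ.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Would the browser attach this cookie to the request?
//   - unset SameSite is treated as Lax (Chrome/Edge default)
//   - SameSite=None is only honoured with Secure; otherwise it is rejected
//   - Lax sends the cookie only on top-level navigations with safe methods,
//     so a fetch/XHR from another site never carries a Lax cookie
function wouldSendCookie(cookie, { initiatorOrigin, targetUrl, method = 'GET', topLevelNavigation = false }) {
  if (siteOf(initiatorOrigin) === siteOf(targetUrl)) {
    return { sent: true, reason: 'same-site request' };
  }
  const mode = cookie.sameSite || 'lax';
  if (mode === 'none') {
    return cookie.secure
      ? { sent: true, reason: 'SameSite=None; Secure permits cross-site use' }
      : { sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (mode === 'strict') {
    return { sent: false, reason: 'SameSite=Strict blocks every cross-site request' };
  }
  const safeMethod = ['GET', 'HEAD'].includes(method.toUpperCase());
  return topLevelNavigation && safeMethod
    ? { sent: true, reason: 'Lax permits top-level safe-method navigation' }
    : { sent: false, reason: 'Lax blocks cross-site fetch/XHR and POST' };
}

// Even when the cookie is sent, fetch(url, { credentials: 'include' }) from
// another origin can only read the response if the server echoes the exact
// origin in Access-Control-Allow-Origin (never "*") and sets
// Access-Control-Allow-Credentials: true.
function corsAllowsCredentials(responseHeaders, requestOrigin) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return h['access-control-allow-origin'] === requestOrigin &&
    h['access-control-allow-credentials'] === 'true';
}

// Worked scenario (constructed): the app on one site, the server on another.
const APP = 'https://deploy-portal.example.com';
const API = 'https://octopus.example.net/api/users/me';
const UNSET = parseSetCookie('session=abc123; Path=/; HttpOnly');
const FIXED = parseSetCookie('session=abc123; Path=/; HttpOnly; SameSite=None; Secure');

console.log('unset SameSite, XHR:', wouldSendCookie(UNSET, { initiatorOrigin: APP, targetUrl: API }));
console.log('None; Secure, XHR:  ', wouldSendCookie(FIXED, { initiatorOrigin: APP, targetUrl: API }));
console.log('CORS with "*":      ', corsAllowsCredentials(
  { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' }, APP));
```

The model deliberately leaves out Chrome's temporary "Lax-allowing-unsafe" exception (a cookie with no SameSite attribute is still sent on a top-level cross-site POST navigation for two minutes after being set); it does not help a fetch or XHR from a single-page app, which is the case in the question. The CORS check is the part that is easy to forget: switching the cookie to SameSite=None; Secure makes the browser attach it, but a wildcard Access-Control-Allow-Origin still causes a credentialed fetch to fail.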