We have managed to get our AD to play along and reproduce this issue and as a result now have a fix we can implement.
To help us plan the release/rollout for this issue, if we made this fix available from 2020.3 and onward, would you be willing to upgrade to the latest generally-available release to get this fix? Alternatively, we can release a new version of 2020.2 with this fix, but it will require a little more time to release as there have been some recent changes in this area of the code base.
Just letting you know that we have released the cookie domain and CORS header fixes as part of version 2020.3.2. If you are able to upgrade to this version, then it should resolve the issues you have been experiencing. Please let us know if that isn’t the case though.
We just upgraded to 2020.3.2 and now Octopus is sending the CORS headers in response to the /integrated-challenge endpoint. We do still have an issue, because the value for Access-Control-Allow-Origin is not correct.
We currently have the CORS whitelist configured as the wildcard. This should return a header like the following (assuming the request is coming from that host): Access-Control-Allow-Origin: http://octopus.internaldomain.corp
But the integrated challenge endpoint is returning this header: Access-Control-Allow-Origin: *
Other endpoints, like /api, are returning the correct header.
Apologies for the slow reply on this. I am looking at this for you today and it looks like we did indeed miss some of the behaviors from the server for this particular endpoint. I will get this fixed up as soon as possible. I should mention that the release may still be a little while off yet, so may require me to provide an updated version of the extension ready for you while we wait for the release to go out the door. I will let you know as soon as I have that ready for you.
We have once again made some changes on our which should bring the endpoint in-line with the existing api endpoints. You can access the updated extension here.
It would be greatly appreciated if you could once again give this a try during a maintenance window by taking a backup of your BuiltInExtensions folder, stopping your Octopus service, replacing the extension dll and restarting your Octopus service.
The changes will make sure we honor the Origin header and will respond with an Access-Control-Allow-Origin based on this header value when you have set a wildcard whitelist, which is the same as what the Octopus server does for the other api endpoints. Please let us know if that fixes the issue for you.
Apologies, it would seem the milestone was incorrectly assigned to the issue. I have adjusted it accordingly. The issue has definitely been fixed in the latest releases, so I would suggest 2020.3.6 or 2020.4.0 at this point.
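The header behaviour discussed in this thread, as an added example that is not part of the original posts and is not Octopus Server code: a hypothetical origin resolver that contrasts a literal `*` response with honoring the Origin header under a wildcard whitelist. The function names and the `Access-Control-Allow-Credentials` header are assumptions for illustration; the host is the one quoted in the thread.

```javascript
// Added example: hypothetical CORS origin resolver, not Octopus Server code.
// whitelist: array of allowed origins, or ["*"] for the wildcard setting.

// Accept only a well-formed serialized origin (scheme://host[:port]).
function parseOrigin(value) {
  try {
    const u = new URL(value);
    return u.origin === value ? value : null; // rejects paths, "null", malformed values
  } catch {
    return null;
  }
}

// Behaviour reported for /integrated-challenge: wildcard answered literally.
function literalWildcardHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Behaviour described for the fix: with a wildcard whitelist, honor the
// request's Origin header; otherwise echo it only on an exact whitelist match.
function corsHeaders(originHeader, whitelist) {
  const origin = originHeader ? parseOrigin(originHeader) : null;
  if (!origin) return {}; // no usable Origin: emit no CORS headers
  const allowed = whitelist.includes("*") || whitelist.includes(origin);
  if (!allowed) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true", // assumption: endpoint is called with credentials
    "Vary": "Origin", // response differs per Origin, so caches must key on it
  };
}

// The browser's CORS check for a credentialed request (Fetch standard):
// the header must equal the page's origin exactly; "*" is not accepted.
function passesCredentialedCheck(headers, pageOrigin) {
  return headers["Access-Control-Allow-Origin"] === pageOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

const page = "http://octopus.internaldomain.corp"; // host quoted in the thread
console.log("literal *:", passesCredentialedCheck(literalWildcardHeaders(), page));
console.log("echoed origin:", passesCredentialedCheck(corsHeaders(page, ["*"]), page));
```

With a wildcard whitelist this resolver reflects every well-formed origin, so when credentials are allowed any site can make credentialed reads; an explicit origin list narrows that.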