Commit
OAuth2: Make sure we actually handle CORS requests for known filter endpoints.

Add support for handling CORS requests and CORS preflight requests on the known
endpoints `/.ambassador/oauth2/logout` and `/.ambassador/oauth2/multicookie`.
The appropriate CORS headers are added to the response.

We ensure that the `Access-Control-Allow-Origin` header is set because some
browsers are more strict than others. In certain versions of Safari we have
witnessed that not including the origin causes Safari to reject the CORS
request.

While we respond to both CORS preflights and to CORS requests, we generally do
_not_ allow configuring the response: when the OAuth2 filter is in play,
there's pretty much only one Right Way to Respond.

Co-authored-by: Lance Austin <laustin@datawire.io>
Signed-off-by: Flynn <flynn@datawire.io>
(cherry picked from commit d2a22ec493d1d5e3986a93cbaef45eef847875fe)
Flynn authored and LanceEa committed Jul 20, 2022
1 parent f99ae26 commit 5424b42
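The exchange the commit message describes, worked through as an added example that is not edge-stack's own code: a small Go handler for the two known endpoints that answers the browser's CORS preflight itself and attaches CORS headers to the real request that follows. The handler and helper names (`knownEndpointHandler`, `addCORSHeaders`, `probe`), the `app.example.com` origin and the choice to echo the request's `Origin` header are assumptions; the commit only says that `Access-Control-Allow-Origin` is always set and that the response is not configurable.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// knownEndpoints are the two OAuth2 filter paths the commit names. Only these
// get CORS handling here; anything else falls through to a plain 404.
var knownEndpoints = map[string]bool{
	"/.ambassador/oauth2/logout":      true,
	"/.ambassador/oauth2/multicookie": true,
}

// isPreflight reports whether r is a CORS preflight: an OPTIONS request that
// carries both an Origin and an Access-Control-Request-Method header.
func isPreflight(r *http.Request) bool {
	return r.Method == http.MethodOptions &&
		r.Header.Get("Origin") != "" &&
		r.Header.Get("Access-Control-Request-Method") != ""
}

// addCORSHeaders attaches the headers a browser needs before it hands the
// response to the page. The request's Origin is echoed back (an assumption;
// the commit only says the header is always set) rather than "*", because
// browsers refuse a wildcard on credentialed requests and these endpoints
// work with cookies. It reports whether the request was cross-origin at all.
func addCORSHeaders(w http.ResponseWriter, r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false // same-origin or non-browser client: no CORS headers needed
	}
	h := w.Header()
	h.Set("Access-Control-Allow-Origin", origin)
	h.Set("Access-Control-Allow-Credentials", "true")
	// The response differs per Origin, so shared caches must key on it.
	h.Add("Vary", "Origin")
	return true
}

// knownEndpointHandler answers the preflight itself and attaches CORS headers
// to the real request before the (stubbed) endpoint logic runs.
func knownEndpointHandler(w http.ResponseWriter, r *http.Request) {
	if !knownEndpoints[r.URL.Path] {
		http.NotFound(w, r)
		return
	}
	addCORSHeaders(w, r)
	if isPreflight(r) {
		h := w.Header()
		h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
		// Allow exactly the headers the browser announced it wants to send.
		if want := r.Header.Get("Access-Control-Request-Headers"); want != "" {
			h.Set("Access-Control-Allow-Headers", want)
			h.Add("Vary", "Access-Control-Request-Headers")
		}
		h.Set("Access-Control-Max-Age", "600")
		w.WriteHeader(http.StatusNoContent) // a preflight answer carries no body
		return
	}
	// Actual request: a stand-in for the real logout / multicookie behaviour.
	fmt.Fprintf(w, "handled %s %s\n", r.Method, r.URL.Path)
}

// probe drives the handler in-process and returns the response, so the
// preflight and the follow-up request can be inspected without a server.
func probe(method, path, origin, requestMethod string) *http.Response {
	req := httptest.NewRequest(method, path, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if requestMethod != "" {
		req.Header.Set("Access-Control-Request-Method", requestMethod)
	}
	rec := httptest.NewRecorder()
	knownEndpointHandler(rec, req)
	return rec.Result()
}

func main() {
	// Constructed sample exchange: a page on app.example.com (placeholder
	// origin) posts to the logout endpoint, so the browser preflights first.
	const origin = "https://app.example.com"
	pre := probe("OPTIONS", "/.ambassador/oauth2/logout", origin, "POST")
	fmt.Println("preflight:", pre.StatusCode, pre.Header.Get("Access-Control-Allow-Origin"))
	actual := probe("POST", "/.ambassador/oauth2/logout", origin, "")
	fmt.Println("request:  ", actual.StatusCode, actual.Header.Get("Access-Control-Allow-Origin"))
}
```

Two design points worth noticing. `Vary: Origin` is added whenever the origin is echoed, otherwise a shared cache could serve one origin's `Access-Control-Allow-Origin` to another. And echoing whatever `Origin` arrives together with `Access-Control-Allow-Credentials: true` means every origin is trusted for these two paths; the commit treats that as the single right response for the filter's own endpoints and offers no configuration knob, which the example mirrors, so it is only appropriate for endpoints whose responses carry nothing another site could misuse.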
Showing 2 changed files with 24 additions and 0 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -92,6 +92,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest
browser to the last origin listed, rather than returning to the original URL. This has been
fixed.

- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and
`/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would
cause the browser to reject the request. This has now been fixed and these endpoints will attach
the appropriate CORS headers to the response.

## [2.3.2] TBD
[2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2

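Review bot: the new entry is vague about what "the appropriate CORS headers" are. The commit message states that `Access-Control-Allow-Origin` is always set and that the response is deliberately not configurable; one sentence saying so in the changelog would tell operators there is no knob to tune and which header to look for when debugging a browser rejection. Also make the grammar plural: "did not understand CORS requests or CORS preflight requests".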
@@ -107,6 +112,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest
browser to the last origin listed, rather than returning to the original URL. This has been
fixed.

- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and
`/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would
cause the browser to reject the request. This has now been fixed and these endpoints will attach
the appropriate CORS headers to the response.

## [3.0.0] 2022-06-29
[3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0

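Review bot: this hunk repeats the entry from the first hunk word for word in a second release section. With the cherry-pick landing on two release lines (the section above `## [2.3.2] TBD` and the section above `## [3.0.0] 2022-06-29`) that is presumably intended, but confirm both sections are the unreleased heads of their lines so the fix is not attributed to a version that already shipped, and apply the same wording fix ("requests") to both copies so they do not drift.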
14 changes: 14 additions & 0 deletions docs/releaseNotes.yml
@@ -50,6 +50,13 @@ items:
adjust the cookies for an active login (which only happens when using a refresh token), it
would erroneously redirect the web browser to the last origin listed, rather than
returning to the original URL. This has been fixed.
- title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints
type: bugfix
body: >-
Previously, the <code>OAuth2</code> filter's known endpoints <code>/.ambassador/oauth2/logout</code>
and <code>/.ambassador/oauth2/multicookie</code> did not understand CORS or CORS preflight request
which would cause the browser to reject the request. This has now been fixed and these endpoints will
attach the appropriate CORS headers to the response.
- version: 2.3.2
date: 'TBD'
notes:
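Review bot: the `title:` line has two typos that will appear verbatim in the rendered release notes: "CORs" should be "CORS" and "Fitler" should be "Filter", and "preflight request" should be plural. Suggested: `- title: Correctly handle CORS and CORS preflight requests on the OAuth2 filter's known endpoints`. The `<code>` markup in the body matches the neighbouring entries, so that part is fine.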
@@ -68,6 +75,13 @@ items:
adjust the cookies for an active login (which only happens when using a refresh token), it
would erroneously redirect the web browser to the last origin listed, rather than
returning to the original URL. This has been fixed.
- title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints
type: bugfix
body: >-
Previously, the <code>OAuth2</code> filter's known endpoints <code>/.ambassador/oauth2/logout</code>
and <code>/.ambassador/oauth2/multicookie</code> did not understand CORS or CORS preflight request
which would cause the browser to reject the request. This has now been fixed and these endpoints will
attach the appropriate CORS headers to the response.
- version: 3.0.0
date: '2022-06-29'
notes:
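Review bot: the same misspelled title ("CORs", "Fitler") is repeated here under the second version; since the two entries are identical text, correct both copies in the same commit so the 2.x and 3.x release notes stay consistent.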

0 comments on commit 5424b42
