- Type: Bug
- Resolution: Fixed
- Priority: High
- Component/s: Identity Internal - OAuth
- Major
Issue Summary
The CORS (Cross-Origin Resource Sharing) configuration for the https://auth.atlassian.com/authorize/.well-known/openid-configuration and https://auth.atlassian.com/.well-known/jwks.json endpoints does not allow access from client applications hosted on other domains. The endpoints do not include the necessary "Access-Control-Allow-Origin" header in their responses, so browser-based client applications cannot read the discovery document (or the JWKS) they need for a proper OpenID Connect integration.
Steps to Reproduce
1. Host a simple HTML test page.
2. On the test page, add the following JavaScript snippet to make a cross-origin GET request to the https://auth.atlassian.com/authorize/.well-known/openid-configuration endpoint of the Atlassian product:

    // Fetch the OIDC discovery document from the test page's origin
    fetch('https://auth.atlassian.com/authorize/.well-known/openid-configuration')
      .then(response => response.json())
      .then(data => console.log(data))
      .catch(error => console.error('Error fetching data:', error));

3. Open the hosted HTML page in a web browser and observe the console in the browser's developer tools.
4. Look for CORS-related error messages in the console, indicating that the request was blocked because the response lacked the required CORS headers.
Expected Results
The Access-Control-Allow-Origin setting for these endpoints should allow requests from any origin, so that the discovery document and JWKS are publicly readable and external client applications can connect successfully.
Actual Results
External users face issues accessing https://auth.atlassian.com/authorize/.well-known/openid-configuration and https://auth.atlassian.com/.well-known/jwks.json due to CORS policies restricting Access-Control-Allow-Origin to Atlassian domains.
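The expected and actual results above differ only in the response headers the browser sees. The following added example (not code from the ticket or from Atlassian) models the browser-side CORS decision for a cross-origin GET to a discovery or JWKS endpoint and runs it over constructed header sets; the origins and header maps are placeholders, and the rule that a wildcard origin is rejected when credentials are also allowed is the standard browser behaviour.

```javascript
// Added example, not from the ticket: models the browser-side CORS decision
// for a cross-origin GET to an OIDC discovery or JWKS endpoint and applies
// it to constructed response headers. Origins below are placeholders.

const CLIENT_ORIGIN = 'https://client.example';            // constructed third-party host
const FIRST_PARTY_ORIGIN = 'https://first-party.example';  // placeholder for an allowed domain

// Decide whether a simple (non-preflighted) cross-origin GET may read the
// response body. Returns { allowed, reason }.
function corsAllows(origin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const acao = h['access-control-allow-origin'];
  const withCreds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === undefined) {
    return { allowed: false, reason: 'Access-Control-Allow-Origin header missing' };
  }
  if (acao === '*') {
    // Browsers reject a wildcard when the response also allows credentials.
    return withCreds
      ? { allowed: false, reason: 'wildcard origin is invalid with credentials' }
      : { allowed: true, reason: 'wildcard origin' };
  }
  // Non-wildcard values must match the requesting origin exactly (scheme, host, port).
  return acao === origin
    ? { allowed: true, reason: 'origin explicitly allowed' }
    : { allowed: false, reason: `origin not allowed: ${acao}` };
}

// Constructed responses representing the states the ticket describes.
const RESPONSES = {
  // Actual result: no header at all, so the discovery document cannot be read.
  missing: { 'Content-Type': 'application/json' },
  // Restricted to a first-party domain: third-party clients are still blocked.
  firstPartyOnly: { 'Content-Type': 'application/json',
                    'Access-Control-Allow-Origin': FIRST_PARTY_ORIGIN },
  // Expected result: public, unauthenticated metadata readable from any origin.
  fixed: { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' },
};

// Evaluate every constructed response from the third-party client's origin.
function checkAll(origin = CLIENT_ORIGIN) {
  const out = {};
  for (const [name, headers] of Object.entries(RESPONSES)) out[name] = corsAllows(origin, headers);
  return out;
}

for (const [name, r] of Object.entries(checkAll())) {
  console.log(`${name}: ${r.allowed ? 'readable' : 'blocked'} (${r.reason})`);
}
```

Only the `fixed` response lets a third-party origin read the metadata; the discovery document and JWKS carry no secrets and are fetched without credentials, which is why a wildcard origin is appropriate here.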
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
- relates to ECOHELP-42536