Angular library SPA revoke API blocked

Questions
1

When using the revoke API for SPA signout function, the revoke access token POST request does not allow CORS, whereas the behaviour for regular OIDC apps, there is no need to revoke the access token prior to calling the signout function.
See the error message below:

image
image1822×47 43 KB

Re-attempts do pass through according to the transaction from the Network tab, but execution of the logout still won’t occur.

Workaround seems to be to add some error clauses and force revocation of the access token prior to calling the signout function.

async logout(e) {
    e.preventDefault();
    e.stopPropagation();
    let token = this.oktaAuth.getIdToken();
    let oktaLogoutUri = environment.END_SESSION_URI + "id_token_hint=" + encodeURIComponent(token)
      + "&post_logout_redirect_uri=" + encodeURIComponent(environment.LOGOUT_REDIRECT_URI);
    try {
      await this.oktaAuth.signOut();
    } catch (err) {
      console.error(err);
      window.location.assign(oktaLogoutUri);
     }
   }

Can you confirm if this is expected behaviour?

2

It seems you’re making things harder than they need to be. As long as you have http://localhost:4200 or https://<your-domain-name> as a trusted origin, log out with the following should work just fine.

  async logout() {
    await this.oktaAuth.signOut();
  }

See this blog + video for a demo.

1 Like
3

image
image788×500 52.1 KB

Haha wow…thank you for such a quick response - appreciate the support!

1 Like
4

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.