Angular library SPA revoke API blocked

When using the revoke API for SPA signout function, the revoke access token POST request does not allow CORS, whereas the behaviour for regular OIDC apps, there is no need to revoke the access token prior to calling the signout function.
See the error message below:


Re-attempts do pass through according to the transaction from the Network tab, but execution of the logout still won’t occur.

Workaround seems to be to add some error clauses and force revocation of the access token prior to calling the signout function.

async logout(e) {
    e.preventDefault();
    e.stopPropagation();
    let token = this.oktaAuth.getIdToken();
    let oktaLogoutUri = environment.END_SESSION_URI + "id_token_hint=" + encodeURIComponent(token)
      + "&post_logout_redirect_uri=" + encodeURIComponent(environment.LOGOUT_REDIRECT_URI);
    try {
      await this.oktaAuth.signOut();
    } catch (err) {
      console.error(err);
      window.location.assign(oktaLogoutUri);
     }
   }

Can you confirm if this is expected behaviour?

It seems you’re making things harder than they need to be. As long as you have http://localhost:4200 or https://<your-domain-name> as a trusted origin, log out with the following should work just fine.

  async logout() {
    await this.oktaAuth.signOut();
  }

See this blog + video for a demo.

1 Like


Haha wow…thank you for such a quick response - appreciate the support!

1 Like