Angular library SPA revoke API blocked

andrewc · June 9, 2021, 7:54pm

When using the revoke API for SPA signout function, the revoke access token POST request does not allow CORS, whereas the behaviour for regular OIDC apps, there is no need to revoke the access token prior to calling the signout function.
See the error message below:

Re-attempts do pass through according to the transaction from the Network tab, but execution of the logout still won’t occur.

Workaround seems to be to add some error clauses and force revocation of the access token prior to calling the signout function.

async logout(e) {
    e.preventDefault();
    e.stopPropagation();
    let token = this.oktaAuth.getIdToken();
    let oktaLogoutUri = environment.END_SESSION_URI + "id_token_hint=" + encodeURIComponent(token)
      + "&post_logout_redirect_uri=" + encodeURIComponent(environment.LOGOUT_REDIRECT_URI);
    try {
      await this.oktaAuth.signOut();
    } catch (err) {
      console.error(err);
      window.location.assign(oktaLogoutUri);
     }
   }

Can you confirm if this is expected behaviour?

mraible · June 9, 2021, 8:26pm

It seems you’re making things harder than they need to be. As long as you have http://localhost:4200 or https://<your-domain-name> as a trusted origin, log out with the following should work just fine.

  async logout() {
    await this.oktaAuth.signOut();
  }

See this blog + video for a demo.

andrewc · June 9, 2021, 8:43pm

Haha wow…thank you for such a quick response - appreciate the support!

system · February 10, 2024, 12:30am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.