Okta/okta-auth-js ^4.3.0" okta/okta-vue 3.0.0 this.$auth.signOut() CORS error


I am using the this.$auth.signOut() as shown in https://github.com/okta/samples-js-vue/blob/master/okta-hosted-login/src/App.vue

When I click the logout button, I get:
Access to fetch at ‘https://[okta domain]/oauth2/default/v1/revoke’ from origin ‘http://localhost:8080’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

http://localhost:8080 is in both the login and logout URLs section of the application.

Login and all of the other methods (e.g., getUser()) work fine, it is just the sign out function that seems to be having an issue.

Why does everything else work but sign out throws the CORS error?

If you add http://localhost:8080 as a trusted origin in API > Trusted Origins, it should fix the issue.

1 Like

Ok it is an organisationally managed account. I don’t see that option in the admin UI.

I do have my own developer account and do see that menu item there.

Guess I will have to see if they can do that. Thanks.

Out of curiosity, why does everything else work “out of the box”, but the sign out require the CORS setup?

Unlike some of the other endpoints used (authorize, token, etc), the revoke endpoint does require that a Trusted Origin be added for the application to be allowed to make the request.

Yeah I was more curious about the reasoning behind that design decision. What is special about revoke that it got the distinction or requiring the CORS setup vs the other endpoints?