Revoking an OAuth2 token

I am using the /authorize and /token endpoints from a browser app to log in using OAuth2, but I am unable to log the user out using /revoke. The previous two endpoints support CORS, but the /revoke endpoint doesn’t. I tried adding my origin to the Trusted Origins, but that didn’t work. When reading through the CORS docs, it mentions that CORS-enabled APIs and endpoints should be marked with a CORS logo; I haven’t seen this logo used in any of the documentation outside of the CORS docs. The logout token is for the ID token, which is not for the authorization flow. I seem unable to log the user out of the default authorization server. I can clear the information in my app, but Okta is caching the sign-in information. The only way to remove the session is to completely close the browser. This seems like a security flaw. Am I missing something? How do I revoke the token?

Are you getting a CORS error for the /revoke endpoint, or are you getting a different kind of error?

Are you making the /revoke request to the same issuer as in your authorize request, e.g. if you make a request to https://org.okta.com/oauth2/v1/authorize, are you then trying to make a request to https://org.okta.com/oauth2/v1/revoke?

I was getting confused by:

Has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

from the browser. I removed the bearer token from the request and I can make a /revoke call, but this doesn’t stop Okta from auto-logging in the user after it was revoked. How do I clear the saved session information that Okta uses to log in the user?

I figured out how to call /logout by rereading the docs and requesting the openid scope in the /token request. I can successfully call /logout, which logs me out.

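The sign-out sequence the thread arrives at (public client, /revoke without a bearer header, then /logout with the ID token that only exists when the openid scope was requested), written out as an added example that is not code from the original posts or from Okta. ISSUER, CLIENT_ID and the redirect URI are placeholders; the request and URL builders are hypothetical helpers, so the pieces can be checked without a network call.

```javascript
// Added example (not from the thread). Assumptions: ISSUER and CLIENT_ID are
// placeholders, and the app is a public client (no client secret), so /revoke
// gets client_id in the form body and no Authorization header. The bearer header
// is what made the browser preflight the request and fail CORS in the thread.
const ISSUER = "https://example.okta.com/oauth2/v1"; // placeholder issuer
const CLIENT_ID = "YOUR_CLIENT_ID"; // placeholder

// Build the /revoke request: form-encoded POST with the token, a type hint and
// the public client_id. Deliberately no bearer header.
function buildRevokeRequest(issuer, token, tokenTypeHint, clientId) {
  const body = new URLSearchParams({
    token,
    token_type_hint: tokenTypeHint, // "access_token" or "refresh_token"
    client_id: clientId,
  });
  return {
    url: `${issuer}/revoke`,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Build the /logout URL. id_token_hint is the ID token returned by /token, which
// only exists when the "openid" scope was requested; post_logout_redirect_uri
// must be registered on the Okta application.
function buildLogoutUrl(issuer, idToken, postLogoutRedirectUri, state) {
  const url = new URL(`${issuer}/logout`);
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (state) url.searchParams.set("state", state);
  return url.toString();
}

// Full sign-out: revoke the tokens the app holds, drop the local copies, then
// send the browser to /logout so Okta ends its own session. Without the last
// step the next /authorize silently signs the user back in, as seen above.
async function signOut(tokens, postLogoutRedirectUri) {
  const pairs = [["access_token", tokens.accessToken], ["refresh_token", tokens.refreshToken]];
  for (const [hint, value] of pairs) {
    if (!value) continue;
    const { url, options } = buildRevokeRequest(ISSUER, value, hint, CLIENT_ID);
    await fetch(url, options); // /revoke answers 200 even for already-revoked tokens
  }
  sessionStorage.clear(); // or wherever the app cached its tokens
  window.location.assign(buildLogoutUrl(ISSUER, tokens.idToken, postLogoutRedirectUri));
}
```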
