
I am trying to call API /v1/revoke from an Angular 6 client with OKTA implicit flow (using library angular-oauth2-oidc). From the sample program, I add a new function revokeToken() as the library doesn't implement a revoke-token function. I include "http://localhost:8080" as a trusted origin but still get the following error:

Access to XMLHttpRequest at 'https://mydevid.oktapreview.com/oauth2/default/v1/revoke' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Here is the setup from OKTA

[Screenshot of the Okta setup; image not included]

Here is my function in an Angular component

revokeToken() {
    const httpOptions = {
      headers: new HttpHeaders()
        .set('accept', 'application/json')
        .set('authorization', 'Basic ' + authConfig2.clientId)
        .set('content-type', 'application/json')
    };

    const body = {
      'token': this.access_token,
      'token_type_hint': 'access_token'
    };

    this.http.post(authConfig2.issuer + '/v1/revoke', body, httpOptions)
      .subscribe(console.log);
}

Could someone advise what I have done wrong or not set up properly?

Thanks.

Zee

1 Answer


revoke is a backend call. You need to call /revoke from the back-end (server). You can test this theory by trying it via Postman and it should work.

Sara
  • Does this mean it's hopeless for a front-end client to invoke /api/revoke? – Zee Mar 05 '19 at 09:08
  • It is designed this way for security reasons, so I would say you should not be able to use the endpoint from the front end. https://developer.okta.com/docs/api/resources/oidc#revoke Okta's APIs are CORS enabled if they have a CORS logo beside the endpoint, i.e. https://developer.okta.com/docs/api/resources/sessions#get-current-session – Sara Mar 10 '19 at 21:34
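
The server-side call the answer describes, written for Node.js as an added example (it is not code from the question, the answer, or the angular-oauth2-oidc library). It assumes Node 18+ for the global `fetch`, a server-side application whose client secret never reaches the browser, and the RFC 7009 request shape; the function names and all credential values are hypothetical.

```javascript
// Added example. Runs on the server (Node.js 18+), never in the browser bundle.
// All credential values passed in are placeholders supplied by the caller.

// Build the revocation request (RFC 7009 shape) without sending it.
function buildRevokeRequest({ issuer, clientId, clientSecret, token,
                              tokenTypeHint = 'access_token' }) {
  if (!token) throw new Error('token is required');
  if (!['access_token', 'refresh_token'].includes(tokenTypeHint)) {
    throw new Error('unsupported token_type_hint: ' + tokenTypeHint);
  }
  // HTTP Basic is base64("client_id:client_secret"), not the bare client id.
  // Assumes neither value contains ':' or characters that need escaping.
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return {
    url: issuer.replace(/\/+$/, '') + '/v1/revoke',
    init: {
      method: 'POST',
      headers: {
        Accept: 'application/json',
        Authorization: 'Basic ' + basic,
        // RFC 7009 specifies a form-encoded body, not JSON.
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: new URLSearchParams({ token, token_type_hint: tokenTypeHint }).toString(),
    },
  };
}

// Send the request. fetchImpl is injectable so the call can be stubbed in tests.
async function revokeToken(params, fetchImpl = fetch) {
  const { url, init } = buildRevokeRequest(params);
  const res = await fetchImpl(url, init);
  // RFC 7009: the server answers 200 even if the token was already invalid.
  if (res.status !== 200) {
    throw new Error('revocation failed: HTTP ' + res.status);
  }
  return true;
}
```

The browser client would hand its token to an endpoint on your own server, and that endpoint would call `revokeToken`, so the cross-origin request to the authorization server never originates from the page.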