-
Notifications
You must be signed in to change notification settings - Fork 232
CORS error while longing out using authService.logout("/") #861
Comments
@mmoroppa Thanks for reporting the issue. In the |
@mmoroppa I failed to reproduce the issue with the custom-signin sample (https://github.com/okta/samples-js-react/tree/master/custom-login) with the dependencies provided in this issue. One suggestion I can think of is to clear the localStorage as stale data from other port may affect how the app works. |
We are having a similar issue but with Angular - POSTS to the /revoke endpoint, returns a 401 but the body is {"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."} |
@dougse |
I'm also experiencing a similar issue. It appears to be a regression -- this was working fine in 3.0.2. Looking in console it looks like the POST to https://{OKTADOMAIN}.okta-emea.com/oauth2/v1/revoke is returning a 403. Calling authService.logout("/") a second time seems to work. |
@andredigenova I cannot reproduce your issue with @okta/[email protected] and @okta/[email protected]. |
To correct here, revoke an invalid token will return 200 per https://developer.okta.com/docs/guides/revoke-tokens/overview/ |
I still have the CORS issue, Is there any specific configuration the auth server should have? |
@mmoroppa CORS issue may happen if you have an incorrect issuer, are you seeing the issue for logout only, or it also happens for login? |
@mmoroppa not sure if this comment help: #753 (comment) |
@shuowu It happens only on the logout. Regarding the comment you mentioned, I don't see what could be missing, because the client authentication is done on the same server when the user logs in. And if there is a miss configuration I'm guessing there should be a 40X answer instead of a CORS right? |
@mmoroppa Right, since CORS error is misleading in the SDKs sometime, just want to see if they are relevant. If you can reach out to our support team at [email protected] you can share details of your configuration and they can help us find out what is happening. |
@shuowu cleared localStorage, logged in and hit logout and issue persists. It calls revoke which returns a 403. Looking at the request, I don't see any scope information in the request. It only contains token_type_hint and token in the payload and an authorization header. If I call authService.logout a second time it behaves as expected but doesn't send a second revoke. It just clears local login state. |
@andredigenova Thanks for bringing this to our attention. We believe we have identified a flaw which is causing this CORS failure for token revoke. We are working on getting this issue fixed as quickly as possible. We will update this issue with further status as it becomes available. Thanks again. |
Internal ref: OKTA-323565 |
I faced this issue when I passed incorrect values into <Security, once I fixed that this issue resolved. |
Just an update -- I've tracked down my particular issue to problem on the client's network infrastructure that is causing the revoke request to become malformed. My issue is separate from the original poster's. Sorry for the red herring! |
Currently experiencing this in my application. On logout, I get the CORS error and the following error in my console:
|
It seems indeed a regression. I have a repository working fine with 3.1.4 and another failing with 3.2.3. |
@sseidel16 - We remain unable to duplicate this issue. Can you (using the network dev tool in your browser):
You can reach out to our support team at [email protected] if you want to be able to share details outside of a public forum. |
@swiftone just to let you know that we were also seeing exactly what @sseidel16 was seeing. We upgrade to 3.2.3 and see the CORS error without changing our implementation in any way. However, this morning, without making any changes, I am now able to successfully call |
@swiftone - The POST request does contain the correct auth header, but that never actually gets fired, because the preflight OPTIONS request (this request does not include the auth header since no preflight requests include it) does not come back with the proper response headers. @nryoung mine does not seem to be working.. Maybe I need to wait another day :P |
I think I found the root of my issue. The older version seems to be calling only GET /v1/logout, and never posting to /v1/revoke. The older version does not require adding anything to trusted origins to work, and I did not add all origins. The newer version making the POST seems to need to have it added to trusted origins. Once I add, it works fine. Is this expected behavior? @nryoung what do your trusted origins look like? |
Hello, I'm getting this issue too using From console I only see a first POST /oauth2/v1/revoke attemp directly blocked without any http status code plus
But just after a successful HTTP OPTIONS /oauth2/v1/revoke call in code 200. |
@ahmet2mir - Thanks for the question, can you clarify a few parts for me:
Which browser? usually "blocked" without a status code results from a browser trying multiple identical calls, in which case the browser interrupts the earlier call, but permits the final call to attempt. Are you seeing multiple calls to /oauth2/v1/revoke? If so, what is the result for each?
Are there any CORS headers (example: Access-control-allow-origin) in the headers of the response to that OPTIONS call? Lastly, do you have your domain (and port) listed in the Okta console with Trusted Origins, with the CORS box checked? See the guide that starts here: https://developer.okta.com/docs/guides/enable-cors/overview/ and click through to the following pages to see the steps to enable/confirm this setting. |
@ahmet2mir - one more follow-up: Are you using an Org auth server or a custom authorization server (/oauth2/default) as your issuer? It may be that using an org auth server encounters this problem. (Note the confusing name choice where a custom authorization server may be called "default") |
Damn, I completly missed this part, thank you @swiftone very much for your quick answer, it works! |
I ran into this too, and fixed it by adding to trusted origins. I was confused because I'd listed my domain for my app (as both callback and logout URLs), but hadn't updated the trusted origin. |
I get the CORS error if I manually trigger a POST /logout call using axios or fetch. However, if I trigger the /logout call via a form submit event, the CORS error does not show up. This seems to be because the form submit event bypasses CORS checks through some header attributes, but the same headers are not supported through Axios or Fetch. |
@priyath - fetch/axios will not send any cookies by default. For fetch() you will want to pass the option The CORS error is actually misleading - you are getting an error because of the missing cookie, and the error response from Okta doesn't include the CORS headers, so the browser shows a CORS error message. However, if you send the cookie, you don't get the error path on the Okta side, and the response will include the CORS headers, so the browser doesn't show the CORS error message, but CORS is not actually the problem. Telling fetch/axios to send the cookies (with the above option) should fix things for you. |
@swiftone Thank you for the response. Unfortunately, this did not work for me. I still get the cors on the browser's console when my client app requests the POST /logout endpoint registered by the OIDC middleware. The event sequence is similar to this:
However, if I trigger the POST logout call via a form submit event everything works as expected because the CORS check is bypassed due to the I have updated the trusted origins on the okta server with the correct URLs. For reference this is my initial axios call:
|
I'm submitting this issue for the package(s):
I'm submitting a:
Current behavior
After updating okta-auth-js from v3.1.1 to v3.2.3 I get the following CORS error when I try to logout using
authService.logout("/") or authService.logout("/")
Access to XMLHttpRequest at 'https://(host).oktapreview.com/oauth2/(server)/v1/revoke' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I have no other CORS error while signing in or fetching the profile.
Expected behavior
I should be able to logout without CORS errors
Minimal reproduction of the problem with instructions
Just try to authService.logout("/")
Environment
node -v
): 12.17.0The text was updated successfully, but these errors were encountered: