7

I am trying to invoke the GSI JavaScript `google.accounts.oauth2.revoke` method. Under the hood it sends a request to https://oauth2.googleapis.com/revoke. However, there is a CORS issue:

```javascript
await new Promise(r => google.accounts.oauth2.revoke(token, r));
```

```
Access to XMLHttpRequest at 'https://oauth2.googleapis.com/revoke' from origin 'https://localhost:44397' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
```

These are CORS-related response headers:

  • access-control-allow-origin: https://localhost:44397

  • access-control-expose-headers: date,vary,vary,vary,content-encoding,server,content-length

All other functions are working well, however. Is it a bug on Google's side or in my code? If it's Google's, where do I report it? If it's my issue, what did I do wrong?

Luke Vo
  • 1
    Experiencing the same issue. I added "localhost" to "Authorised JavaScript origins" for the oauth app – josias Apr 14 '22 at 07:51
  • 1
    I'm experiencing the same issue also. Even if I added "localhost" with the right port to the "Authorised JavaScript origins" for the oauth of the app, it still doesn't work. – Rozar Fabien Apr 21 '22 at 16:03
  • 1
    Since there seems to be no official response from Google here, I submitted [an issue to Google here](https://github.com/google/google-api-javascript-client/issues/821). – Luke Vo Jun 24 '22 at 17:33
  • Same issue. But regardless, the user is logged out afterwards so not a huge concern – jloh Jul 30 '22 at 12:20
  • When a user logs out, he assumes that the credentials are revoked, so it is a real problem. Once the user logs in again, he is surprised that the app still has unexpected permissions. – Oded Sep 07 '22 at 00:22

1 Answer

0

revoke() should now be working as intended, and expected with CORS.

bdid
  • Can anyone confirm please? Sorry I am not with any project that uses GSI now so I can't confirm – Luke Vo Aug 26 '22 at 03:10
  • Still broken for myself – Oded Sep 07 '22 at 00:20
  • Can you share details of your setup: using http/https, localhost/FQDN. It would also be very helpful to include values of the Access-Control-* headers being used. – bdid Sep 08 '22 at 15:17
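
An added example, not part of the original question or answers and not GSI code: a JavaScript re-implementation of the browser's CORS check from the Fetch standard, run against the response headers quoted in the question. It shows why the credentialed request is blocked while the same response would pass without credentials. The function name `corsCheck` and its parameters are hypothetical.

```javascript
// Added example: the CORS check from the Fetch standard, applied to one response.
// corsCheck() and its parameter names are hypothetical, not part of GSI.
function corsCheck(pageOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive, so normalise them first.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers["access-control-allow-origin"];
  const withCredentials = credentialsMode === "include";

  if (allowOrigin === undefined) {
    return { allowed: false, reason: "Access-Control-Allow-Origin is missing" };
  }
  // A wildcard is only acceptable when no credentials are sent.
  if (!withCredentials && allowOrigin === "*") {
    return { allowed: true, reason: "wildcard origin, credentials not included" };
  }
  // Otherwise the value must match the page origin exactly.
  if (allowOrigin !== pageOrigin) {
    return { allowed: false, reason: `Access-Control-Allow-Origin '${allowOrigin}' does not match '${pageOrigin}'` };
  }
  if (!withCredentials) {
    return { allowed: true, reason: "origin matches, credentials not included" };
  }
  // Credentialed requests also need Access-Control-Allow-Credentials: true (case-sensitive).
  const allowCredentials = headers["access-control-allow-credentials"] ?? "";
  if (allowCredentials === "true") {
    return { allowed: true, reason: "origin matches and credentials are allowed" };
  }
  return { allowed: false, reason: `Access-Control-Allow-Credentials is '${allowCredentials}', must be 'true'` };
}

// Response headers as quoted in the question.
const QUESTION_HEADERS = {
  "access-control-allow-origin": "https://localhost:44397",
  "access-control-expose-headers": "date,vary,vary,vary,content-encoding,server,content-length",
};
const ORIGIN = "https://localhost:44397";

console.log(corsCheck(ORIGIN, "include", QUESTION_HEADERS));     // the XHR from the error message
console.log(corsCheck(ORIGIN, "same-origin", QUESTION_HEADERS)); // same response, no credentials
```

Pasting the `Access-Control-*` headers from the browser's network panel into `QUESTION_HEADERS` reproduces the browser's decision for a given setup.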