signOut revokeAccessToken endpoint returns a 403

[td-edge]

I've noticed that when I call signOut, that the revokeAccessToken function returns a 403. I do have a cookie in my POST header. I just tried calling the revoke method directly and it produces the same result. I'm running in Chrome with an Angular/Ionic project.

:authority: dev-<ACCOUNT>.oktapreview.com
:method: POST
:path: /oauth2/default/v1/revoke
:scheme: https
accept: application/json
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
authorization: Basic <AUTHORIZATION-TOKEN>
content-length: 879
content-type: application/x-www-form-urlencoded
cookie: <COOKIE>
sid=<SID>
referer: http://localhost:8100/login
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
x-okta-user-agent-extended: okta-auth-js/4.0.1

I am testing this on localhost, but I have CORS enabled within my Okta account. I can't seem to get this to resolve no matter what settings I adjust.

[shuowu]

@td-edge Thanks for reporting the issue! The same one has been tracked in okta/okta-oidc-js#861

[shuowu]

Tracked in okta/okta-oidc-js#861, Close this issue.