CORS issue while logging out from OAuth2/OIDC provider configured in Spring

[tamasmak]

Describe the bug

A CORS issue happens in the preflight request when using a fetch request while logging out from OAuth2/OIDC provider configured in Spring.
An example of the issue:

Access to fetch at 'https://keycloak.local.com/realms/test-app/protocol/openid-connect/logout?id_token_hint=...&post_logout_redirect_uri=https://vaadinapp'
(redirected from 'https://vaadinapp/logout') from origin 'https://vaadinapp/' has been blocked by CORS policy: Request header field x-csrf-token is not allowed by Access-Control-Allow-Headers in preflight response.

1. Hilla’s Authentication.logout method triggers a fetch request to /logout (Spring’s default logout handler) setting Spring’s CRSF token
2. Spring’s /logout handler redirects to the provider's RP-Initiated logout endpoint (different host) and the preflight request fails since the custom x-csrf-token header is not allowed by the provider.

Expected-behavior

The application should be redirected to the expected logout success URI without issues.
Could the fetch request handle the redirect and redirect the user to the provider's RP-Initiated logout endpoint?

Reproduction

1. Setup an OAuth2/OIDC provider for authentication for a Hilla application (e.g. using Keycloak)
2. Use the logout() method to logout the user

import { useAuth } from './auth';
const { logout } = useAuth();
<Button onClick={async () => logout()}>Sign out</Button>

System Info

Hilla 24.5.0

[platosha]

The default logout() implementation is specific to Spring Security form login. In OIDC provider case, it does not work.

What we need for the logout button is a navigation to the provider's logout page.

[platosha]

We could make logout always make a form-submitting HTML navigation to the specified URL instead of fetch. Full page reload is needed anyway.