- Bug
- Resolution: Done
As part of the specification we have implemented the POST method of RP-Initiated Logout under #12228, and support for it in Keycloak JS was added under #25348. However, when the RP (client) is on a different origin than the OP (OpenID Provider), this method fails, because the POST endpoint does not set the Access-Control-Allow-Origin CORS header that such cross-origin requests require.
Steps to reproduce
I've set up a little project that I use for testing Keycloak and Keycloak JS in cross-origin scenarios which I will use for convenience of reproducing this issue. Follow the steps outlined in the README and then add logoutMethod: 'POST' to the options provided to the init() call to Keycloak JS in src/main.ts.
Proposed solution
When the POST endpoint is called, the Access-Control-Allow-Origin header should be added to the response so that cross-origin requests are allowed. Only the valid web origins configured for the client should ever be allowed. There is already existing code that could be reused for this: the login status iframe needs a similar check.
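A server-side allow-list check of the kind the proposal describes, as an added example that is not Keycloak's own code: it returns CORS headers for a logout POST only when the request's Origin exactly matches one of the client's configured web origins. The function names, the sample origins and the handling of a "*" entry (modelled on Keycloak's web-origins setting) are assumptions.

```javascript
// Added example, not Keycloak code. Decide whether a cross-origin POST to the
// RP-initiated logout endpoint may receive Access-Control-Allow-Origin.
// Assumption: `clientWebOrigins` is the client's configured "Web Origins" list.

function normalizeOrigin(origin) {
  // Re-serialize through URL so "https://app.example.com:443/" and
  // "https://app.example.com" compare equal; reject anything that is not a
  // bare origin (path, query, fragment or credentials present).
  try {
    const u = new URL(origin);
    if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
    return u.origin;
  } catch {
    return null;
  }
}

function corsHeadersForLogout(requestOrigin, clientWebOrigins) {
  if (!requestOrigin) return {}; // no Origin header: same-origin or non-browser caller
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null) return {};
  // Exact match only: a prefix such as https://app.example.com.attacker.test
  // must never be accepted. "*" (assumed wildcard entry) allows any origin.
  const allowed = clientWebOrigins.some(
    (o) => o === "*" || normalizeOrigin(o) === origin
  );
  if (!allowed) return {}; // no header, so the browser blocks the response
  return {
    // Echo the single matched origin rather than "*", and tell caches the
    // response depends on the Origin header.
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
  };
}

// Constructed sample: a client configured with two web origins.
const sampleWebOrigins = ["https://app.example.com", "http://localhost:5173"];
console.log(corsHeadersForLogout("https://app.example.com", sampleWebOrigins));
console.log(corsHeadersForLogout("https://app.example.com.attacker.test", sampleWebOrigins));
```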