From the information provided it seems the issue is that you’re trying to call the logout endpoint using XHR which would indeed be subject to CORS. Given that the server side implementation of your logout endpoint issues an HTTP redirect the browser, then as part of the XHR response handling the browser will try to follow the redirect and this ultimately leads to the CORS issue.
I’m afraid that the above is mostly expected as the logout endpoint expectations is that it will be called as part a regular top-level window navigation which would not be subject to CORS.
In other words, you should not call your own logout endpoint through XHR and instead perform a regular navigation to its URL. The response will then issue the redirect to Auth0, terminate the session and navigate back to your application (
returnTo parameter). In this flow you will not have any CORS issue because the way you perform the requests won’t be subject to the browser CORS policy.