What happened?
We have a web application using Node.js (backend) and React (frontend), and handling authentication via Azure AD and Pomerium (acting as reverse proxy + auth middleware).
Auth Flow Setup:
- Frontend uses React and calls backend APIs.
- Azure AD handles authentication.
- Pomerium is integrated to enforce auth via Azure AD and manage sessions.
- After successful login, Pomerium sets authentication cookies.
Problem:
When a user logs out, we:
- Clear the local session/token in our React/Node app.
- Redirect to /.pomerium/sign_out.
However, the Pomerium authentication cookies remain valid, meaning:
- The user can still access APIs directly (via curl/postman) if they reuse the Pomerium cookie.
We tried triggering the frontchannel logout via:
https://<pomerium-domain>/.pomerium/sign_out
But it fails with an “invalid CSRF token” error, and the cookie persists.
What we’ve tried:
- Manually clearing localStorage/sessionStorage in React.
- Sending a GET/POST to Pomerium logout endpoint.
- Trying to include CSRF tokens (but not sure how to get them securely).
What did you expect to happen?
On logout, Pomerium token cookies should be invalidated.
What’s your environment like?
- Pomerium version (retrieve with pomerium --version): v0.16.4
- Server Operating System/Architecture/Cloud: Azure
Questions:
- How can we completely log out a user, including clearing Pomerium cookies?
- What is the correct flow to call Pomerium’s logout endpoint? Do we need to include CSRF tokens from somewhere?
- Is there a recommended way to trigger logout across Azure AD, our app, and Pomerium to ensure sessions are invalidated across the board?
Any insights or working examples would be appreciated!