Second login required when trying to sign_out an active session

What happened?

There is a second login required when calling the sign_out url on an active session.

What did you expect to happen?

Being able to sign out of an active session without having to log in for a second time.

How’d it happen?

My authenticate_service_url is “”.
I’m publishing a Web-App on “”.
cookie_domain is set to “”.Now if i log in to", the session is created correctly. However calling the frontchannel sign out url at “” requires my to log in via Google again before being able to log out.
Once i’ve logged in for the second time and confirm the logout prompt, all cookies are terminated correctly and i’m signed out for both “” and “”.
Is there a way to avoid the second login prior to being able to logout?

What’s your environment like?

  • Docker pomerium/pomerium:v0.17.3
  • Ubuntu Host

What’s your config.yaml?


# See detailed configuration settings :

# this is the domain the identity provider will callback after a user authenticates
default_upstream_timeout: 4000s
timeout_read: 1800s
timeout: 600s
idle_timeout: 4000s

  Cache-Control: no-cache

IDP_CLIENT_SECRET: bbbbbbbbbbbbbb
IDP_SERVICE_ACCOUNT: cccccccccccccc
jwt_claims_headers: "user,email"

cookie_domain: ""

signing_key: fffffffffffffff=
cookie_secret: ddddddddddddd

  - from:
    to: http://xxxxxx:8080

What did you see in the logs?

redacted log:

redacted chrome har: