Second login required when trying to sign_out an active session

What happened?

There is a second login required when calling the sign_out url on an active session.

What did you expect to happen?

Being able to sign out of an active session without having to log in for a second time.

How’d it happen?

My authenticate_service_url is “https://auth.eu.mydomain.com”.
I’m publishing a Web-App on “https://myapp.eu.mydomain.com”.
cookie_domain is set to “.eu.mydomain.com”.
Now if I log in to “https://myapp.eu.mydomain.com”, the session is created correctly. However, calling the frontchannel sign out URL at “https://auth.eu.mydomain.com/.pomerium/sign_out” requires me to log in via Google again before being able to log out.
Once I’ve logged in for the second time and confirmed the logout prompt, all cookies are terminated correctly and I’m signed out for both “https://auth.eu.mydomain.com/” and “https://myapp.eu.mydomain.com/”.
Is there a way to avoid the second login prior to being able to log out?

What’s your environment like?

  • Docker pomerium/pomerium:v0.17.3
  • Ubuntu Host

What’s your config.yaml?

config.yaml

# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/

# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://auth.eu.mydomain.com
authorize_service_url: http://127.0.0.1:5443
default_upstream_timeout: 4000s
timeout_read: 1800s
timeout: 600s
idle_timeout: 4000s

headers:
  Cache-Control: no-cache

IDP_PROVIDER: google
IDP_PROVIDER_URL: https://accounts.google.com
IDP_CLIENT_ID: aaaaaaaaaaaaaa.apps.googleusercontent.com
IDP_CLIENT_SECRET: bbbbbbbbbbbbbb
IDP_SERVICE_ACCOUNT: cccccccccccccc
jwt_claims_headers: "user,email"

cookie_domain: ".mydomain.com"

signing_key: fffffffffffffff=
cookie_secret: ddddddddddddd

# https://www.pomerium.io/configuration/#policy
policy:
  - from: https://myapp.mydomain.com
    to: http://xxxxxx:8080
    allowed_domains:
      - mydomain.com

What did you see in the logs?

redacted log:

redacted chrome har: