When I logout the user in my application with Google IAP authentication by visiting the /_gcp_iap/clear_login_cookie the user is prompted to the Google account selection page, but if I open a new tab and visit my website, the user is still logged in.
Any chances I am missing something?
Clearing the cookie does not change the fact that the user is still logged into Google Accounts. When the user goes to your website again, opens a new tab, etc. the user is still authenticated with Google and therefore is still authenticated with Google IAP. When a user is authenticated with their Google Account, they are authenticated will all services that use that identity provider for authentication.
The solution is to logout the user from their Google Account, but this affects all sites/accounts and not just your site. This is a bit draconian for most users. Maybe a better choice is to not offer the ability to logout of your site since you do not control the authentication (login/logout) process.
Google has an issue tracker for this item: