Hi, this is my first post.
At the company I’m working at, we are trying to design an auth scheme with auth0. I have a pretty good understanding of the OpenID Connect and OAuth 2.0 standards and have read almost all of the auth0 documentation.
We are trying to make our app single-device (one mobile phone or tablet at a time). For example, if the user is logged in on device A and then logs in on device B, we want device A’s session to be canceled. That means the refresh token device A has shouldn’t be valid anymore. We’d also like to send a push notification to device A (but this is not so important).
I read several posts of people asking for a single-device limit, and the answer has always been to look into rules. I still don’t get how to achieve this just with rules. This is what I have thought of doing:
Create a rule that checks against a DB whether there is a previously created session (haven’t figured out how) for the user on another device and, if that is the case, call /oauth/revoke with the refresh token of that session (which must be saved in my backend, nasty …). My question is: if I call that revoke endpoint, the docs say that all sessions for that user get revoked. Does that include the one that is being created right now? If yes, this is obviously not a solution for me, since it would also be killing the session that triggered the rule, which is the one I want to succeed …
Could someone help me out?
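To make the ordering problem in the question concrete, here is an added example (not from the original post and not auth0 code) of the per-user registry a login hook could consult: it returns the previous device's refresh token identifier so it can be revoked before the new token is issued, and it lets the token endpoint reject any refresh token other than the active device's. `SessionRegistry`, `registerLogin`, `recordRefreshToken` and `isRefreshTokenActive` are hypothetical names; persistence and the actual revoke call are left to the caller.

```javascript
// Added example: in-memory single-device session registry.
// Stores only a refresh token identifier (e.g. its jti or a hash), never
// the token itself, so the backend does not hold a usable credential.
class SessionRegistry {
  constructor() {
    // userId -> { deviceId, refreshTokenId }
    this.active = new Map();
  }

  // Call when a login on deviceId is about to complete. Returns the refresh
  // token id of a *different* device's session that must be revoked, or
  // null. Revoking that token before the new one is issued means the
  // in-flight login is never affected by the revocation.
  registerLogin(userId, deviceId) {
    const prev = this.active.get(userId);
    const toRevoke = prev && prev.deviceId !== deviceId ? prev.refreshTokenId : null;
    this.active.set(userId, { deviceId, refreshTokenId: null });
    return toRevoke;
  }

  // Call once the new refresh token has been issued, so it can be revoked
  // when yet another device logs in later.
  recordRefreshToken(userId, refreshTokenId) {
    const cur = this.active.get(userId);
    if (!cur) {
      throw new Error(`no pending login for ${userId}`);
    }
    cur.refreshTokenId = refreshTokenId;
  }

  // Check at the token endpoint: only the active device's token is accepted,
  // so a stale token from a replaced device fails even if it is still
  // cryptographically valid and not yet expired.
  isRefreshTokenActive(userId, refreshTokenId) {
    const cur = this.active.get(userId);
    return Boolean(cur) && cur.refreshTokenId === refreshTokenId;
  }
}

// Constructed walkthrough: device A logs in, then device B replaces it.
function demo() {
  const registry = new SessionRegistry();
  registry.registerLogin('user-1', 'device-A');   // null: nothing to revoke
  registry.recordRefreshToken('user-1', 'rt-A');
  const revoked = registry.registerLogin('user-1', 'device-B'); // 'rt-A'
  registry.recordRefreshToken('user-1', 'rt-B');
  return { revoked, aActive: registry.isRefreshTokenActive('user-1', 'rt-A') };
}
```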