At the company I work for, we are trying to design an auth scheme with Auth0. I have a pretty good understanding of the OpenID Connect and OAuth 2.0 standards and have read almost all of the Auth0 documentation.
We are trying to make our app single-device (one mobile phone or tablet) at a time. For example, if the user is logged in on device A and then logs in on device B, we want device A's session to be cancelled. That means the refresh token device A holds should no longer be valid. We'd also like to send a push notification to device A (but this is not so important).
I read several posts of people asking for a single-device-only setup, and the answer has always been to look into rules. I still don't get how to achieve this just with rules. This is what I have thought of doing:
Create a rule that checks against a DB whether there is a previously created session (haven't figured out how) for the user on another device and, if so, calls /oauth/revoke with the refresh token of that session (which must be saved in my backend, nasty …). My question is: if I call that revoke endpoint, the doc says that all sessions for that user get revoked. Does that include the one being created right now? If so, this is obviously not a solution for me, since it would also kill the session that triggered the rule, which is the one I want to succeed …
Welcome and thank you for posting in Auth0 Community! @lucasgranade
To revoke access for the refresh_token after a user changes device, you can use a call to the Management API; this call would be made from your backend, for example:
You need to delete the associated "device credentials" entity in Auth0. To do that, you're going to want to first call GET /api/v2/device-credentials, passing the associated user_id and client_id and a type param value of refresh_token. This will probably return just one device, but perhaps multiple if, for example, you have both an iOS and an Android app. You'll then want to enumerate the devices returned here and perform a DELETE /api/v2/device-credentials/{id} for each. This will remove the device and invalidate any associated refresh tokens.
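The two-step procedure in the answer above (list the user's refresh-token device credentials, then delete each one), as an added example that is not code from Auth0 or from the original thread. It assumes a Management API token with permission to read and delete device credentials, that the GET response items carry `id` and `device_id` fields (`device_id` is an assumed field name used to spare the device that just logged in), and that DELETE answers 204 or 200. The `FakeManagementApi` class and the sample credential records are constructed for the example so it runs offline; `urllib_transport` is the real transport you would pass instead.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers) -> (http_status, decoded JSON body or None)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Optional[object]]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, Optional[object]]:
    """Real transport for a backend: sends the request with the standard library."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def list_refresh_token_credentials(transport: Transport, domain: str, mgmt_token: str,
                                   user_id: str, client_id: str) -> List[dict]:
    """Step 1 of the answer: GET /api/v2/device-credentials filtered to refresh tokens."""
    query = urllib.parse.urlencode({"user_id": user_id, "client_id": client_id, "type": "refresh_token"})
    url = f"https://{domain}/api/v2/device-credentials?{query}"
    status, body = transport("GET", url, {"Authorization": f"Bearer {mgmt_token}"})
    if status != 200 or not isinstance(body, list):
        raise RuntimeError(f"unexpected response listing device credentials: {status}")
    return body


def revoke_other_devices(transport: Transport, domain: str, mgmt_token: str, user_id: str,
                         client_id: str, keep_device_id: Optional[str] = None) -> List[str]:
    """Step 2: DELETE every refresh-token credential, optionally sparing the new device.

    keep_device_id addresses the poster's worry about killing the session that is
    being created: pass the device_id (assumed field) of the device that just logged in.
    """
    headers = {"Authorization": f"Bearer {mgmt_token}"}
    deleted: List[str] = []
    for cred in list_refresh_token_credentials(transport, domain, mgmt_token, user_id, client_id):
        if keep_device_id is not None and cred.get("device_id") == keep_device_id:
            continue  # this is the device that just logged in; leave its refresh token valid
        url = f"https://{domain}/api/v2/device-credentials/{urllib.parse.quote(cred['id'], safe='')}"
        status, _ = transport("DELETE", url, headers)
        if status not in (200, 204):
            raise RuntimeError(f"failed to delete device credential {cred['id']}: {status}")
        deleted.append(cred["id"])
    return deleted


class FakeManagementApi:
    """Constructed in-memory stand-in for the two endpoints so the example runs offline."""

    def __init__(self, credentials: List[dict]):
        self.credentials = {c["id"]: dict(c) for c in credentials}

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, Optional[object]]:
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": "missing bearer token"}
        parsed = urllib.parse.urlparse(url)
        if method == "GET" and parsed.path == "/api/v2/device-credentials":
            q = urllib.parse.parse_qs(parsed.query)
            want = {k: q[k][0] for k in ("user_id", "client_id", "type") if k in q}
            matches = [c for c in self.credentials.values() if all(c.get(k) == v for k, v in want.items())]
            return 200, matches
        prefix = "/api/v2/device-credentials/"
        if method == "DELETE" and parsed.path.startswith(prefix):
            cred_id = urllib.parse.unquote(parsed.path[len(prefix):])
            return (204, None) if self.credentials.pop(cred_id, None) else (404, None)
        return 404, None


# Constructed sample records (not real Auth0 data): one user with an old and a new device,
# another user's credential, and a public_key credential that the type filter must skip.
SAMPLE_CREDENTIALS = [
    {"id": "dcr_ios_old", "device_id": "device-A", "device_name": "iPhone",
     "type": "refresh_token", "user_id": "auth0|alice", "client_id": "mobile-app"},
    {"id": "dcr_android_new", "device_id": "device-B", "device_name": "Pixel",
     "type": "refresh_token", "user_id": "auth0|alice", "client_id": "mobile-app"},
    {"id": "dcr_other_user", "device_id": "device-C", "device_name": "iPad",
     "type": "refresh_token", "user_id": "auth0|bob", "client_id": "mobile-app"},
    {"id": "dcr_pubkey", "device_id": "device-A", "device_name": "iPhone",
     "type": "public_key", "user_id": "auth0|alice", "client_id": "mobile-app"},
]


def demo() -> Tuple[List[str], List[str]]:
    """Alice logs in on device-B: revoke everything else of hers, keep device-B's token."""
    api = FakeManagementApi(SAMPLE_CREDENTIALS)
    deleted = revoke_other_devices(api, "example.auth0.com", "FAKE_MGMT_TOKEN",
                                   "auth0|alice", "mobile-app", keep_device_id="device-B")
    return deleted, sorted(api.credentials)


if __name__ == "__main__":
    print(demo())
```

Calling `revoke_other_devices` without `keep_device_id` reproduces the answer literally and deletes every refresh-token credential the user has for that client, including the one for the device that just logged in; the backend would then have to issue the new device a fresh refresh token after revocation, which is why the example keys the exception on the new device instead.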
I don't want to second-guess you or anything; this is me just trying to understand. It feels like those endpoints are related only to the Device Authorization Flow, which is when you are giving credentials to the device on behalf of the user, which is not what I'm doing. I might be wrong, just making sure.
What you're looking for seems to be a session management API, which isn't directly related to tokens or token revocation (as you pointed out correctly).
Auth0 doesn't have a session management API yet, but it's on the roadmap and should be available this year (no guarantees, and I can't give an ETA). But as you noted from other forum posts, there's demand for it, and as such the product team has it on its radar.
I have a similar requirement of terminating "old" sessions if a new login comes in from a different device/browser.
Has this been fixed (a session management API), or is there a work-around for it?