We have multiple applications that have device flow enabled in our tenant. Is it possible to end a session after the device flow has been successfully completed for a certain application, thereby forcing any next attempt to go through the login flow again?
We only want this behavior for specific applications, not all.
I’ve already looked into rules and actions to send the user to the logout endpoint, but in both cases the redirect happens before the actual device code is validated and this causes the device code to never get validated.
"error_description": "User has yet to authorize device code."
We also don’t want to force login on every device authorization attempt.
An example flow might look like this:
User authenticates with application A; after the flow, the session remains active in their browser. When they again initialize the authorization flow for application A, the same session can be used. Now they start an authorization flow for application B, which will force them to log in again, to allow them to use a different account. This is done by first sending the user to the login page (prompt=login) and then redirecting them to the device activation page. After this flow, they need to be logged out to ensure that, when they attempt to authenticate with application A, they will need to log in again.