I’m building a SPA, and I want to limit how many devices can be logged into a single account at any given time. This is a little trickier with JWTs than with cookies, but I think I have a plan that will work based on the Revoke Refresh Tokens reference doc. I’m sharing it here to get feedback and as a reference for anyone else trying to solve the same problem.
Plan
- Configure refresh tokens with a short lifetime such as 15 minutes so that revoked tokens affect the user relatively quickly
- On login, trigger an action which does the following:
Does anyone see any issues with this plan?
Hi @evan.johnston,
This solution sounds good to me. Thank you for sharing this with the Community!
Unfortunately, I haven’t been able to get this working because I can’t find a way to retrieve all of a user’s existing refresh tokens. The /api/v2/device-credentials endpoint does not list refresh tokens issued in the SPA flow, and if there’s another endpoint that does, I haven’t been able to find it.
I haven’t been able to figure out an appropriate workaround so far.
- Revoking tokens pre-login using the /oauth/revoke endpoint won’t work without an existing refresh token. I don’t see a way to revoke tokens from previous sessions without also revoking the token for the current session.
- I thought revoking the application grant pre-login might work, but degrade UX by forcing the user to authorize a new grant on every login. Instead, the grants are auto-authorized (presumably because they’re first-party?), and the SPA is able to login again without the user re-entering their credentials. Because my goal is to deter users from sharing a single account, this doesn’t suit my needs.
- It seems possible that I could configure Auth0 to treat my SPA as a device such that its refresh tokens would be accessible via /api/v2/device-credentials, but this seems like it might be a lot of work and I’m not confident I would be able to do it securely.
Am I missing something? Does anyone have any suggestions?