I’m testing various conditions with Auth0. I notice that when I do multiple logins (login0, login1, login2) with the same username and password, the returned tokens (token0, token1, token2) all seem to be valid after the three logins are completed. I would assume that creation of token1 would invalidate token0, and creation of token2 would invalidate token1. Is this a setting somewhere, or is a logout required to invalidate a token?
Are you talking about access tokens? If so, they cannot be invalidated. They are designed to be verifiable in isolation, so there is no way to determine that another access token has been created.
Why would you assume only one session exists? I often have multiple sessions open to an app, one on my personal laptop, one on my work laptop, and one on my phone. All are valid.
Say a router has been compromised, and tokens can be collected. They would sort of have the keys at a future point, wouldn’t they?
To address your point, Facebook allows sessions to be terminated by device.