Is there a way to restrict users to using only one device at a time? For example, if a user logs in on Device A and then attempts to log in on Device B, they should automatically be logged out from Device A.
I am using a microservices architecture and token-based authentication (specifically the passwordless grant type). Here’s what I am considering as a solution:
- For every user request, decode the ID token to retrieve the session ID. Then, call the Auth0 endpoint to get the session ID and check if it exists. If the session ID is valid, grant permission for the request.
- For every login attempt, check if there are any existing sessions for the user. If there are, delete all previous sessions while keeping only the new session active. I believe this can be achieved using Auth0 Actions.
Please correct me if I am wrong.