Restrict multiple devices for a user

Is there a way to restrict users to use only one device at a time? For example, if a user logs in on Device A and then attempts to log in on Device B, they should automatically be logged out from Device A.

I am using a microservices architecture and token-based authentication (specifically the passwordless grant type). Here’s what I am considering as a solution:

  1. For every user request, decode the ID token to retrieve the session ID. Then, call the Auth0 endpoint to get the session ID and check if it exists. If the session ID is valid, grant permission for the request.

  2. For every login attempt, check if there are any existing sessions for the user. If there are, delete all previous sessions while keeping only the new session active. I believe this can be achieved using Auth0 Actions.

Please correct me if I am wrong.
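A runnable sketch of the two checks described in the post, added here as an example rather than anything from Auth0 or the original thread. It assumes an in-memory registry in place of a shared store and a constructed HS256 signing key so the token check runs offline; Auth0 ID tokens are normally RS256-signed, so in practice `verify_and_decode` would be your JWT library validating against the tenant's JWKS. Whatever `login` returns as the previous sid is what step 2 would revoke at the identity provider.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-key"  # stand-in for the IdP signing key (constructed)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(sub: str, sid: str, key: bytes = SECRET, ttl: int = 3600) -> str:
    """Mint a constructed HS256 ID token carrying the subject and session id ('sid')."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "sid": sid, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_and_decode(token: str, key: bytes = SECRET) -> dict:
    """Check signature, algorithm and expiry before trusting any claim (never decode blindly)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

class SessionRegistry:
    """Service-side record of the one session allowed per user (in-memory; use a shared store in practice)."""
    def __init__(self):
        self._active = {}  # sub -> currently valid sid

    def login(self, sub: str, sid: str):
        """Step 2: a new login replaces the previous session; returns the sid to revoke at the IdP."""
        previous = self._active.get(sub)
        self._active[sub] = sid
        return previous

    def is_current(self, sub: str, sid: str) -> bool:
        return self._active.get(sub) == sid

def authorize(token: str, registry: SessionRegistry, key: bytes = SECRET) -> bool:
    """Step 1: verify the ID token, read its sid, and allow only the user's active session."""
    try:
        claims = verify_and_decode(token, key)
    except ValueError:
        return False
    return registry.is_current(claims["sub"], claims["sid"])
```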

Hi @thushalya

Welcome to the Auth0 by Okta Community!

Auth0 does not natively support limiting the number of sessions at the moment. I’ve checked internally and there is an existing backlog item to implement this feature.

However, the following information can help in your custom approach.

Hope this helps!
