Save and show logged in device information for each access token

Hi. I have several first-party applications that interact with my API (e.g. iOS app, Android app, single-page web app), and I also expose my API to third-party applications. I want to implement the following feature:
Show all logged-in devices (i.e. sessions for first-party applications) to the user with information about those devices such as phone model, OS, browser/application name, IP address, last time it was used, etc. (Most often this information is shown on the same page as the “log out from all devices” button.)
When first-party applications call my API, the backend only has the access token provided by the application, but this token lives for a short period of time and I can’t associate that device information with the access token. A better alternative is to associate it with the refresh token since it’s permanent, but applications shouldn’t send refresh tokens to the API as I understand. Taking into account the answer to my previous question I think it could be associated with the grant id that I use to delete a grant, but I don’t know how to get the grant id from the access token.
So how can I bind device info with the tokens provided by Auth0?

Link is to good. Information is correct.

I have to change something on your side, if you don’t mind I will tell you.

1 Like

Does anyone know the solution? I still didn’t figure out how to implement it.

Hey @georgysavva, apologies for the delay coming back to you.

As I said in the other thread, the mechanism for revoking refresh tokens in Auth0 is by deleting a grant.

A grant is a combination of:

  • The application that requested the grant
  • The user that granted the permission
  • The target API (the audience of the token)
  • The scopes (permissions) represented by the grant.

Every time your backend API receives an access token, you get all of the above:

  • The user, in the sub claim
  • The application that requested the grant, in the azp claim (authorized party)
  • The audience (the identifier of the API) in the aud claim.
  • The scopes in the scope claim

Your API could maintain a table of (sub, azp, aud, ip address, device) with “device” being whatever the app sends as a device identifier. This information then could be used to display the list of logged in devices.

Does that help?

Hi. Thanks for the answer. As I understand it, the combination of those fields (app, user, audience, scopes) doesn’t uniquely identify the access token. Let’s imagine the following situation:
The user logged in on two of his mobile phones (Phone 1 and Phone 2) using the first-party iOS application, and he is using the backend API.
So he has two distinct access tokens, one per device. But the fields that you listed will be the same:

  1. It’s the same user.
  2. It’s the same first-party iOS application.
  3. The same backend API.
  4. The same scope, since it’s a first-party application.

And now he is using Phone 1 and wants to log out Phone 2 in particular. Or, for example, he wants to log out all sessions except the current one on Phone 1.
In order to do that I need to add something to the table that you described that will uniquely identify the token. Do you understand what I mean?
Thanks a lot for helping me to figure that out!
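As an added example, not code from this thread or from Auth0, here is the (sub, azp, aud, ip, device) table the answer above describes, fed by the claims an API reads from a verified access token, together with the two-phone scenario from the reply: the device identifier the app sends is the extra column that keeps Phone 1 and Phone 2 apart, while the grant-level view (sub, azp, aud) collapses both phones into one entry. The HS256 signing with a constructed local secret, the `make_demo_token` helper and every claim value are assumptions made so the example runs offline; a production API would validate Auth0’s RS256 tokens against the tenant JWKS instead.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret (assumption): keeps the example self-contained.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Mint a constructed HS256 JWT carrying the claims an Auth0 access token has."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_and_decode(token: str, expected_aud: str, now: Optional[float] = None) -> dict:
    """Check alg, signature, audience and expiry before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # reject alg=none / confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


@dataclass
class DeviceRow:
    sub: str
    azp: str
    aud: str
    scope: str
    device: str  # identifier supplied by the first-party app (hypothetical install id)
    ip: str
    last_seen: float


class DeviceTable:
    """Logged-in device table, keyed on (sub, azp, aud, device) so each device has one row."""

    def __init__(self) -> None:
        self._rows: dict[tuple, DeviceRow] = {}

    def record(self, claims: dict, device: str, ip: str, now: float) -> DeviceRow:
        row = DeviceRow(claims["sub"], claims["azp"], claims["aud"],
                        claims.get("scope", ""), device, ip, now)
        self._rows[(row.sub, row.azp, row.aud, row.device)] = row
        return row

    def devices_for(self, sub: str) -> list[DeviceRow]:
        return sorted((r for r in self._rows.values() if r.sub == sub), key=lambda r: r.device)

    def grants_for(self, sub: str) -> set[tuple]:
        """Grant-level view, (sub, azp, aud) only: the granularity Auth0 can revoke."""
        return {(r.sub, r.azp, r.aud) for r in self._rows.values() if r.sub == sub}


def two_phone_scenario(now: float = 1_700_000_000.0) -> tuple[int, int]:
    """Same user, same iOS app, same API and scope on two phones; returns (devices, grants)."""
    base = {"sub": "auth0|user1", "azp": "ios-app-client-id", "aud": "https://api.example",
            "scope": "openid profile", "iat": now, "exp": now + 3600}  # constructed claims
    table = DeviceTable()
    for device, ip in (("phone-1", "203.0.113.10"), ("phone-2", "198.51.100.7")):
        claims = verify_and_decode(make_demo_token(base), "https://api.example", now=now)
        table.record(claims, device=device, ip=ip, now=now)
    return len(table.devices_for(base["sub"])), len(table.grants_for(base["sub"]))


if __name__ == "__main__":
    print(two_phone_scenario())  # (2, 1)
```

The `(2, 1)` result is the gap the thread identifies: the API can list and distinguish two devices only because the app contributes its own device identifier, while the grant Auth0 lets you delete covers both rows at once.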

Hi @georgysavva.
Note that you can invalidate refresh tokens, not access tokens. Access tokens will simply expire, and the app trying to use a refresh token to renew the access token will find that it’s no longer valid.

I understand what you mean, and unfortunately there is no built-in feature to help with this use case. You can only go to the “app” (client_id) level, but not to different devices. This could be a great feature request for Auth0.

Thanks for the answer, now I get it. I will submit a feature request.

2 Likes

Thanks a lot for that @georgysavva!