Elyas Esna

Reputation: 635

How to close activated sessions and force the user to re-enter his credentials in IdentityServer4?

One user can log in through multiple systems with various IP addresses, so is there any way to deactivate one of his sessions (or all other sessions except the currently logged-in one)? If yes, how? What I want to do is exactly like Telegram, where you are able to close any of your activated sessions.

Upvotes: 1

Views: 759

Answers (1)

d_f

Reputation: 4869

The question is not new here; it appears a couple of times a month in different interpretations, and the answer is still: there is no such feature out of the box, but there are a couple of approaches:

The first one is to use Reference Tokens (instead of the default JWT), then look through the persisted grants database and log out all the sessions for the target userId.

The other approach is to implement your custom session store based on a database (instead of the default cookie-based one). Then you again have access to all the clients logged in with the given user id. Here is my old (but still valid) example of a hybrid (cookie + IDistributedCache such as Redis) extension for the DefaultUserSession. Here you have to be careful with the access token lifetime (make it reasonably short), as a JWT, once issued, cannot be invalidated before its normal expiration.

Upvotes: 2
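A sketch of the first approach from the answer above, added here as an illustration and not taken from the answer or from the IdentityServer4 project. It assumes the IdentityServer4 4.x packages (where `PersistedGrantFilter` and `PersistedGrant.SessionId` exist), clients configured with `AccessTokenType = AccessTokenType.Reference`, and a hypothetical class name `OtherSessionRevoker`.

```csharp
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Services;
using IdentityServer4.Stores;

// Hypothetical helper (not part of IdentityServer4): removes the persisted
// grants of every session of a user except the one making the request.
public class OtherSessionRevoker
{
    private readonly IPersistedGrantStore _grants;
    private readonly IUserSession _userSession;

    public OtherSessionRevoker(IPersistedGrantStore grants, IUserSession userSession)
    {
        _grants = grants;
        _userSession = userSession;
    }

    // Returns the number of other sessions whose grants were removed.
    public async Task<int> RevokeOtherSessionsAsync(string subjectId)
    {
        // Session id (sid) of the caller's current login; this one is kept.
        var currentSid = await _userSession.GetSessionIdAsync();

        // Reference tokens, refresh tokens and consents stored for this user.
        var grants = await _grants.GetAllAsync(
            new PersistedGrantFilter { SubjectId = subjectId });

        // Grants without a session id cannot be tied to a login and are
        // left alone here.
        var otherSids = grants
            .Select(g => g.SessionId)
            .Where(sid => !string.IsNullOrEmpty(sid) && sid != currentSid)
            .Distinct()
            .ToList();

        foreach (var sid in otherSids)
        {
            // Once the grant row is gone, introspection of the matching
            // reference token fails and refresh tokens stop working.
            await _grants.RemoveAllAsync(
                new PersistedGrantFilter { SubjectId = subjectId, SessionId = sid });
        }

        return otherSids.Count;
    }
}
```

Removing grants cuts off API access and token refresh for those sessions; the login cookie held by the other browsers is only invalidated when sessions are stored server-side, as in the second approach.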
