Salim R

Reputation: 343

WSO2 Identity Server: how to limit active sessions to one session only, and internally invalidate other active sessions

I want to limit active users to one user; I'm using a service provider with OAuth 2.0. The solution provided in the WSO2 documentation doesn't fit my requirement: I don't want to show active sessions and let the user terminate them manually, I want to terminate the other active sessions for the same user internally and let the user log in again.

Also note that I'm not using SAML; I'm using a simple OAuth 2.0 service provider with a JWT as the access token.

Is it feasible to limit active sessions to one per user?

Thank you,

WSO2 Identity Server: 5.9.0; docs: https://is.docs.wso2.com/en/latest/learn/limiting-active-user-sessions-based-on-criteria/#!

Upvotes: 0

Views: 296

Answers (1)

Sajith

Reputation: 1269

This can be achieved with adaptive scripts: use the getUserSessions function to get all the active sessions for the current user, then invoke the terminateUserSession function for each of the existing sessions to terminate them.

Example script:

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function(context) {
            var user = context.currentKnownSubject;
            // All sessions currently active for the user who just authenticated.
            var sessions = getUserSessions(user);
            // Terminate each of them so that only the login in progress remains.
            for (var i = 0; i < sessions.length; i++) {
                // Log.info("Terminating session: " + sessions[i].id);
                terminateUserSession(user, sessions[i].id);
            }
        }
    });
};

One catch is that it will terminate the current session as well if you SSO into the same session later, because currently there is no way to identify the current session and avoid terminating it. Ref.

More information can be found in the documentation.

Upvotes: 1
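An added illustration of the script's effect, not the poster's code and not WSO2's adaptive-script runtime: an in-memory stand-in for getUserSessions/terminateUserSession with the same terminate-everything loop, showing that the user's current SSO session is swept away along with the rest while other users' sessions are untouched. The session object fields (id, user) and the store itself are assumptions made for the mock.

```javascript
// Mock of the session store and of the two adaptive-script functions the
// answer relies on (assumed shapes, not the WSO2 implementation).
function makeSessionStore(sessions) {
  // sessions: constructed sample data, e.g. { id: "s1", user: "alice" }
  const store = new Map(sessions.map((s) => [s.id, { ...s }]));
  return {
    // Stand-in for getUserSessions(user): every live session of this user.
    getUserSessions(user) {
      return [...store.values()].filter((s) => s.user === user);
    },
    // Stand-in for terminateUserSession(user, sessionId): true when removed.
    terminateUserSession(user, sessionId) {
      const s = store.get(sessionId);
      if (!s || s.user !== user) return false;
      store.delete(sessionId);
      return true;
    },
    liveSessionIds() {
      return [...store.keys()].sort();
    },
  };
}

// Same logic as the answer's onSuccess handler: terminate every session the
// store holds for the authenticated user. Returns the terminated ids so the
// effect can be checked rather than only logged.
function terminateAllUserSessions(env, user) {
  const terminated = [];
  const sessions = env.getUserSessions(user);
  for (let i = 0; i < sessions.length; i++) {
    if (env.terminateUserSession(user, sessions[i].id)) {
      terminated.push(sessions[i].id);
    }
  }
  return terminated.sort();
}

// Constructed sample: alice has two sessions, one of which ("a-current") is
// the SSO session her new login rides on; bob's session must be untouched.
function demo() {
  const env = makeSessionStore([
    { id: "a-old", user: "alice" },
    { id: "a-current", user: "alice" },
    { id: "b-1", user: "bob" },
  ]);
  const terminated = terminateAllUserSessions(env, "alice");
  // Both of alice's sessions go, the current one included (the answer's catch).
  return { terminated, remaining: env.liveSessionIds() };
}
```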
