FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Invalidating sessions on a per application basis #874

Closed mooreds closed 2 months ago

mooreds commented 3 years ago

Invalidating sessions on a per application basis

Problem

We don’t have a great way to invalidate other sessions right now. For example, if a user wants peace of mind by logging out all other sessions but their active one (or even individual sessions) there is no way for us to do that without tracking all of the access or refresh tokens which is not feasible to do.

Solution

Would be great to be able to invalidate each application's sessions on user request. Would like an API so that we could build it into an application and let users choose to do this themselves.

Alternatives/workarounds

Right now this is possible with the logout endpoint, but that requires knowledge of the refresh or access tokens, both things that we won’t necessarily have access to depending on the app they are logging into (such as a 3rd party app we give OAuth access to integrate with us).

Additional context

Issue originally raised in an email by @plunkettscott

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan commented 3 years ago

I don't know if I understand the use case of this feature. Is this a FusionAuth UI feature, or an API for FusionAuth users to call?

Can we add a use case with a workflow to the problem description?

mooreds commented 3 years ago

@plunkettscott do you have any more context to add?

ishuvalov commented 3 years ago

@robotdan I am thinking about a very common use case: to display to the user all sessions he initiated (logged in) from different devices/browsers. So he or she can decide which of them are legit and invalidate/end suspicious ones. So it would be great to have at least API endpoints for such a task. A UI feature would be nice too.

robotdan commented 3 years ago

@ishuvalov The use case you describe can be accomplished from the API and the UI.

The only state that FusionAuth has is a refresh token. These tokens can be revoked using the Refresh Token API, or in the UI by navigating to Users > Manage > Sessions.

https://fusionauth.io/docs/v1/tech/apis/jwt#revoke-refresh-tokens
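The workflow from the comments above (list a user's sessions, then revoke the ones for every application except the one they are currently using), as an added example that is not FusionAuth project code and was not posted in this thread. It assumes, from my reading of the linked JWT docs rather than from this page, that `GET /api/jwt/refresh?userId=...` lists a user's refresh tokens, that `DELETE /api/jwt/refresh?userId=...&applicationId=...` revokes them for one application, that the API key travels in the `Authorization` header, and that the list response has the shape `{"refreshTokens": [...]}`; the server stand-in, ids and device metadata are constructed so the example runs offline. Since only refresh tokens are server-side state, revocation does not cut short access tokens that were already issued, which is why short access-token lifetimes matter for this feature.

```python
"""Revoke a FusionAuth user's sessions per application via the Refresh Token API.

Added example, not FusionAuth project code.  Assumptions not taken from the page
(check them against https://fusionauth.io/docs/v1/tech/apis/jwt before use):
  * GET    /api/jwt/refresh?userId=<id>                    lists the user's refresh tokens
  * DELETE /api/jwt/refresh?userId=<id>&applicationId=<id> revokes them for one application
  * the API key is sent in the Authorization header
  * the list response looks like {"refreshTokens": [{"id", "applicationId", "userId", ...}]}
Only refresh tokens are revoked; access tokens already issued stay valid until expiry.
"""
from __future__ import annotations

import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlparse
from urllib.request import Request, urlopen

# transport(method, url, headers) -> (status, body); replaced by a fake for the offline demo
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP transport using the standard library (not used by the offline demo)."""
    with urlopen(Request(url, method=method, headers=headers)) as resp:
        return resp.status, resp.read().decode()


class SessionManager:
    def __init__(self, base_url: str, api_key: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.transport = transport

    def _call(self, method: str, params: Dict[str, str]) -> Tuple[int, str]:
        url = f"{self.base_url}/api/jwt/refresh?{urlencode(params)}"
        return self.transport(method, url, {"Authorization": self.api_key})

    def list_sessions(self, user_id: str) -> List[dict]:
        status, body = self._call("GET", {"userId": user_id})
        if status != 200:
            raise RuntimeError(f"listing refresh tokens failed: HTTP {status}")
        return json.loads(body).get("refreshTokens", [])

    def revoke_application_sessions(self, user_id: str, application_id: str) -> bool:
        status, _ = self._call("DELETE", {"userId": user_id, "applicationId": application_id})
        return status == 200


def revoke_other_applications(mgr: SessionManager, user_id: str, current_app: str) -> List[str]:
    """Log the user out of every application except the one in use.
    Returns the application ids whose refresh tokens were revoked."""
    apps = sorted({s["applicationId"] for s in mgr.list_sessions(user_id)} - {current_app})
    return [app for app in apps if mgr.revoke_application_sessions(user_id, app)]


# --- constructed offline stand-in for the server (placeholder ids, not real) ---
USER_ID = "11111111-1111-1111-1111-111111111111"
APP_WEB = "aaaaaaaa-0000-0000-0000-000000000001"
APP_MOBILE = "aaaaaaaa-0000-0000-0000-000000000002"
APP_PARTNER = "aaaaaaaa-0000-0000-0000-000000000003"
API_KEY = "constructed-test-api-key"

SAMPLE_TOKENS = [  # record shape assumed from the docs; device names are made up
    {"id": "t1", "userId": USER_ID, "applicationId": APP_WEB, "metaData": {"device": {"name": "laptop"}}},
    {"id": "t2", "userId": USER_ID, "applicationId": APP_MOBILE, "metaData": {"device": {"name": "phone"}}},
    {"id": "t3", "userId": USER_ID, "applicationId": APP_PARTNER, "metaData": {"device": {"name": "unknown"}}},
]


class FakeFusionAuth:
    """Minimal in-memory imitation of the two assumed endpoints."""

    def __init__(self, tokens: List[dict]):
        self.tokens = [dict(t) for t in tokens]
        self.calls: List[Tuple[str, str]] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        self.calls.append((method, url))
        if headers.get("Authorization") != API_KEY:
            return 401, ""
        params = dict(parse_qsl(urlparse(url).query))
        if method == "GET":
            mine = [t for t in self.tokens if t["userId"] == params["userId"]]
            return 200, json.dumps({"refreshTokens": mine})
        if method == "DELETE":  # no applicationId means "all of this user's tokens"
            self.tokens = [t for t in self.tokens
                           if not (t["userId"] == params["userId"]
                                   and t["applicationId"] == params.get("applicationId", t["applicationId"]))]
            return 200, ""
        return 405, ""


def demo() -> Tuple[List[str], List[str]]:
    """Keep the web session, revoke the rest; return (revoked apps, remaining apps)."""
    fake = FakeFusionAuth(SAMPLE_TOKENS)
    mgr = SessionManager("https://fusionauth.example", API_KEY, transport=fake)
    revoked = revoke_other_applications(mgr, USER_ID, APP_WEB)
    remaining = sorted(s["applicationId"] for s in mgr.list_sessions(USER_ID))
    return revoked, remaining


if __name__ == "__main__":
    print(demo())
```

Swapping `FakeFusionAuth` for `urllib_transport` (and the placeholder base URL and key for real ones) turns the same `SessionManager` into a client for a live instance; the per-application `DELETE` is what lets a user end sessions in a third-party OAuth application without the caller ever holding that application's tokens.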

ishuvalov commented 3 years ago

@robotdan Thank you! This is exactly what I mean.

andrewpai commented 2 months ago

Closing this issue, as we support revocation of individual application refresh tokens via the API (see comment).