Open richard-313 opened 1 year ago
Hello, @s72817,
Have you tried using the device parameter when requesting a token? (I think) this can be validated in subsequent calls, maybe @pesseba can confirm?
Hi @dominic-ks thanks for your reply. I think devices are designed for parallel use:
"This means that a refresh token cannot be shared. To allow multiple devices to authenticate in parallel without losing access after another device re-authenticated, use the parameter device with the device identifier to associate the refresh token only with that device."
I think the (only) possible way is to immediately create a refresh token after login.
Hi @dominic-ks and @s72817, there is a way to block all tokens. This happens when a user resets their password. The function that does this is the private block_all_tokens( $user_id ) in Devices, but you can call the callback for password reset (it will call block_all_tokens):
$user = get_user_by( 'id', 26 ); // get the user you want...
$devices = new \JWTAuth\Devices();
$devices->after_password_reset( $user, '' ); // password-reset callback; it calls block_all_tokens
Hi, I want only one user to be able to use the token. If the same user wants to connect on another device, he has to log in again on this new device. I thought I could do it by resetting or removing all user-related tokens when the user logs in?
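
The behaviour asked for in this thread (a new login invalidates every token issued earlier, so only the most recent device stays authenticated), shown as an added stand-alone example; it is not the plugin's code. The simplified HMAC token format, the in-memory `$generation` store and the function names `login` and `validate` are assumptions made for illustration.

```php
<?php
// Added example, NOT the jwt-auth plugin's implementation. All names are hypothetical.
const SECRET = 'constructed-demo-key'; // constructed sample key, never use a literal in production

// In-memory stand-in for per-user metadata: user id => current token generation.
$generation = [];

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Login: bump the user's generation FIRST (this revokes every older token),
// then issue the new token carrying the new generation.
function login(array &$gen, int $userId, string $device): string {
    $gen[$userId] = ($gen[$userId] ?? 0) + 1;
    $claims  = ['uid' => $userId, 'dev' => $device, 'gen' => $gen[$userId]];
    $payload = b64url(json_encode($claims));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SECRET, true));
}

// Validation: check the signature in constant time, then require that the
// token's generation equals the user's current one.
function validate(array $gen, string $token): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SECRET, true));
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['gen'])) {
        return false;
    }
    return ($gen[$claims['uid']] ?? null) === $claims['gen'];
}

$phone = login($generation, 26, 'phone');    // first device logs in
var_dump(validate($generation, $phone));     // phone token checked while it is the newest
$laptop = login($generation, 26, 'laptop');  // same user logs in on a second device
var_dump(validate($generation, $phone));     // phone token checked again after the new login
var_dump(validate($generation, $laptop));    // laptop token checked
```

Revoking before issuing matters: if the new token were created first and the generation bumped afterwards, the token just handed to the new device would be rejected along with the old ones.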