usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/

How can I reset / remove token from user? #102

Open s72817 opened 1 year ago

s72817 commented 1 year ago

Hi, I want only one user to be able to use the token. If the same user wants to connect on another device, he has to re-login on this new device. I thought I could do it by resetting or removing all user-related tokens when the user logs in?

dominic-ks commented 1 year ago

Hello, @s72817,

Have you tried using the device parameter when requesting a token? (I think) this can be validated in subsequent calls; maybe @pesseba can confirm?

s72817 commented 1 year ago

Hi @dominic-ks thanks for your reply. I think devices are designed for parallel use:

"This means that a refresh token cannot be shared. To allow multiple devices to authenticate in parallel without losing access after another device re-authenticated, use the parameter device with the device identifier to associate the refresh token only with that device."

I think the (only) possible way is to immediately create a refresh token after login.

pesseba commented 1 year ago

Hi @dominic-ks and @s72817, there is a way to block all tokens. This happens when a user resets their password. The function that does this is the private block_all_tokens( $user_id ) in Devices, but you can call the callback for password reset (it will call block_all_tokens):

// Get the user whose tokens you want to block (user ID 26 here).
$user = get_user_by( 'id', 26 );
// Devices::after_password_reset() is the public callback that calls the private block_all_tokens().
$devices = new \JWTAuth\Devices();
$devices->after_password_reset( $user, '' );
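As an added example (not code from the jwt-auth project or from anyone in this thread), here is how the callback pesseba names could be wired up to enforce the "one device per user" policy the issue asks for: every token the user already holds is revoked at the moment a new one is issued. The hook name `jwt_auth_payload` and its `( $payload, $user )` argument order are assumptions and must be checked against the installed plugin version.

```php
<?php
/**
 * Added example, not plugin code: revoke all of a user's existing JWTs
 * whenever that user obtains a new token, so only the most recent login
 * stays valid. Drop the file into wp-content/mu-plugins/.
 *
 * Assumptions (verify against your jwt-auth version):
 *  - 'jwt_auth_payload' is a filter applied to the token payload BEFORE it
 *    is signed, with arguments ( $payload, $user ). Revocation has to run
 *    before signing: block_all_tokens() is timestamp based, so calling it
 *    after the new token exists would revoke that token too.
 *  - A token whose "iat" equals the revocation timestamp is still accepted
 *    by the plugin's validation; test one login before relying on this.
 */

add_filter( 'jwt_auth_payload', 'single_device_revoke_previous_tokens', 10, 2 );

/**
 * @param array   $payload Token payload about to be signed (passed through unchanged).
 * @param WP_User $user    User the token is being issued for.
 * @return array
 */
function single_device_revoke_previous_tokens( $payload, $user ) {
	if ( ! ( $user instanceof WP_User ) || ! class_exists( '\JWTAuth\Devices' ) ) {
		return $payload; // Nothing to do without a user or the plugin's Devices class.
	}

	// Same path the plugin takes on password reset: the public callback
	// after_password_reset() invokes the private block_all_tokens( $user_id ).
	$devices = new \JWTAuth\Devices();
	$devices->after_password_reset( $user, '' );

	// Leave the payload as-is; the new token is signed after this filter.
	return $payload;
}
```

Refresh tokens are tied to the device parameter discussed earlier in the thread, so a client that held a refresh token from the previous device must re-authenticate rather than refresh after this runs.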