Allow only one session per user source

We have use case where where we want only one session per user source. Here source can be our main app, some third parties as well.

Example -

  1. Consider the user login to our app dashboard from device1 and now he is login into our app dashboard from another device say device2, in this case we want the session of device1 to be invalidated. So at a time a user should have only one active session on our main app.

  2. User can also connect other apps with our app. We will authorise the user and provide the access token to the third party apps. So now we have authenticated the user and provided the access-token1 to to the third party say app1, now user again initiated the process and got the new access-token say accessToken2 for app1. So now we want to invalidate the access-token1.

So now the requirement is

  • User should have valid session for device2 and access-token2 generated for app1
  • Session for device1 and accesstoken1 should be invalidated.

I am not sure how to implement this using Keyclock.

Thanks in advance