Limit concurrent sessions per user account

Hi,

Is it possible to limit the number of concurrent active sessions per user in Keycloak? Can someone help me out to achieve this?

Thanks
Anish

Keycloak has no OOTB feature for this.

I once implemented an "only one session per user" behavior with an EventListenerProvider. On every LOGIN event, I deleted all the sessions of a user, except the current one.

HTH, regards,
Niko

Thanks Niko, let me try to implement it!

Hi Niko,

As suggested by you, I am able to remove active sessions associated with a user by capturing the LOGIN event. But the access token is not getting invalidated even after removal of the session. Can you please help with this?

Thanks,
Anish

You can't invalidate access tokens. Access tokens, once issued, are valid until their expiry timestamp. That's the concept behind self-contained access tokens in JWT format, thus the term "self-contained" - you don't necessarily need a 3rd party to validate and introspect the token.

With session invalidation, you can only achieve that a user is not able to get a new/refreshed access token once he (or the resource server) tries to refresh its access token with the refresh token.

Hi @dasniko
I also want to implement this feature in my Keycloak. Can I know which Keycloak API you used to delete the sessions?
I am currently trying with KeycloakSession in my SPI but it doesn't work.

Thanks @dasniko for your help.

Hi,
I have implemented the same in my project to limit concurrent sessions per user account, but I am facing an issue when refreshing the page. Keycloak is giving a 400 response:
{
    "error": "invalid_grant",
    "error_description": "Code not valid"
}
Can you please help me with this?

Thanks
Niraj