Limit concurrent sessions per user account

Hi,

Is it possible to limit the number of concurrent active sessions per user in Keycloak? Can someone help me achieve this?

Thanks
Anish

Keycloak has no OOTB feature for this.

I once implemented an “only one session per user” behavior with an EventListenerProvider. On every LOGIN event, I deleted all the sessions of a user, except the current one.

HTH, regards,
Niko

Thanks Niko, let me try to implement it!

Hi Niko,

As suggested by you, I am able to remove the active sessions associated with a user by capturing the LOGIN event. But the access token is not getting invalidated even after removal of the session. Can you please help with this?

Thanks,
Anish

You can’t invalidate access tokens. Access tokens, once issued, are valid until their expiry timestamp. That’s the concept behind self-contained access tokens in JWT format, thus the term “self-contained” - you don’t necessarily need a 3rd party to validate and introspect the token.

With session invalidation, you can only achieve that a user is not able to get a new/refreshed access token once he (or the resource server) tries to refresh its access token with the refresh token.
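The behaviour described in the reply above, as an added example that is not part of the original thread and is not Keycloak code: a toy issuer and resource server showing that removing the session blocks refresh while the already-issued access token keeps validating until `exp`. The HS256 key, the 300-second lifetime, the user, the session id and all function names are constructed assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; a real issuer signs with its own realm keys
sessions = {}                  # sid -> user: the issuer's server-side session store
refresh_tokens = {}            # refresh token -> sid

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(sid, now, lifetime=300):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sessions[sid], "sid": sid, "exp": now + lifetime}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def login(user, sid, now):
    sessions[sid] = user
    refresh_tokens["rt-" + sid] = sid
    return issue_access_token(sid, now), "rt-" + sid

def refresh(rt, now):
    # The issuer consults its session store, so a removed session stops here.
    sid = refresh_tokens.get(rt)
    if sid not in sessions:
        raise PermissionError("invalid_grant")
    return issue_access_token(sid, now)

def validate_offline(token, now):
    """Resource-server check: signature and exp only, no call to the issuer."""
    header, payload, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False
    return json.loads(_unb64(payload))["exp"] > now

def demo():
    t0 = 1_700_000_000                       # constructed timestamp
    access, rt = login("alice", "s1", t0)
    del sessions["s1"]                       # what the LOGIN listener does to an older session
    still_ok = validate_offline(access, t0 + 60)
    expired = not validate_offline(access, t0 + 301)
    try:
        refresh(rt, t0 + 60)
        refresh_blocked = False
    except PermissionError:
        refresh_blocked = True
    return still_ok, expired, refresh_blocked
```

`demo()` returns `(True, True, True)`: the token outlives the session for the rest of its lifetime, so the exposure window after session removal is bounded by the access token lifespan.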

Hi @dasniko
I also want to implement this feature in my Keycloak. Can I know which Keycloak API you used to delete the sessions?
I am currently trying with KeycloakSession in my SPI, but it doesn’t work.

Thanks @dasniko for your help.

Hi,
I have implemented the same in my project to limit concurrent sessions per user account, but I am facing an issue when refreshing the page. Keycloak is giving a 400 response:
{
  "error": "invalid_grant",
  "error_description": "Code not valid"
}
Can you please help me with this?

Thanks
Niraj

@dasniko I think they have recently provided support for this feature, but I am not sure how to implement it. I’m not able to find the User session count limiter feature option as mentioned here. Kindly help.

@maradanasai I checked it in Keycloak V20.0.1 and it works nicely. Thanks for sharing this. You saved my life :sunglasses:

Hi there! Could you briefly explain how you did it, please? I’m using Keycloak 21.0.1. Thanks!

What about the user session limiter in the authentication flows? Isn’t it made for that purpose? See also the Server Administration Guide.

  • How does your post relate to this thread? Please never bomb different threads with your requests which cover other topics.
  • Please never ask one person directly, always post your questions as broadly as possible to the community, with as many details as possible. This way, chances are high to get an answer.

Thanks for your understanding.

I apologize for the confusion and any inconvenience caused. I realize now that my post was not directly related to this thread, and I understand the importance of staying on topic. I am committed to following the community guidelines going forward and ensuring that my contributions are relevant and respectful. Thank you for bringing this to my attention, and I appreciate your understanding.