Only one session for user

Hi all. I want a user to have only one session at a time. If he has a session on his PC and he logs in via phone, his PC session will be killed. How can I do that with Keycloak?
I tried to do that in my Node.js app (logging the user out before his login) via a POST request to
/auth/master/users/:id/logout
I took this endpoint from the official API, and when I send a POST request to it I get a 404 error with the text
{
“error”: “RESTEASY003210: Could not find resource for full path: http://host/auth/master/users/fde70a3e-ef99-4cd8-9fef-b7b57dd3d237/logout
}
How can I do that? I don’t think that this problem hasn’t come up earlier.

Just use the search function of this forum, it works!: Limit concurrent sessions per user account


I saw this topic. But how can I invalidate the refresh token?

@dasniko
In this API doc there is no endpoint for this, and the endpoint for logout didn’t work:
https://www.keycloak.org/docs-api/5.0/rest-api/index.html
Maybe you can provide a link to the active API and, ideally, a link to the endpoint for invalidating the refresh token.

You don’t need to invalidate the refresh_token. When you kill the session(s), a refresh_token for a killed session is useless; it won’t be able to refresh an access_token. Thus, killing a session is similar to revoking refresh_tokens.

@dasniko
Okay, how can I kill a session via the API?
Can you send me the correct endpoint? For now I can see only endpoints which send 404 as a response.

The API you’re looking for is the Keycloak SPI API, not a REST API. There’s no endpoint you can call to kill sessions. As I already wrote in the other post linked above, you’ll have to use an EventListenerProvider.
I put mine online here: https://github.com/dasniko/keycloak-session-restrictor
Please refer to the Keycloak docs on how to deploy SPIs and how to use event listeners.

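The event-listener approach described in the last reply, sketched as an added example (it is not code from this thread or from the linked repository): on each LOGIN event it ends every other session of the same user, which also makes the refresh tokens bound to those sessions unusable. The class names and the `single-session` provider id are assumptions, and the calls follow the recent Keycloak server SPI (`getUserById(realm, id)`, `getUserSessionsStream`); older releases use different signatures.

```java
// Added illustration; class names and the "single-session" id are assumptions.
// Register the factory in
// META-INF/services/org.keycloak.events.EventListenerProviderFactory
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import java.util.List;
import java.util.stream.Collectors;

public class SingleSessionListenerFactory implements EventListenerProviderFactory {
    @Override public String getId() { return "single-session"; }
    @Override public EventListenerProvider create(KeycloakSession session) {
        return new SingleSessionListener(session);
    }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}

class SingleSessionListener implements EventListenerProvider {
    private final KeycloakSession session;
    SingleSessionListener(KeycloakSession session) { this.session = session; }

    @Override public void onEvent(Event event) {
        if (event.getType() != EventType.LOGIN || event.getUserId() == null) return;
        RealmModel realm = session.realms().getRealm(event.getRealmId());
        if (realm == null) return;
        UserModel user = session.users().getUserById(realm, event.getUserId());
        if (user == null) return;
        // Collect first, then remove: keeps the new session, ends every other one.
        List<UserSessionModel> others = session.sessions()
            .getUserSessionsStream(realm, user)
            .filter(s -> !s.getId().equals(event.getSessionId()))
            .collect(Collectors.toList());
        others.forEach(s -> session.sessions().removeUserSession(realm, s));
    }
    @Override public void onEvent(AdminEvent event, boolean includeRepresentation) { }
    @Override public void close() { }
}
```

After the JAR is deployed, the listener only runs for realms where it has been added to the realm's event listeners.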