While it’s somewhat possible to “block” the login, I believe that’s not the user experience you’d like to have. If that’s what you’re looking for, consider the situation in which a user genuinely wishes to change the device: they’d have to contact you to reset their logged-in devices list and access their account. If that’s what you’re looking for, let me know so I can share the solution. But, if you simply wish to log the user out from other devices, this doesn’t seem possible. I tried various things to try to get this to work, but there’s simply no way that I can think of to invalidate the previous token.
Here’s what I thought could work:
A user logs in → You trigger the identity-login or any custom function → in the app_metadata object of the user, you can set something like login: 1, and once they log in from somewhere else, you can simply increment it. I thought this would invalidate the previous JWT as the encoding now changed; however, the Identity Widget is “not notified” of this updated JWT. It continues to use the previous token as that successfully decodes too.
If this is what you wanted, I don’t actually see a point as, as long as the user has the password, they can simply log in and invalidate the previous device and this will go on. So, if you really wish to block the login attempt entirely, let me know so I can walk you through it, but according to me, that’s a bad user experience. This is what keeps big OTT platforms from preventing users from sharing accounts too, I believe. They could block the login attempt, but that would increase the load on the support team to unblock genuine requests and if they invalidate the other device, the user can simply re-enter the password and this game would go on.
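
The behaviour described in this post, as an added example that is not part of the original post and is not Netlify Identity's own code: a signed token issued before the counter was incremented still verifies, and it is only rejected when the code that checks tokens also compares the token's counter with the stored one. The HS256 helper, the in-memory `userStore` standing in for `app_metadata`, the constructed secret and all function names are assumptions made for the illustration.

```javascript
// Added illustration; not Netlify Identity code. All names here are hypothetical.
const crypto = require("crypto");

const SECRET = "constructed-demo-secret"; // constructed sample key
const b64url = (v) => Buffer.from(v).toString("base64url");
const hmac = (data) => crypto.createHmac("sha256", SECRET).update(data).digest("base64url");

// Stand-in for the per-user counter the post keeps in app_metadata.
const userStore = new Map(); // userId -> current login counter

function signToken(payload) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${hmac(`${head}.${body}`)}`;
}

// Stateless check: signature and expiry only, no lookup of server-side state.
function verifyStateless(token) {
  const [head, body, sig] = token.split(".");
  if (!head || !body || !sig) return null;
  const expected = Buffer.from(hmac(`${head}.${body}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  return claims.exp > Math.floor(Date.now() / 1000) ? claims : null;
}

// Stateful check: additionally require the token's counter to match the stored one.
function verifyWithCounter(token) {
  const claims = verifyStateless(token);
  if (!claims) return null;
  return userStore.get(claims.sub) === claims.login ? claims : null;
}

// Each login bumps the counter and issues a token carrying the new value.
function login(userId) {
  const n = (userStore.get(userId) || 0) + 1;
  userStore.set(userId, n);
  return signToken({ sub: userId, login: n, exp: Math.floor(Date.now() / 1000) + 3600 });
}

function demo() {
  const deviceA = login("user-1"); // carries login: 1
  const deviceB = login("user-1"); // carries login: 2, stored counter is now 2
  return {
    oldStateless: verifyStateless(deviceA) !== null,
    oldWithCounter: verifyWithCounter(deviceA) !== null,
    newWithCounter: verifyWithCounter(deviceB) !== null,
  };
}
```

The counter check costs one state lookup per request, and it only takes effect in code paths that actually run it; a client that merely decodes the token locally sees no difference.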