How do we control multiple-device login?

When a user tries to log in from Device2, he would not be allowed to log in automatically if he has already logged in from Device1.

1. When a user tries to log in from D2, D1 will get a popup asking him to accept that he is logging in from another device.

2. If the user accepts on D1, he will be allowed to log in via D2.

3. If the user is not in proximity of D1 and cannot accept the popup message, the admin can kill the session on D1 and his login on D2 will go through.

Kindly let me know how I can implement this functionality in Apigee.


Not applicable

The session configuration required is one that will only allow one user for a particular account.

If that value can be stored and fetched during each login of the particular account, then it can be checked whether the session is true or false. If it is false it will allow login; if it is true then it will send a popup to the user's screen to accept, and if that is not accepted then the session can be killed.

Hi Priyadarshi,

On successful login, I stored the user IP address and username using the Attributes tag in the OAuth2 policy as below:

<Attributes>
    <Attribute name="ip_address" ref="proxy.client.ip" display="false"/>
    <Attribute name="username" ref="request.formparam.username" display="false"/>
</Attributes>

But I am unable to retrieve these values after successfully verifying the access token.

Kindly advise me on this.

Hi Priyadarshi,

I have a few doubts: where and how can I store the user details after login? And before login, how can I validate against the existing user details to restrict a user from logging in from multiple devices? The above solution works with the access token; without an access token I am unable to pull the information to verify. Can I use the KVM policy here to store user details? Please suggest.

So every login should have an identifier like source IP/device details (D1 or D2) or a sessionId. These values need to be persisted either in a service or in the environment cache, so that whenever there is a new login attempt Apigee can validate the persisted value before allowing the new login attempt.

For scenario 3, when Apigee has validated the request for the D2 login and allowed the identity service to initiate the pop-up, a feedback/response needs to be updated in the persisted value to allow the user to try again and continue the existing login.

Hi Sachin,

On successful login, I stored the user IP address and username using the Attributes tag in the OAuth2 policy as below:

<Attributes>
    <Attribute name="ip_address" ref="proxy.client.ip" display="false"/>
    <Attribute name="username" ref="request.formparam.username" display="false"/>
</Attributes>

But I am unable to retrieve these values after successfully verifying the access token.

Kindly advise me on this.

Storing that information in Apigee will not be a good idea. It will tightly couple your application with Apigee. You can have the logic at the service end.

Hi Raja,

Since display is set to false, the attribute values will not be included in the response when you verify the token. Try setting display to true and use the GetOAuthV2Info policy to get the custom attribute values at runtime, or in the response if Generate response is enabled.

Not applicable

Change display from false to true and, after verification, access the attribute as

accesstoken.<attributename>

This will give you the attribute values.