In the documentation of Oathkeeper, there is an example of a WebSocket page. This is furthermore connected to Kratos. This made me wonder whether it is possible to have only one valid session connected to the proxy. What I mean is that, for example, the user is connected to a socket via their account authenticated by a cookie. If this socket connection is still active and they try to connect to the same page from a different tab/window/device, Oathkeeper will deny this attempt. The configuration is not clear in what each attribute does, so I could have missed such an option. And while the guide is great and describes a topic that does not have to be there, I would appreciate hearing if there are more possibilities with sockets.
Hi @ShawnCZek
Not unless you write some custom logic - sort of like a locking mechanism - which denies the number of "active" sessions a user is allowed to have. This could be done on your application layer since you can use the user id (which is unique) from the session cookie to manage this. But Oathkeeper only checks if the cookie is valid or not.
You could most likely also wrap Kratos' /sessions/whoami in a small service which does this logic and tells Oathkeeper to proceed or not. https://www.ory.sh/docs/oathkeeper/pipeline/authn#cookie_session
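The wrapper service sketched in the answer above, as an added example that is not part of this thread or of Ory's own code: it forwards the browser's cookie to Kratos' /sessions/whoami, then allows at most one active session id per identity id, so a second tab or device with its own session cookie gets a non-200 reply and Oathkeeper's cookie_session authenticator treats it as unauthenticated. The Kratos base URL, the in-memory map and the `SingleSessionGate` name are assumptions; `decide` returns the status and body an HTTP handler behind `check_session_url` would send back.

```python
import json
import urllib.error
import urllib.request
from threading import Lock


def kratos_whoami(kratos_public_url):
    """Forward the browser's Cookie header to Kratos' /sessions/whoami (base URL is an assumption)."""
    def call(cookie_header):
        req = urllib.request.Request(f"{kratos_public_url}/sessions/whoami", headers={"Cookie": cookie_header})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:  # Kratos answers 401 when the cookie is missing or expired
            return err.code, None
    return call


class SingleSessionGate:
    """Hypothetical wrapper: allow at most one active session id per identity id (in-memory map)."""

    def __init__(self):
        self._active = {}  # identity id -> session id currently holding the slot
        self._lock = Lock()

    def check(self, identity_id, session_id):
        with self._lock:  # first session to claim the identity wins; it may re-check freely
            return self._active.setdefault(identity_id, session_id) == session_id

    def release(self, identity_id, session_id):
        with self._lock:  # free the slot when the socket closes or the user logs out
            if self._active.get(identity_id) == session_id:
                del self._active[identity_id]

    def decide(self, cookie_header, whoami):
        """Reply for Oathkeeper's cookie_session check: (200, session JSON) to proceed, else a denial."""
        status, session = whoami(cookie_header)
        if status != 200 or not session or not session.get("active"):
            return 401, {"error": "no valid Kratos session"}
        if not self.check(session["identity"]["id"], session["id"]):
            return 403, {"error": "another session is already active for this identity"}
        return 200, session  # Oathkeeper reads the subject from this body (e.g. identity.id)
```

Call `release` from the WebSocket close handler (or a Kratos logout hook), otherwise the identity stays locked to the first session until the process restarts.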