I want to enforce a single user session feature for my Angular app because my customers share a single account with their coworkers.

The issue currently, with my implementation. is revoking a valid token stored a client's local storage, particularly a valid Refresh token.

The scenario is:

1. User 1 logs in with valid username and password, the bearer token will expire in an hour, the refresh token will expire in two weeks
2. User 2, uses the same username and password two hours later. User 2 is prompted that they are logged in on another device and asked the question of they would like to expire that session and start a new session.
3. User 2 says yes and the now User 1's session in invalid.

The problem is that User 1 still has a valid Refresh token.

I have no way revoke this refresh token. My Auth API will accept is valid and I will not know whether it is User 1 or User 2's refresh token.

Do I need to start storing refresh token values in my database to resolve this issue? I also thought I could use a different JwtAuthKeyBase64 for User1 and User2, as a way to invalidate User1's token but this doesn't seem like a good way to be using the ServiceStack JwtAuthProvider.

The JWT RefreshToken is used to contact the Auth Server to fetch a new JWT Bearer Token. It will only return a BearerToken if the User still has Access so you can lock the User Account by populating UserAuth.LockedDate which will prevent the user from retrieving a new JWT Bearer Token.

If you want more custom validation you can implement IUserSessionSource and throw an Exception in GetUserSession() to return an Error Response instead of the JWT Bearer Token.