[keycloak-user] Changing passwords and current sessions

Alarik Myrin alarik at zwift.com
Thu Nov 6 07:11:50 EST 2014


Sure thing.

[KEYCLOAK-825] <https://issues.jboss.org/browse/KEYCLOAK-825>

On Thu, Nov 6, 2014 at 6:57 AM, Stian Thorgersen <stian at redhat.com> wrote:

> Ah, that makes sense. I was only considering the session the user was
> changing the password through.
>
> You're absolutely right, it makes perfect sense to log out the user. Can
> you create a jira for this please?
>
> ----- Original Message -----
> > From: "Alarik Myrin" <alarik at zwift.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Thursday, 6 November, 2014 12:46:28 PM
> > Subject: Re: [keycloak-user] Changing passwords and current sessions
> >
> > I feel like maybe this should be a realm setting.
> >
> > Let's say I am a user who lost my smart phone or my laptop.  I think to
> > myself -- I should probably go and change my passwords, which I do,
> > expecting that I am now protected.  But it is a false sense of security,
> > because the old sessions remain valid until they time out in one way or
> > another.  If your users are consumers (which mine are) and not enterprise
> > users, it is a lot to have to educate each of them on the idea that in
> > addition to changing their password they have to go in to the account
> > management application and log out their sessions.
> >
> > On Thu, Nov 6, 2014 at 3:34 AM, Stian Thorgersen <stian at redhat.com> wrote:
> >
> > > IMO the current behaviour is correct and I can't see any reason to log
> > > out a user after changing the password.
> > >
> > > ----- Original Message -----
> > > > From: "Alarik Myrin" <alarik at zwift.com>
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Wednesday, 5 November, 2014 9:25:01 PM
> > > > Subject: [keycloak-user] Changing passwords and current sessions
> > > >
> > > > Should changing a password invalidate current sessions, or at least the
> > > > refresh tokens? Or would a user have to change the password AND log out
> > > > current sessions to invalidate the current sessions and refresh tokens? To
> > > > me it seems like the latter is the current behavior, I just wanted to make
> > > > sure that it is desirable.
> > > >
> > > > Thanks,
> > > >
> > > > Alarik
> > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
>
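The revocation the thread asks for, as an added illustration that is not Keycloak's code: a constructed session store with a hypothetical realm flag under which a password change logs out the user's other sessions and rejects refresh tokens minted before the change, while the session the change was made through is re-issued and stays logged in. All class, field and flag names are assumptions.

```python
from dataclasses import dataclass
import secrets

@dataclass
class RealmSettings:
    logout_sessions_on_password_change: bool = True  # hypothetical realm flag

@dataclass
class User:
    username: str
    password_hash: str
    not_before: int = 0  # refresh tokens issued before this timestamp are rejected

@dataclass(frozen=True)
class RefreshToken:
    username: str
    session_id: str
    issued_at: int

class Realm:  # constructed stand-in for a session store, not Keycloak's code
    def __init__(self, settings: RealmSettings) -> None:
        self.settings = settings
        self.users = {}
        self.sessions = {}  # live sessions by id

    def login(self, username: str, now: int) -> RefreshToken:
        sid = f"{username}-{secrets.token_hex(4)}"  # opaque session id
        self.sessions[sid] = RefreshToken(username, sid, now)
        return self.sessions[sid]

    def change_password(self, username: str, new_hash: str, now: int, current_session: str) -> None:
        user = self.users[username]
        user.password_hash = new_hash
        if not self.settings.logout_sessions_on_password_change:
            return  # old behaviour: other sessions and refresh tokens stay valid
        # Log out every other session (the lost phone or laptop) ...
        for sid, tok in list(self.sessions.items()):
            if tok.username == username and sid != current_session:
                del self.sessions[sid]
        # ... reject refresh tokens minted before the change, and re-issue the
        # current session's token so the user doing the change stays logged in.
        user.not_before = now
        self.sessions[current_session] = RefreshToken(username, current_session, now)

    def refresh(self, token: RefreshToken, now: int):
        user = self.users.get(token.username)
        if (user is None or token.session_id not in self.sessions
                or token.issued_at < user.not_before):
            return None  # logged out, or minted before the password change
        return f"access:{token.session_id}:{now}"  # fresh access token
```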