[keycloak-user] Changing password & existing sessions (via forgot password email)

Adrian Verhagen adrian.verhagen at gmail.com
Thu Jan 19 10:30:04 EST 2017


It appears that refresh tokens are not expired when the password is reset
via the password reset email. This seems to work when resetting the
password from the account self-maintenance console, but not the recovery
email.

I'm imagining a case where, if I've been told by an administrator to reset
my password (because the account/password was compromised) and I have not
used the service in some time and so change my password using the "Forgot
Password" email, I would assume my password has been changed and my account
now secured. I wouldn't know that I needed to change it again from the
self-maintenance console in order to clear out logged-in sessions.

I'm wondering what everyone else thinks about this.
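The behaviour described above, as an added illustration rather than code from Keycloak or from the poster: an in-memory model of a realm in which one password-reset path leaves existing refresh tokens usable (the behaviour reported for the "forgot password" email) and a hardened path revokes every session of the user as part of the reset. The check function is the test a practitioner would run against any identity provider: hold a refresh token from before the reset and see whether it can still be exchanged afterwards. All users, passwords and tokens here are constructed for the example; `Realm`, `Session` and the method names are assumptions of this model, not Keycloak APIs.

```python
"""Model of session invalidation on password reset.

Added example (not Keycloak code): an in-memory realm that shows the
behaviour described in the post (a reset via the "forgot password" email
leaves existing refresh tokens valid) next to the behaviour a reset should
have (every session of the user, and its refresh tokens, is revoked).
All names, tokens and users below are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    refresh_token: str
    active: bool = True


@dataclass
class Realm:
    passwords: dict = field(default_factory=dict)   # user -> password
    sessions: dict = field(default_factory=dict)    # refresh_token -> Session

    def login(self, user, password):
        """Authenticate and open a session; returns the session's refresh token."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, token)
        return token

    def refresh(self, refresh_token):
        """Exchange a refresh token for a new access token (modelled as a string)."""
        s = self.sessions.get(refresh_token)
        if s is None or not s.active:
            raise PermissionError("invalid_grant")
        return "access-" + secrets.token_hex(8)

    def revoke_user_sessions(self, user):
        """What the account-console reset does: log the user out everywhere.
        Returns the number of sessions ended."""
        ended = 0
        for s in self.sessions.values():
            if s.user == user and s.active:
                s.active = False
                ended += 1
        return ended

    def reset_password_via_email(self, user, new_password):
        """Weak path, mirroring the reported email-reset behaviour:
        the credential changes but every existing session survives."""
        self.passwords[user] = new_password

    def reset_password_via_email_hardened(self, user, new_password):
        """Hardened path: a credential change ends every existing session,
        so a refresh token issued before the reset can no longer be used."""
        self.passwords[user] = new_password
        return self.revoke_user_sessions(user)


def old_token_still_works_after_reset(reset):
    """Check: open a session (the one an attacker may hold), reset the
    password through the given path, then try to refresh with the
    pre-reset token. True means the reset left the session usable."""
    realm = Realm(passwords={"alice": "old-pw"})   # constructed user
    token = realm.login("alice", "old-pw")
    reset(realm, "alice", "new-pw")
    try:
        realm.refresh(token)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    weak = old_token_still_works_after_reset(Realm.reset_password_via_email)
    hard = old_token_still_works_after_reset(Realm.reset_password_via_email_hardened)
    print("email reset (as reported): old refresh token still valid =", weak)
    print("email reset (hardened):    old refresh token still valid =", hard)
```

Against a real deployment the same check is done by obtaining a refresh token before the reset, completing the email reset, and then sending that token to the token endpoint with `grant_type=refresh_token`; the expected outcome is an `invalid_grant` error. Until the reset flow itself ends sessions, the administrator-side mitigation is to end the user's sessions explicitly after the reset (Keycloak's admin REST API has a per-user logout operation for this; the exact path depends on the version in use).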

