<div dir="ltr">Sure thing.<div><br></div><div><a href="https://issues.jboss.org/browse/KEYCLOAK-825">[KEYCLOAK-825]</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 6, 2014 at 6:57 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ah, that makes sense. I was only considering the session the user was changing the password through.<br>
<br>
You're absolutely right it makes perfect sense to log out the user. Can you create a jira for please?<br>
<span class="im HOEnZb"><br>
----- Original Message -----<br>
> From: "Alarik Myrin" <<a href="mailto:alarik@zwift.com">alarik@zwift.com</a>><br>
</span><div class="HOEnZb"><div class="h5">> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Thursday, 6 November, 2014 12:46:28 PM<br>
> Subject: Re: [keycloak-user] Changing passwords and current sessions<br>
><br>
> I feel like maybe this should be a realm setting.<br>
><br>
> Let's say I am a user who lost my smart phone or my laptop. I think to<br>
> myself -- I should probably go and change my passwords, which I do,<br>
> expecting that I am now protected. But it is a false sense of security,<br>
> because the old sessions remain valid until they time out in one way or<br>
> another. If your users are consumers (which mine are) and not enterprise<br>
> users, it is a lot to have to educate each of them on the idea that in<br>
> addition to changing their password they have to go in to the account<br>
> management application and log out their sessions.<br>
><br>
> On Thu, Nov 6, 2014 at 3:34 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
><br>
> > IMO the current behaviour is the correct and I can't see any reason to log<br>
> > out a user after changing the password.<br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Alarik Myrin" <<a href="mailto:alarik@zwift.com">alarik@zwift.com</a>><br>
> > > To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Wednesday, 5 November, 2014 9:25:01 PM<br>
> > > Subject: [keycloak-user] Changing passwords and current sessions<br>
> > ><br>
> > > Should changing a password invalidate current sessions, or at least the<br>
> > > refresh tokens? Or would a user have to change the password AND log out<br>
> > > current sessions to invalidate the current sessions and refresh tokens?<br>
> > To<br>
> > > me it seems like the latter is the current behavior, I just wanted to<br>
> > make<br>
> > > sure that it is desirable.<br>
> > ><br>
> > > Thanks,<br>
> > ><br>
> > > Alarik<br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > keycloak-user mailing list<br>
> > > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> ><br>
><br>
</div></div></blockquote></div><br></div>