Ah, that makes sense. I was only considering the session the user was changing the password through.
You're absolutely right it makes perfect sense to log out the user. Can you create a jira for please?
----- Original Message -----
> From: "Alarik Myrin" <email@example.com>
> To: "Stian Thorgersen" <firstname.lastname@example.org>
> Cc: email@example.com
> Sent: Thursday, 6 November, 2014 12:46:28 PM
> Subject: Re: [keycloak-user] Changing passwords and current sessions
> I feel like maybe this should be a realm setting.
> Let's say I am a user who lost my smart phone or my laptop. I think to
> myself -- I should probably go and change my passwords, which I do,
> expecting that I am now protected. But it is a false sense of security,
> because the old sessions remain valid until they time out in one way or
> another. If your users are consumers (which mine are) and not enterprise
> users, it is a lot to have to educate each of them on the idea that in
> addition to changing their password they have to go in to the account
> management application and log out their sessions.
> On Thu, Nov 6, 2014 at 3:34 AM, Stian Thorgersen <firstname.lastname@example.org> wrote:
> > IMO the current behaviour is the correct and I can't see any reason to log
> > out a user after changing the password.
> > ----- Original Message -----
> > > From: "Alarik Myrin" <email@example.com>
> > > To: firstname.lastname@example.org
> > > Sent: Wednesday, 5 November, 2014 9:25:01 PM
> > > Subject: [keycloak-user] Changing passwords and current sessions
> > >
> > > Should changing a password invalidate current sessions, or at least the
> > > refresh tokens? Or would a user have to change the password AND log out
> > > current sessions to invalidate the current sessions and refresh tokens?
> > To
> > > me it seems like the latter is the current behavior, I just wanted to
> > make
> > > sure that it is desirable.
> > >
> > > Thanks,
> > >
> > > Alarik
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > email@example.com
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user