On Thu, Nov 6, 2014 at 6:57 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
Ah, that makes sense. I was only considering the session the user was
changing the password through.
You're absolutely right it makes perfect sense to log out the user. Can
you create a jira for please?
----- Original Message -----
> From: "Alarik Myrin" <alarik(a)zwift.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 6 November, 2014 12:46:28 PM
> Subject: Re: [keycloak-user] Changing passwords and current sessions
>
> I feel like maybe this should be a realm setting.
>
> Let's say I am a user who lost my smart phone or my laptop. I think to
> myself -- I should probably go and change my passwords, which I do,
> expecting that I am now protected. But it is a false sense of security,
> because the old sessions remain valid until they time out in one way or
> another. If your users are consumers (which mine are) and not enterprise
> users, it is a lot to have to educate each of them on the idea that in
> addition to changing their password they have to go in to the account
> management application and log out their sessions.
>
> On Thu, Nov 6, 2014 at 3:34 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>
> > IMO the current behaviour is the correct and I can't see any reason to log
> > out a user after changing the password.
> >
> > ----- Original Message -----
> > > From: "Alarik Myrin" <alarik(a)zwift.com>
> > > To: keycloak-user(a)lists.jboss.org
> > > Sent: Wednesday, 5 November, 2014 9:25:01 PM
> > > Subject: [keycloak-user] Changing passwords and current sessions
> > >
> > > Should changing a password invalidate current sessions, or at least the
> > > refresh tokens? Or would a user have to change the password AND log out
> > > current sessions to invalidate the current sessions and refresh tokens? To
> > > me it seems like the latter is the current behavior, I just wanted to make
> > > sure that it is desirable.
> > >
> > > Thanks,
> > >
> > > Alarik
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
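
The gap discussed in this thread, as an added Python example that is not part of the original messages and is not Keycloak code: each refresh token is bound to a per-user credential generation, and a password change bumps that generation so tokens held by other devices stop validating. The `Realm` class, the `revoke_sessions_on_password_change` flag and the generation counter are assumptions made for illustration; password verification itself is out of scope.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Realm:
    # Hypothetical realm-level switch, modelled on the "realm setting" suggested in the thread.
    revoke_sessions_on_password_change: bool = True
    _generation: dict = field(default_factory=dict)  # user -> credential generation
    _sessions: dict = field(default_factory=dict)    # refresh token -> (user, generation at issue)

    def login(self, user: str) -> str:
        """Issue a refresh token bound to the user's current credential generation."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._generation.setdefault(user, 0))
        return token

    def is_valid(self, token: str) -> bool:
        """A token is valid only if it was issued under the current credential generation."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, issued_gen = entry
        return issued_gen == self._generation.get(user, 0)

    def change_password(self, user: str, current_token: str) -> str:
        """Record a password change made through current_token; return the token to keep using."""
        if not self.is_valid(current_token) or self._sessions[current_token][0] != user:
            raise PermissionError("password change requires a valid session for that user")
        if not self.revoke_sessions_on_password_change:
            return current_token        # the behaviour questioned in the thread
        self._generation[user] += 1     # every token issued earlier now fails is_valid()
        return self.login(user)         # fresh token for the session that made the change


def demo(revoke: bool) -> tuple:
    """Constructed scenario: a lost phone still holds a token when the laptop changes the password."""
    realm = Realm(revoke_sessions_on_password_change=revoke)
    phone, laptop = realm.login("alice"), realm.login("alice")
    laptop = realm.change_password("alice", laptop)
    return realm.is_valid(phone), realm.is_valid(laptop)
```

`demo(False)` leaves the lost phone's token valid after the password change, while `demo(True)` rejects it and keeps only the session that performed the change.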