2:25 p.m.
Should changing a password invalidate current sessions, or at least the
refresh tokens? Or would a user have to change the password AND log out
current sessions to invalidate the current sessions and refresh tokens? To
me it seems like the latter is the current behavior, I just wanted to make
sure that it is desirable.
Thanks,
Alarik
2:34 a.m.
IMO the current behaviour is the correct and I can't see any reason to log out a user
after changing the password.
----- Original Message -----
From: "Alarik Myrin" <alarik(a)zwift.com>
To: keycloak-user(a)lists.jboss.org
Sent: Wednesday, 5 November, 2014 9:25:01 PM
Subject: [keycloak-user] Changing passwords and current sessions
Should changing a password invalidate current sessions, or at least the
refresh tokens? Or would a user have to change the password AND log out
current sessions to invalidate the current sessions and refresh tokens? To
me it seems like the latter is the current behavior, I just wanted to make
sure that it is desirable.
Thanks,
Alarik
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:46 a.m.
I feel like maybe this should be a realm setting.
Let's say I am a user who lost my smart phone or my laptop. I think to
myself -- I should probably go and change my passwords, which I do,
expecting that I am now protected. But it is a false sense of security,
because the old sessions remain valid until they time out in one way or
another. If your users are consumers (which mine are) and not enterprise
users, it is a lot to have to educate each of them on the idea that in
addition to changing their password they have to go in to the account
management application and log out their sessions.
On Thu, Nov 6, 2014 at 3:34 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
IMO the current behaviour is the correct and I can't see any
reason to log
out a user after changing the password.
----- Original Message -----
> From: "Alarik Myrin" <alarik(a)zwift.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 5 November, 2014 9:25:01 PM
> Subject: [keycloak-user] Changing passwords and current sessions
>
> Should changing a password invalidate current sessions, or at least the
> refresh tokens? Or would a user have to change the password AND log out
> current sessions to invalidate the current sessions and refresh tokens?
To
> me it seems like the latter is the current behavior, I just wanted to
make
> sure that it is desirable.
>
> Thanks,
>
> Alarik
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
5:57 a.m.
Ah, that makes sense. I was only considering the session the user was changing the
password through.
You're absolutely right it makes perfect sense to log out the user. Can you create a
jira for please?
----- Original Message -----
From: "Alarik Myrin" <alarik(a)zwift.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 6 November, 2014 12:46:28 PM
Subject: Re: [keycloak-user] Changing passwords and current sessions
I feel like maybe this should be a realm setting.
Let's say I am a user who lost my smart phone or my laptop. I think to
myself -- I should probably go and change my passwords, which I do,
expecting that I am now protected. But it is a false sense of security,
because the old sessions remain valid until they time out in one way or
another. If your users are consumers (which mine are) and not enterprise
users, it is a lot to have to educate each of them on the idea that in
addition to changing their password they have to go in to the account
management application and log out their sessions.
On Thu, Nov 6, 2014 at 3:34 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> IMO the current behaviour is the correct and I can't see any reason to log
> out a user after changing the password.
>
> ----- Original Message -----
> > From: "Alarik Myrin" <alarik(a)zwift.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Wednesday, 5 November, 2014 9:25:01 PM
> > Subject: [keycloak-user] Changing passwords and current sessions
> >
> > Should changing a password invalidate current sessions, or at least the
> > refresh tokens? Or would a user have to change the password AND log out
> > current sessions to invalidate the current sessions and refresh tokens?
> To
> > me it seems like the latter is the current behavior, I just wanted to
> make
> > sure that it is desirable.
> >
> > Thanks,
> >
> > Alarik
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
6:11 a.m.
Sure thing.
[KEYCLOAK-825] <https://issues.jboss.org/browse/KEYCLOAK-825>
On Thu, Nov 6, 2014 at 6:57 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
Ah, that makes sense. I was only considering the session the user
was
changing the password through.
You're absolutely right it makes perfect sense to log out the user. Can
you create a jira for please?
----- Original Message -----
> From: "Alarik Myrin" <alarik(a)zwift.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 6 November, 2014 12:46:28 PM
> Subject: Re: [keycloak-user] Changing passwords and current sessions
>
> I feel like maybe this should be a realm setting.
>
> Let's say I am a user who lost my smart phone or my laptop. I think to
> myself -- I should probably go and change my passwords, which I do,
> expecting that I am now protected. But it is a false sense of security,
> because the old sessions remain valid until they time out in one way or
> another. If your users are consumers (which mine are) and not enterprise
> users, it is a lot to have to educate each of them on the idea that in
> addition to changing their password they have to go in to the account
> management application and log out their sessions.
>
> On Thu, Nov 6, 2014 at 3:34 AM, Stian Thorgersen <stian(a)redhat.com>
wrote:
>
> > IMO the current behaviour is the correct and I can't see any reason to
log
> > out a user after changing the password.
> >
> > ----- Original Message -----
> > > From: "Alarik Myrin" <alarik(a)zwift.com>
> > > To: keycloak-user(a)lists.jboss.org
> > > Sent: Wednesday, 5 November, 2014 9:25:01 PM
> > > Subject: [keycloak-user] Changing passwords and current sessions
> > >
> > > Should changing a password invalidate current sessions, or at least
the
> > > refresh tokens? Or would a user have to change the password AND log
out
> > > current sessions to invalidate the current sessions and refresh
tokens?
> > To
> > > me it seems like the latter is the current behavior, I just wanted to
> > make
> > > sure that it is desirable.
> > >
> > > Thanks,
> > >
> > > Alarik
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
3456
days inactive
3457
days old
4 comments
2 participants
participants (2)
-
Alarik Myrin -
Stian Thorgersen