[keycloak-user] Changing passwords and current sessions

Alarik Myrin alarik at zwift.com
Thu Nov 6 06:46:28 EST 2014

I feel like maybe this should be a realm setting.

Let's say I am a user who lost my smart phone or my laptop.  I think to
myself -- I should probably go and change my passwords, which I do,
expecting that I am now protected.  But it is a false sense of security,
because the old sessions remain valid until they time out in one way or
another.  If your users are consumers (which mine are) and not enterprise
users, it is a lot to have to educate each of them on the idea that in
addition to changing their password they have to go in to the account
management application and log out their sessions.

On Thu, Nov 6, 2014 at 3:34 AM, Stian Thorgersen <stian at redhat.com> wrote:

> IMO the current behaviour is the correct and I can't see any reason to log
> out a user after changing the password.
> ----- Original Message -----
> > From: "Alarik Myrin" <alarik at zwift.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 5 November, 2014 9:25:01 PM
> > Subject: [keycloak-user] Changing passwords and current sessions
> >
> > Should changing a password invalidate current sessions, or at least the
> > refresh tokens? Or would a user have to change the password AND log out
> > current sessions to invalidate the current sessions and refresh tokens?
> To
> > me it seems like the latter is the current behavior, I just wanted to
> make
> > sure that it is desirable.
> >
> > Thanks,
> >
> > Alarik
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141106/921581d8/attachment.html 

More information about the keycloak-user mailing list