[keycloak-user] Changing passwords and current sessions

Stian Thorgersen stian at redhat.com
Thu Nov 6 06:57:03 EST 2014


Ah, that makes sense. I was only considering the session the user was changing the password through.

You're absolutely right it makes perfect sense to log out the user. Can you create a jira for please?

----- Original Message -----
> From: "Alarik Myrin" <alarik at zwift.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 6 November, 2014 12:46:28 PM
> Subject: Re: [keycloak-user] Changing passwords and current sessions
> 
> I feel like maybe this should be a realm setting.
> 
> Let's say I am a user who lost my smart phone or my laptop.  I think to
> myself -- I should probably go and change my passwords, which I do,
> expecting that I am now protected.  But it is a false sense of security,
> because the old sessions remain valid until they time out in one way or
> another.  If your users are consumers (which mine are) and not enterprise
> users, it is a lot to have to educate each of them on the idea that in
> addition to changing their password they have to go in to the account
> management application and log out their sessions.
> 
> On Thu, Nov 6, 2014 at 3:34 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > IMO the current behaviour is the correct and I can't see any reason to log
> > out a user after changing the password.
> >
> > ----- Original Message -----
> > > From: "Alarik Myrin" <alarik at zwift.com>
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Wednesday, 5 November, 2014 9:25:01 PM
> > > Subject: [keycloak-user] Changing passwords and current sessions
> > >
> > > Should changing a password invalidate current sessions, or at least the
> > > refresh tokens? Or would a user have to change the password AND log out
> > > current sessions to invalidate the current sessions and refresh tokens?
> > To
> > > me it seems like the latter is the current behavior, I just wanted to
> > make
> > > sure that it is desirable.
> > >
> > > Thanks,
> > >
> > > Alarik
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 


More information about the keycloak-user mailing list