[keycloak-user] Changing password & existing sessions (via forgot password email)
Adrian Verhagen
adrian.verhagen at gmail.com
Thu Jan 19 10:30:04 EST 2017
It appears that refresh tokens are not expired when the password is reset
via the password reset email. This seems to work when resetting the
password from the account self-maintenance console, but not the recovery
email.
I'm imagining a case where, if I've been told by an administrator to reset
my password (because the account/password was compromised) and I have not
used the service in some time and so change my password using the "Forgot
Password" email, I would assume my password has been changed and my account
now secured. I wouldn't know that I needed to change it again from the
self-maintenance console in order to clear out logged in sessions.
I'm wondering what everyone else thinks about this.
More information about the keycloak-user
mailing list