Reset Password does not logout all sessions

[olivierboudet]

Describe the bug

All the sessions of a user are not closed when using "forgot credentials" page.

Version

15.0.2

Expected behavior

When a user is using multiple device (a PC and a mobile device for example) and is logged in on each, if he resets his password on the PC, I expect it to be logged out on all his devices. So it should be loggout out on his mobile device also.

Actual behavior

When a user changes its password in the account page, all sessions are logged out. IMHO this is expected.
When a user changes its password with the "forgot password" page, opened sessions are not closed.

How to Reproduce?

• log in to keycloak on a browser (example: firefox)
• log in to keycloak with same user on another browser (example: chromium)
• in keycloak admin console, we can see two sessions for this user
• in a third browser (or a private tab), go to /auth/realms/{realm}/login-actions/reset-credentials page and reset the password
• in keycloak admin console, we can see old sessions for this user are not closed

Anything else?

No response

[stianst]

Changing this to a discussion as this is not a bug and is by design.

Recover password is used in scenarios when a user has forgotten the password, as such should not invalidate other sessions. In fact that is pretty common practice.

If a user suspect the account has been compromised they will update the credentials through the account console, which gives the option to logout existing sessions.

[olivierboudet]

Yes I understand your point of view.

However I have another case in mind : imagine some of user accounts have been hacked/pawned.
The hacker may have modified some passwords, but he was not able to modify the email because we have disabled "Edit username" option and we have "Email as username" enabled.

If we recommend these users to do a "forgot credentials" to reset their password and recover their account by themselves, then the hacker still has access to the account until session expires.

PS : imagine that users do not use the keycloak account page so we can not tell them to do a "logout all session" manually (and this is not very user friendly to tell them to do that :) )

[stianst]

If an admin believes a users account has been compromised then the admin should clearly reset the password, as well as clear all the sessions.

[stianst]

It may make sense to add an option on the update password screen that allows logout of other sessions, that should actually be fairly simple to do as the update password action is also what drives the update from the account console, so believe the functionality is already there, probably just hidden if not initiated as a AIA.

[olivierboudet]

Yes I think it is a good option. I am open to send a PR for this if you want.