We are experiencing something (I think) weird and we need to know how to solve this with Keycloak.
We have an application which stores the refresh token for users. These are offline tokens.
When one of these users resets his password, the refresh token stored in our application is still valid and still issues new access tokens, despite the fact that the password has been reset.
Is it a security hole? If someone steals the refresh token, he can still obtain an access token despite the password reset.
What can the user do if he suspects that his password (and refresh token) have been stolen?
Is there any Keycloak configuration to mitigate (or resolve) this problem?
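The behaviour described above can be checked and cleaned up from the admin side. The script below is an added example, not code from the original poster or from the Keycloak project. It inspects the stored refresh token, revokes the user's offline grants through the admin REST API (GET and DELETE on `/admin/realms/{realm}/users/{user-id}/consents[/{client-id}]`), and then tries the stored token against the standard OIDC token endpoint to confirm it is rejected. The host, realm, client id and user id are placeholders; the shape of the consents response (an `additionalGrants` entry with key `Offline Token`) and the exact `error_description` text are assumptions based on Keycloak's admin API, and the sample token and sample consents are constructed test data.

```python
"""Revoke a Keycloak user's offline tokens and verify a stored refresh token
is rejected afterwards.  Added example; host/realm/client/user ids are
placeholders, and the sample data at the bottom is constructed."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_offline_token(token: str) -> bool:
    """Keycloak marks offline refresh tokens with the claim typ == "Offline"."""
    return decode_jwt_claims(token).get("typ") == "Offline"


def clients_with_offline_grants(consents: list) -> list:
    """From the admin consents listing, pick the clients that hold an offline token.
    Assumption: Keycloak reports them as additionalGrants with key "Offline Token"."""
    return [
        c["clientId"]
        for c in consents
        if any(g.get("key") == "Offline Token" for g in c.get("additionalGrants", []))
    ]


def classify_refresh_response(status: int, body: str) -> str:
    """Map a token-endpoint reply to 'valid', 'revoked' or 'other'."""
    try:
        payload = json.loads(body)
    except ValueError:
        return "other"
    if status == 200 and "access_token" in payload:
        return "valid"
    if status == 400 and payload.get("error") == "invalid_grant":
        return "revoked"                           # session gone: token is dead
    return "other"


def _call(method, url, headers=None, data=None):
    req = urllib.request.Request(url, method=method, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def revoke_offline_tokens(base_url, realm, admin_token, user_id):
    """Revoke consent, and with it the offline tokens, for every client holding one.
    Needs an admin token with manage-users on the realm. Returns revoked client ids."""
    hdr = {"Authorization": f"Bearer {admin_token}"}
    url = f"{base_url}/admin/realms/{realm}/users/{user_id}/consents"
    status, body = _call("GET", url, hdr)
    if status != 200:
        raise RuntimeError(f"consents lookup failed: {status} {body}")
    revoked = []
    for client_id in clients_with_offline_grants(json.loads(body)):
        status, body = _call("DELETE", f"{url}/{urllib.parse.quote(client_id, safe='')}", hdr)
        if status != 204:
            raise RuntimeError(f"revoking {client_id} failed: {status} {body}")
        revoked.append(client_id)
    return revoked


def try_refresh(base_url, realm, client_id, client_secret, refresh_token) -> str:
    """Use the stored refresh token once; expect 'revoked' after revoke_offline_tokens."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}
    status, body = _call("POST", f"{base_url}/realms/{realm}/protocol/openid-connect/token",
                         {"Content-Type": "application/x-www-form-urlencoded"},
                         urllib.parse.urlencode(form).encode())
    return classify_refresh_response(status, body)


# ---- constructed sample data (not real tokens or server output) ----
def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Unsigned test JWT; the signature segment is a placeholder."""
    return ".".join([_b64url({"alg": "none"}), _b64url(claims), "sig"])


SAMPLE_OFFLINE_TOKEN = make_sample_token(
    {"typ": "Offline", "azp": "my-app", "sub": "user-uuid", "scope": "openid offline_access"})
SAMPLE_CONSENTS = [
    {"clientId": "my-app", "grantedClientScopes": ["offline_access"],
     "additionalGrants": [{"key": "Offline Token", "value": "Offline Token"}]},
    {"clientId": "other-app", "grantedClientScopes": ["profile"], "additionalGrants": []},
]

if __name__ == "__main__":
    import os
    base = os.environ.get("KC_URL", "https://keycloak.example.com")   # placeholder
    realm = os.environ.get("KC_REALM", "myrealm")                    # placeholder
    stored = os.environ["STORED_REFRESH_TOKEN"]
    print("stored token is offline:", is_offline_token(stored))
    print("revoked for clients:", revoke_offline_tokens(base, realm, os.environ["KC_ADMIN_TOKEN"],
                                                       os.environ["KC_USER_ID"]))
    print("refresh attempt now:", try_refresh(base, realm, os.environ["KC_CLIENT_ID"],
                                              os.environ.get("KC_CLIENT_SECRET", ""), stored))
```

Two points worth keeping in mind when using this: a plain user logout (`POST .../users/{user-id}/logout`) clears online sessions, so it is the consent revocation that actually kills the offline token; and the realm's "Revoke Refresh Token" setting (single-use refresh tokens) limits how far a stolen token can be replayed but does not by itself tie the token's validity to the password. The end user can remove an application's offline access in the Account console as well, which has the same effect as the DELETE above.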