In an effort to further increase account security for Google Apps users, a recent change has been made to our security policy, whereby OAuth2 tokens issued for access to certain products will now be revoked when a user’s password is changed. For example, if a user loses their device, and changes their Google password, their mail and other data will stop syncing to that device when the password is reset.
Token revocation itself is not a new feature, as users have always had the ability to revoke access to applications in Security Checkup, and admins have always had this ability in the Google Apps Admin console. This change in our security policy will simply automate the token revocation process.
What products are impacted?
Some applications that use the OAuth2 authentication method will stop accessing data upon password reset until a new OAuth2 token has been granted by the user by re-authenticating with their Google account username and password. This includes Gmail, Google Calendar, Google Apps Sync for Microsoft Outlook (GASMO), and applications that use certain Google APIs.
For a list of impacted data endpoints and scopes, and any known products that may not sync properly following the policy change, please check out the Help Center.
In the future, we plan to expand the list of Google products and scopes for which tokens will be revoked upon password change, and will provide more details as they become available.
How will this impact Google Apps users?
If you have a corporate policy that requires your end users to change their passwords periodically, we recommend letting them know that they will also have to re-authenticate on their mobile devices, or any applications that they may be using to access Google Apps.
All password changes, such as an end user changing a password, or an admin changing the password on behalf of the end user―or even using tools such as Google Apps Password Sync or other Directory API client applications―will result in OAuth2 tokens being revoked.