Automatic OAuth 2.0 token revocation upon password change

To increase account security for Google users, OAuth 2.0 tokens issued for access to certain products are automatically revoked when a user's password is changed. Third-party mail apps like Apple Mail and Mozilla Thunderbird―as well as other applications that use mail scopes to access a user’s mail―will stop syncing data upon password reset until a new OAuth 2.0 token has been granted. A new token will be granted when the user re-authenticates with their Google account username and password.

Third-party mail applications on mobile are also included in this policy change. For example, users who use the native mail application on iOS will now have to re-authenticate with their Google account credentials when their password has been changed. This new behavior for third-party mail apps on mobile aligns with the current behavior with Gmail on iOS and Android, which also require re-authentication upon password reset.

The token revocation process does not include applications built on Apps Script, even if the script accesses mail.

Notes:

  • If the password change is triggered from an Android device, the OAuth token for the account sync used by this Android device is not revoked.
  • Gmail IMAP sessions authenticated using OAuth aren't affected by a password change, but are limited to the validity period of the access token (usually 1 hour).

Questions

How does this change impact applications using an App Password if 2-step verification is enabled?

Currently, there is no impact. We will announce any changes to the treatment of App Passwords when they occur.

Does a password change invalidate access tokens as well as refresh tokens?

Yes, the password change invalidates access tokens as well as refresh tokens.

We have a custom script that sets the same password for a user multiple times. Will this trigger token revocation?

If this is done through the Directory API users update, and the same password is hashed via the same function, this will not be treated as a password change, and thus tokens should not get revoked.

Note: If you are using a hashing function that accepts a salt, make sure to use the same salt for every update. This ensures the update is not treated as a password change.

How does this change impact the Less secure apps setting?

The Less secure apps setting will have no impact on tokens being revoked upon password change.

 


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
2819348878480498079
true
Search Help Center
true
true
true
true
true
73010
false
false