Automatic OAuth 2.0 token revocation upon password change

To increase account security for Google users, OAuth 2.0 tokens issued for access to certain products are automatically revoked when a user's password is changed. Third-party mail apps like Apple® Mail® and Mozilla® Thunderbird®―as well as other applications that use mail scopes to access a user’s mail―will stop syncing data upon password reset until a new OAuth 2.0 token has been granted. A new token will be granted when the user re-authenticates with their Google account username and password.

Third-party mail applications on mobile are also included in this policy change. For example, users who use the native mail application on iOS will now have to re-authenticate with their Google account credentials when their password has been changed. This new behavior for third-party mail apps on mobile aligns with the current behavior with Gmail on iOS and Android, which also require re-authentication upon password reset.

The token revocation process does not include applications built on Apps Script, even if the script accesses mail.

Note: If the password change is triggered from an Android device, the OAuth token for the account sync used by this Android device is not revoked.

Questions

How does this change impact applications using an App Password if 2-step verification is enabled?

Currently, there is no impact. We will announce any changes to the treatment of App Passwords when they occur.

Does a password change invalidate access tokens as well as refresh tokens?

Yes, the password change invalidates access tokens as well as refresh tokens.

We have a custom script that sets the same password for a user multiple times. Will this trigger token revocation?

If this is done through the Directory API `users.update` method, and the same password is hashed with the same hash function so that the submitted hash string is identical, this will not be treated as a password change, and thus tokens should not get revoked.

Note: If you are using a hashing function that accepts a salt, make sure to use the same salt for every update. This ensures the update is not treated as a password change.
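The rule above comes down to one thing: the password hash string your script submits must be byte-identical on every update, which fails silently as soon as a salted scheme draws a fresh salt per call. The following Python is an added illustration, not Google's code and not a Directory API client; it builds the `password`/`hashFunction` fields of a `users.update` body the way an admin script would and checks whether consecutive updates would read as a change. The unsalted body uses the API's documented `SHA-1` option. The salted scheme (`salted_hash`) and the placeholder user address are constructed for the example: a real salted update would send a crypt(3)-compatible string with `hashFunction: "crypt"`, and this stand-in only reproduces the property that matters here, namely that the salt is part of the output string.

```python
import hashlib
import secrets

# Constructed placeholder; a real script targets an actual user in the domain.
USER_KEY = "placeholder-user@example.com"


def sha1_password_body(password: str) -> dict:
    """Unsalted SHA-1 hex digest, as submitted with hashFunction "SHA-1".

    No salt is involved, so the same password always produces the same
    body and repeated updates cannot look like a password change.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return {"password": digest, "hashFunction": "SHA-1"}


def salted_hash(password: str, salt: str) -> str:
    """Stand-in for a salted password hash (constructed for this example).

    The salt is embedded in the output, exactly as in crypt(3)-style strings,
    so two calls with different salts give different strings for the same
    password. This is NOT a format the Directory API accepts as is.
    """
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"${salt}${digest}"


def looks_like_password_change(stored_hash: str, submitted_hash: str) -> bool:
    """The article's criterion: an update is a password change only when the
    submitted hash string differs from the one already stored."""
    return stored_hash != submitted_hash


def plan_updates(password: str, salts: list) -> list:
    """Simulate repeated updates of the same password, one per salt.

    Returns, for every update after the first, whether it would be treated
    as a password change (and therefore revoke the user's OAuth tokens).
    """
    hashes = [salted_hash(password, s) for s in salts]
    return [looks_like_password_change(prev, cur)
            for prev, cur in zip(hashes, hashes[1:])]


def build_update_body(password: str, salt: str) -> dict:
    """Body an admin script would hand to users.update(userKey=..., body=...).

    A fixed, stored salt keeps this body stable across runs; drawing a new
    salt per run is the mistake the article warns about.
    """
    return {"password": salted_hash(password, salt), "hashFunction": "crypt"}


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password

    # Same fixed salt every time: no update after the first reads as a change.
    print("fixed salt   ->", plan_updates(pw, ["s4lt"] * 4))      # [False, False, False]

    # Fresh random salt per update: every update reads as a password change.
    random_salts = [secrets.token_hex(4) for _ in range(4)]
    print("random salts ->", plan_updates(pw, random_salts))      # [True, True, True]

    # The unsalted SHA-1 option is stable by construction.
    print("sha1 stable  ->", sha1_password_body(pw) == sha1_password_body(pw))
    print("body for", USER_KEY, "->", build_update_body(pw, "s4lt"))
```

With the real client the body goes out as `service.users().update(userKey=USER_KEY, body=body).execute()`; the point of the simulation is that whatever hashing you choose, persist the salt alongside the script and reuse it, and compare the generated string against the previous run before submitting if you want a guard against accidental revocation.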

How does this change impact the Less secure apps setting?

The Less secure apps setting will have no impact on tokens being revoked upon password change.
