Automatic OAuth 2.0 token revocation upon password change
To increase account security for Google users, OAuth 2.0 tokens issued for access to certain products are automatically revoked when a user's password is changed. Third-party mail apps like Apple® Mail® and Mozilla® Thunderbird®, as well as other applications that use mail scopes to access a user's mail, will stop syncing data upon password reset until a new OAuth 2.0 token has been granted. A new token is granted when the user re-authenticates with their Google account username and password.
Third-party mail applications on mobile are also covered by this policy change. For example, users of the native Mail app on iOS now have to re-authenticate with their Google account credentials after their password has been changed. This new behavior for third-party mail apps on mobile aligns with the existing behavior of Gmail on iOS and Android, which also require re-authentication upon password reset.
The token revocation process does not include applications built on Apps Script, even if the script accesses mail.
Note: If the password change is triggered from an Android device, the OAuth token for the account sync used by this Android device is not revoked.
App Passwords are currently not affected. We will announce any changes to the treatment of App Passwords when they occur.
Tokens are revoked at the time the password is changed.
A password change invalidates both access tokens and refresh tokens.
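Because a password change kills the refresh token as well, a mail client that keeps retrying the same refresh token after a reset will never sync again. The following added example (not Google's code or any mail client's) shows the client-side handling: refresh normally, and when the token endpoint answers with the OAuth error `invalid_grant`, discard both tokens and flag the account for re-authentication. The token endpoint, its responses and the revocation step are simulated in-process so the example runs offline; the sample tokens and account name are constructed.

```python
"""Client handling of refresh tokens revoked by a password change (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# --- constructed stand-in for the authorization server's token endpoint ------
# Maps refresh_token -> account. A password change deletes the account's entries,
# after which the endpoint answers with the standard OAuth error "invalid_grant".
_VALID_REFRESH = {"rt-alice-1": "alice@example.com"}  # constructed sample data
_ACCESS_COUNTER = {"n": 0}

def fake_token_endpoint(params: dict) -> Tuple[int, dict]:
    """Mimics POST /token with grant_type=refresh_token (simulation, not the real API)."""
    if params.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    if params.get("refresh_token") not in _VALID_REFRESH:
        return 400, {"error": "invalid_grant", "error_description": "Token revoked."}
    _ACCESS_COUNTER["n"] += 1
    return 200, {"access_token": f"at-{_ACCESS_COUNTER['n']}", "expires_in": 3599}

def simulate_password_change(account: str) -> None:
    """Server side of the policy: revoke every refresh token held for the account."""
    for rt in [k for k, v in _VALID_REFRESH.items() if v == account]:
        del _VALID_REFRESH[rt]

# --- client side -------------------------------------------------------------
@dataclass
class TokenStore:
    refresh_token: Optional[str]
    access_token: Optional[str] = None
    needs_reauth: bool = False

def obtain_access_token(store: TokenStore,
                        token_endpoint: Callable = fake_token_endpoint) -> Optional[str]:
    """Refresh the access token. Returns None when the user must sign in again."""
    if store.refresh_token is None:
        store.needs_reauth = True
        return None
    status, body = token_endpoint({"grant_type": "refresh_token",
                                   "refresh_token": store.refresh_token})
    if status == 200:
        store.access_token = body["access_token"]
        return store.access_token
    if status == 400 and body.get("error") == "invalid_grant":
        # The grant itself is dead (e.g. revoked by a password change): retrying the
        # same refresh token only generates noise. Clear it and prompt for re-auth.
        store.access_token = store.refresh_token = None
        store.needs_reauth = True
        return None
    raise RuntimeError(f"token endpoint failure {status}: {body}")  # transient; retry later

def complete_reauth(store: TokenStore, new_refresh_token: str, account: str) -> None:
    """After the user signs in again, install the newly granted refresh token."""
    _VALID_REFRESH[new_refresh_token] = account  # simulated new grant from the server
    store.refresh_token, store.needs_reauth = new_refresh_token, False
```

Any other 4xx/5xx from the endpoint is left to the caller as a transient failure, so only a definite `invalid_grant` triggers the re-authentication prompt.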
If the password is updated through the Directory API users.update method and the same password is hashed with the same hash function, the update is not treated as a password change, so tokens should not be revoked.
Note: If you are using a hashing function that accepts a salt, make sure to use the same salt for every update. This ensures the update is not treated as a password change.
The Less secure apps setting has no effect on whether tokens are revoked upon password change.