To further increase account security for Google Apps users, we have recently changed our security policy: OAuth2 tokens issued for access to certain products will now be revoked when a user’s password is changed. For example, if a user loses their device and changes their Google password, their mail and other data will stop syncing to that device when the password is reset.
Token revocation itself is not a new feature, as users have always had the ability to revoke access to applications in Security Checkup, and admins have always had this ability in the Google Apps Admin console. This change in our security policy will simply automate the token revocation process.
What products are impacted?
Any application or device sync functionality that uses the OAuth2 authentication method will stop accessing data upon password reset until the user grants a new OAuth2 token by re-authenticating with their Google account username and password. This includes Gmail, Google Calendar, Google Apps Sync for Microsoft Outlook (GASMO), and applications that use certain Google APIs.
For a list of impacted data endpoints and scopes, and any known products that may not sync properly following the policy change, please check out the Help Center.
In the future, we plan to expand the list of Google products and scopes for which tokens will be revoked upon password change, and will provide more details as they become available.
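How an affected application can react to revocation, as an added example that is not from Google or this post: the client treats the standard OAuth2 invalid_grant error (RFC 6749) from the token endpoint as a signal to discard its stored tokens and ask the user to sign in again, and treats any other failure as retryable. The function names, the layout of the store dictionary and the sample endpoint replies are assumptions constructed for illustration.

```python
import json

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's current OAuth2 token endpoint

class ReauthRequired(Exception):
    """The refresh token was rejected; the user must sign in again."""

class TransientTokenError(Exception):
    """The token endpoint failed for a reason unrelated to revocation."""

def refresh_access_token(store, post):
    """Exchange the stored refresh token for a new access token.

    store: dict with 'refresh_token', 'client_id', 'client_secret' (hypothetical layout).
    post:  callable(url, form) -> (http_status, body_text). Injected so the example
           runs offline; in a real client it wraps an HTTPS POST.
    """
    status, body = post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": store["refresh_token"],
        "client_id": store["client_id"],
        "client_secret": store["client_secret"],
    })
    try:
        reply = json.loads(body)
    except ValueError:
        reply = {}
    if not isinstance(reply, dict):
        reply = {}
    if status == 200 and "access_token" in reply:
        store["access_token"] = reply["access_token"]
        return reply["access_token"]
    if reply.get("error") == "invalid_grant":
        # Revoked (for example after a password change) or expired: a retry
        # cannot succeed, so drop the dead credentials instead of replaying them.
        store.pop("refresh_token", None)
        store.pop("access_token", None)
        raise ReauthRequired("refresh token rejected; prompt the user to sign in")
    raise TransientTokenError(f"token endpoint returned HTTP {status}")

# Constructed token-endpoint replies (not captured from a real service).
def revoked_endpoint(url, form):
    return 400, '{"error": "invalid_grant", "error_description": "Token has been expired or revoked."}'

def healthy_endpoint(url, form):
    return 200, '{"access_token": "constructed-access-token", "expires_in": 3599, "token_type": "Bearer"}'

def outage_endpoint(url, form):
    return 503, "Service Unavailable"
```

Keeping the refresh token after a transient failure and deleting it only on invalid_grant avoids both endless retry loops against a revoked token and needless sign-in prompts during an outage.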
How will this impact Google Apps users?
If you have a corporate policy that requires your end users to change their passwords periodically, we recommend letting them know that they will also have to re-authenticate on their mobile devices, or any applications that they may be using to access Google Apps.
All password changes will result in OAuth2 tokens being revoked, whether an end user changes their own password, an admin changes the password on behalf of the end user, or the change is made with tools such as Google Apps Password Sync or other Directory API client applications.
Note: We have received questions from Apps customers on the implications of this policy change, for which we’d like to provide thoughtful responses in advance of the full rollout. As a result, and given the approaching holiday season, we have decided to delay the full rollout of this policy change until early 2016.
Please monitor the launch release calendar for the new launch date and stay tuned for additional communication and answers to frequently asked questions.