Increased Google Security
Posted: 02 Dec 2015 12:22 PM PST
Token revocation itself is not a new feature, as users have always had the ability to revoke access to applications in Security Checkup, and admins have always had this ability in the Google Apps Admin console. This change in our security policy will simply automate the token revocation process.
What products are impacted?
Any application or device sync functionality that uses the OAuth2 authentication method will stop accessing data upon password reset until a new OAuth2 token has been granted by the user by re-authenticating with their Google account username and password. This includes Gmail, Google Calendar, Google Apps Sync for Microsoft Outlook (GASMO), and applications that use certain Google APIs.
For a list of impacted data endpoints and scopes, and any known products that may not sync properly following the policy change, please check out the Help Center.
In the future, we plan to expand the list of Google products and scopes for which tokens will be revoked upon password change, and will provide more details as they become available.
How will this impact Google Apps users?
If you have a corporate policy that requires your end users to change their passwords periodically, we recommend letting them know that they will also have to re-authenticate on their mobile devices, or any applications that they may be using to access Google Apps.
All password changes, such as an end user changing a password, or an admin changing the password on behalf of the end user―or even using tools such as Google Apps Password Sync or other Directory API client applications―will result in OAuth2 tokens being revoked.
This policy change will impact app/device syncing on both the Rapid release and Scheduled release tracks, for all password changes starting December 10, 2015.
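How a sync client can react to the revocation described above, as an added example that is not Google's code: it assumes the token endpoint follows RFC 6749 and answers a refresh request for a revoked grant with HTTP 400 and `invalid_grant`. `TokenStore`, `classify_refresh_reply` and the sample replies are hypothetical names and constructed data.

```python
import json

OK, REAUTH, RETRY, FATAL = "ok", "reauth_required", "retry_later", "fatal"

def classify_refresh_reply(status, body):
    """Map a token-endpoint reply to a refresh request onto a client action."""
    try:
        payload = json.loads(body)
    except ValueError:
        payload = None
    if not isinstance(payload, dict):
        payload = {}
    if status == 200 and payload.get("access_token"):
        return OK
    # RFC 6749 section 5.2: invalid_grant covers a revoked refresh token.
    if status == 400 and payload.get("error") == "invalid_grant":
        return REAUTH
    # Rate limiting and server errors are transient: back off and retry.
    if status == 429 or 500 <= status <= 599:
        return RETRY
    return FATAL

class TokenStore:
    """Hypothetical in-memory credential store for one account."""
    def __init__(self, refresh_token):
        self.refresh_token = refresh_token
        self.access_token = None
        self.needs_reauth = False

    def apply(self, status, body):
        outcome = classify_refresh_reply(status, body)
        if outcome == OK:
            self.access_token = json.loads(body)["access_token"]
        elif outcome == REAUTH:
            # Revoked grant: retrying cannot succeed. Drop both tokens and
            # send the user back through sign-in and consent.
            self.refresh_token = self.access_token = None
            self.needs_reauth = True
        return outcome

# Constructed replies (not captured traffic).
REVOKED = (400, '{"error": "invalid_grant", "error_description": "constructed"}')
OUTAGE = (503, "<html>unavailable</html>")
FRESH = (200, '{"access_token": "constructed-access", "expires_in": 3600}')

def demo():
    store = TokenStore("constructed-refresh")
    results = [store.apply(*OUTAGE), store.apply(*FRESH), store.apply(*REVOKED)]
    return results, store.needs_reauth, store.refresh_token
```

Treating `invalid_grant` as terminal rather than retryable keeps a client from hammering the token endpoint with a dead refresh token after every password change.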