As of October 5, automatic OAuth 2.0 token revocation upon password reset

Pierluigi Paganini September 23, 2016

Google announced a change to its security policy to increase the account security that includes the OAuth 2.0 token revocation upon password reset.

Google has finally announced a new OAuth 2.0 token revocation according to its security policy, the company will roll out the change starting on Oct. 5.

The change to the Google security policy was announced last year by Google, the company explained that OAuth 2.0 tokens would be revoked when a user’s password was changed.

Google decided not to move forward with this change for Apps customers and began working on a more admin-friendly approach.

The company has implemented the OAuth 2.0 authentication protocol in 2012 with the intent of boosting the security of its services like Gmail and Google Talk.

Google aims to improve users’ security limiting the impact on the usability of its application, at least in this first phase so although initially planned for a wider set of applications, the OAuth 2.0 token revocation rule will be limited to the email mail service.

Google confirmed that the App Script tokens and apps installed via the Google Apps Marketplace are not subject to the token revocation.

“To achieve the security benefits of this policy change with minimal admin confusion and end-user disruption, we’ve decided to initially limit the change to mail scopes only, and to exclude Apps Script tokens. Apps installed via the Google Apps Marketplace are also not subject to the token revocation.” reads the Google announcement. “Once this change is in effect, third-party mail apps like Apple Mail and Thunderbird―as well as other applications that use multiple scopes that include at least one mail scope―will stop syncing data upon password reset until a new OAuth 2.0 token has been granted. A new token will be granted when the user re-authorizes with their Google account username and password.”

google-oauth2-0

After the change will be effective, third-party mail applications that include at least one mail scope will no longer sync data when the user password is reset. The data syncing will start again after a new OAuth 2.0 token has been granted.

The change will impact also mobile users, it will affect for example mail applications. The Apple iOS users who use the mail application included in the mobile OS will have to re-authorize it with their Google account credentials when they change their password.

This is nothing new for Gmail apps on both iOS and Android the already require to grant a new OAuth 2.0 token upon password reset, but Google will enforce the change also to third-party apps.

For further information on the new OAuth 2.0 token revocation rule give a look at the post published by Google that includes also a list of FAQ

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – OAuth 2.0, security policy)



you might also like

leave a comment