Google will now revoke OAuth2 tokens for apps if you change your password

by Ashwin, December 5, 2015


Google is rolling out a new security change, which will impact all its users.

Google Security Checkup

The Mountain View company is improving the account security of users, by revoking OAuth 2 tokens in certain scenarios.

For those of you who don’t know what an OAuth 2 token is, here is a brief explanation. Many websites and web services let users sign in with their Google account instead of creating a separate username and password for the service.

What happens is that you are sent to Google to sign in, and Google then shows a consent screen listing the permissions (scopes) the service is requesting from your Google account. This is usually limited to your email address, name and birthday, but some services ask for more.

When you accept, you authorize the service to access that profile information on your behalf, which is what OAuth (open authorization) provides. It is reasonably secure in that you never give the service your password, only a token limited to what you approved, and an added advantage is that you don’t have to fill in a signup form, which may take a few minutes.

Normally you authorize a service only once; it stores its own OAuth token and uses it to act on your behalf from then on. Until now that token stayed valid even after you reset your Google Account password. In ordinary circumstances this is acceptable, but what happens if a device on which you used such a service is stolen? You can revoke tokens manually, app by app, from your account settings, but there was no single step that logged you out of all apps.

That changes today. Google has announced that when a user resets their password, it will automatically revoke the OAuth 2 tokens it had issued to the affected apps. If you have many apps authorized, you will have to sign in to each of them again, but otherwise we think this is an excellent step towards securing the account.

So now if a user loses their device, a simple password reset is enough to cut off the apps on it: the tokens those apps hold stop working, and the next request fails until someone signs in again with the new password. This covers the likes of Gmail, Google Calendar, Google Apps Sync for Microsoft Outlook, and more.
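To make the mechanism concrete, here is a small in-memory model of an OAuth 2 authorization server that revokes tokens when the password changes. It is an added illustration, not Google’s code or a description of its internals: the client ids, the set of clients whose tokens are tied to the password (loosely after the apps named in the article), the scopes and the PBKDF2 parameters are all assumptions made for the example. The walkthrough plays out the stolen-device case: a refresh token already on the phone stops working after the reset, while a client outside the affected list keeps its token and would still need manual revocation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Refresh token unknown or revoked: the OAuth 2 'invalid_grant' error."""


@dataclass
class Grant:
    user: str
    client_id: str
    scopes: tuple
    revoked: bool = False


class AuthServer:
    """Toy authorization server (added example, not Google's implementation)."""

    # Clients whose tokens are bound to the password lifecycle. Assumed for this
    # model; any client id not listed here keeps its tokens across a reset.
    REVOKE_ON_PASSWORD_CHANGE = {"gmail-mobile", "calendar-mobile", "apps-sync-outlook"}

    def __init__(self):
        self._passwords = {}   # user -> (salt, PBKDF2 digest)
        self._grants = {}      # refresh token -> Grant
        self._access = {}      # access token -> refresh token it was minted from

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._hash(password, salt))

    def _check_password(self, user, password):
        salt, digest = self._passwords[user]
        return hmac.compare_digest(digest, self._hash(password, salt))

    def authorize(self, user, password, client_id, scopes):
        """Consent step: the user signs in once and the app receives a
        long-lived refresh token; the app never sees the password."""
        if not self._check_password(user, password):
            raise PermissionError("wrong password")
        refresh_token = secrets.token_urlsafe(32)
        self._grants[refresh_token] = Grant(user, client_id, tuple(scopes))
        return refresh_token

    def refresh(self, refresh_token):
        """Exchange a refresh token for a short-lived access token. A stolen
        device does this silently whenever its access token expires."""
        grant = self._grants.get(refresh_token)
        if grant is None or grant.revoked:
            raise InvalidGrant("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self._access[access_token] = refresh_token
        return access_token

    def is_access_token_valid(self, access_token):
        refresh_token = self._access.get(access_token)
        return refresh_token is not None and not self._grants[refresh_token].revoked

    def revoke(self, refresh_token):
        """Per-app revocation, as from the account's connected-apps page."""
        self._grants[refresh_token].revoked = True

    def change_password(self, user, old_password, new_password):
        """Rotate the password and, in the same step, revoke the grants of
        every affected client. Returns the client ids that were cut off."""
        if not self._check_password(user, old_password):
            raise PermissionError("wrong password")
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._hash(new_password, salt))
        revoked = []
        for grant in self._grants.values():
            if (grant.user == user and not grant.revoked
                    and grant.client_id in self.REVOKE_ON_PASSWORD_CHANGE):
                grant.revoked = True
                revoked.append(grant.client_id)
        return sorted(revoked)


def stolen_device_scenario():
    """Constructed walkthrough: two listed apps on a stolen phone, one website
    outside the list, then a password reset from another device."""
    server = AuthServer()
    server.register_user("alice", "correct horse")
    phone_gmail = server.authorize("alice", "correct horse", "gmail-mobile", ["mail"])
    phone_cal = server.authorize("alice", "correct horse", "calendar-mobile", ["calendar"])
    website = server.authorize("alice", "correct horse", "example-site", ["profile"])
    old_access = server.refresh(phone_gmail)  # the thief already holds this too

    revoked = server.change_password("alice", "correct horse", "battery staple")

    def still_works(token):
        try:
            server.refresh(token)
            return True
        except InvalidGrant:
            return False

    return {
        "revoked_clients": revoked,
        "phone_gmail_works": still_works(phone_gmail),
        "phone_calendar_works": still_works(phone_cal),
        "old_access_token_valid": server.is_access_token_valid(old_access),
        "website_works": still_works(website),  # not on the list: revoke by hand
    }


if __name__ == "__main__":
    print(stolen_device_scenario())
```

The point for an app developer is the `InvalidGrant` branch: after a reset, the next refresh fails with `invalid_grant`, and the client should respond by sending the user back through sign-in rather than retrying with the dead token.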

Google has not yet detailed which products will have their tokens reset in the future, but it says the list of apps will be expanded and that it will announce more details when that happens. Until then, tokens for apps outside the list still have to be revoked manually from the account’s connected-apps settings. The Mountain View company says this security change also affects Google Apps users.