Google automates Apps OAuth token revocation

Tells devs: 'errors are a feature, not a bug'.

Google has refined the security controls available to enterprise Gmail users by automatically killing OAuth 2.0 tokens for Apps when users change passwords.

The changes will land on October 5th and will not affect users unless they change their password.

It is a watered down version of planned security changes offered in December 2015 under which password changes would kill synchronisation with a broader scope of Google's apps and services, something now thought to be too disruptive.

Google Apps executives Michael Winser and Wesley Chun says the revocation feature is already available as a manual option for users.

"Users have always been able to revoke access to applications in Security Checkup, and Google Apps admins have the ability to do the same in the Admin console," the pair say.

"In addition, tokens that were not used for extended periods of time have always been subject to expiration or revocation.

"This change in our security policy will likely increase the rate of revoked tokens that applications see, since in some cases the process will now take place automatically."

Reusing dead tokens will throw errors so Google has urged developers to ensure their applications can handle the changes.

"This change emphasises that token revocation should be considered a normal condition, not an error scenario," the Googlers say. "Your application should expect and detect the condition, and your UI should be optimised for restoring tokens." ®


Biting the hand that feeds IT © 1998–2017