Why does the refresh token for Office365 OAuth2 expire when the password is changed?

I am testing using OAuth2 for MS Office 365 to read calendar events and just read the following in this blog post:

... the refresh token, while long life, becomes invalid at some point. For example, if the user changes their password, the refresh tokens become invalid.

From my experience with other OAuth2 providers, the refresh token shouldn't expire when users change their passwords (isn't that one of the main purposes of the token - to allow password access?).

Am I missing something? What is the reason for the expiration of refresh tokens when the password is changed?

+3


2 answers


A password change can occur after a password breach. Access and refresh tokens may have been issued in the time between the breach and its discovery; these tokens should be revoked and the password reset. To simplify the administration of this (the exact time of the breach can be very difficult to determine), all access rights are revoked and must be explicitly reassigned by the Resource Owner.



0


Usually, users don't change their passwords for no reason. One of the reasons is that the user might think that his password might have been leaked. In this case, it is unclear which of the refresh tokens (logins) are authentic and which belong to the hacker.



-1
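To make the reasoning in both answers concrete, here is an added example (not from the question, the answers, or any Microsoft code): a toy authorization server that rejects every refresh token issued before the user's password change, and a client that reacts to the resulting `invalid_grant` response by discarding its cached token and starting a fresh sign-in. All names, timestamps and response text are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def ts(y: int, m: int, d: int, hour: int = 0) -> datetime:
    """Constructed UTC timestamp helper for the scenario."""
    return datetime(y, m, d, hour, tzinfo=timezone.utc)

@dataclass
class RefreshToken:
    user: str
    issued_at: datetime

@dataclass
class UserRecord:
    name: str
    password_changed_at: datetime  # recorded by the authorization server

def refresh_token_is_valid(token: RefreshToken, user: UserRecord) -> bool:
    """Server side. The server cannot tell which refresh tokens were minted by
    the real user and which by whoever held the leaked password, so it rejects
    every token issued before the password change instead of guessing."""
    return token.user == user.name and token.issued_at >= user.password_changed_at

def token_endpoint(token: RefreshToken, user: UserRecord) -> dict:
    """Stand-in for the token endpoint. A revoked grant is reported with the
    standard OAuth2 'invalid_grant' error (RFC 6749, section 5.2); the
    description is placeholder text, not a real provider message."""
    if refresh_token_is_valid(token, user):
        return {"access_token": "constructed-access-token", "expires_in": 3600}
    return {"error": "invalid_grant", "error_description": "refresh token revoked (placeholder)"}

def refresh_or_reauth(cache: dict, user: UserRecord) -> str:
    """Client side. On invalid_grant, drop the cached refresh token and ask for
    an interactive sign-in; retrying a revoked refresh token never succeeds."""
    stored = cache.get(user.name)
    if stored is None:
        return "reauth_required"
    resp = token_endpoint(stored, user)
    if resp.get("error") == "invalid_grant":
        cache.pop(user.name, None)  # forget the dead token so we stop retrying it
        return "reauth_required"
    return "refreshed"
```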