peterclink / oauth

Automatically exported from code.google.com/p/oauth

Changing password should not invalidate all tokens (optional) #1

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
It should be noted that users should be able to change their passwords with Service Providers without invalidating existing tokens. Password management can be separate from token management.

Original issue reported on code.google.com by chris.messina on 17 Sep 2007 at 6:55

GoogleCodeExporter commented 8 years ago
I'd say "It's up to the service provider." In our case (banking site), invalidating all tokens might be right (I'm not sure, but I could imagine). Likewise for medical applications.

Original comment by marcprec...@gmail.com on 17 Sep 2007 at 7:03

GoogleCodeExporter commented 8 years ago
Maybe best to let the user decide. But the password change form is a good place to remind the user of any permissions they gave out.

Original comment by bslesinsky on 17 Sep 2007 at 4:03
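
The three positions in this thread, sketched as a Service Provider whose token store is independent of its password store. This is an added example, not part of the thread or of the OAuth project's code; `ServiceProvider`, `OnPasswordChange` and every method name are hypothetical, and the in-memory dicts stand in for real storage.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum

class OnPasswordChange(Enum):   # hypothetical policy names, one per position in the thread
    KEEP_TOKENS = "keep"
    REVOKE_ALL = "revoke_all"
    USER_CHOOSES = "user_chooses"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class ServiceProvider:
    policy: OnPasswordChange
    creds: dict = field(default_factory=dict)    # user -> (salt, password hash)
    tokens: dict = field(default_factory=dict)   # token -> (user, consumer); no link to creds

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, _hash(password, salt))

    def check_password(self, user, password):
        salt, stored = self.creds[user]
        return hmac.compare_digest(stored, _hash(password, salt))

    def grant(self, user, consumer):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, consumer)
        return token

    def grants(self, user):
        return sorted({c for u, c in self.tokens.values() if u == user})

    def change_password(self, user, old, new, revoke_consumers=()):
        if not self.check_password(user, old):
            raise PermissionError("current password incorrect")
        self.set_password(user, new)
        doomed = set()                       # KEEP_TOKENS: nothing is revoked
        if self.policy is OnPasswordChange.REVOKE_ALL:
            doomed = set(self.grants(user))
        elif self.policy is OnPasswordChange.USER_CHOOSES:
            doomed = set(revoke_consumers)
        self.tokens = {t: g for t, g in self.tokens.items()
                       if g[0] != user or g[1] not in doomed}
        return self.grants(user)             # remaining grants, for the reminder on the form
```

Under every policy `change_password` returns the grants still in force, so the form can list them to the user after the change.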