Invalidating OAuth 2 access tokens when a user changes their GitHub account password

Consider the following scenario.

  1. A user (User-A) logs into GitHub and creates an OAuth app under developer settings.
  2. User-A can then initiate an OAuth2 web flow to acquire an access token for API access.
  3. User-A then resets his GitHub account password from the GitHub web UI.

In this case, User-A will be able to access GitHub APIs with the same token even after the password reset.
I want to clarify whether it is GitHub's default behavior not to invalidate OAuth access tokens acquired via the OAuth2 web flow after an account password reset.
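As an added illustration (not code from this thread or from GitHub), here is a check an app owner can run after a password reset to confirm whether an older token is still honoured, using GitHub's "check a token" endpoint for OAuth apps (`POST /applications/{client_id}/token`, which answers 200 for a live token and 404 otherwise). The client id, secret and token strings are placeholders, and `FakeOpener` is a constructed offline stand-in for the network so the script runs without credentials.

```python
import base64
import json
import urllib.error
import urllib.request
API = "https://api.github.com"

def build_check_token_request(client_id, client_secret, token):
    """GitHub's 'check a token' call: POST /applications/{client_id}/token,
    authenticated as the OAuth app itself (HTTP Basic client_id:client_secret)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"{API}/applications/{client_id}/token",
        data=json.dumps({"access_token": token}).encode(),
        method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})

def token_is_valid(client_id, client_secret, token, opener=None):
    """True if GitHub still honours the token (HTTP 200); False on HTTP 404,
    which is what GitHub returns for a revoked or invalidated token."""
    opener = opener or urllib.request.build_opener()
    req = build_check_token_request(client_id, client_secret, token)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise  # bad app credentials, rate limiting, etc.: surface, don't guess

class FakeOpener:
    """Constructed offline stand-in for the network (not GitHub's API): 200 for
    tokens still in `live`, 404 for the rest, i.e. the state after a password
    reset has invalidated the older grants."""
    class _Ok:
        status = 200
        def __enter__(self): return self
        def __exit__(self, *exc): return False
    def __init__(self, live):
        self.live = set(live)
    def open(self, req, timeout=None):
        if json.loads(req.data)["access_token"] in self.live:
            return self._Ok()
        raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)

if __name__ == "__main__":
    fake = FakeOpener(live=["gho_after_reset"])  # constructed placeholder tokens
    print(token_is_valid("Iv1.example", "secret", "gho_before_reset", opener=fake))  # False
    print(token_is_valid("Iv1.example", "secret", "gho_after_reset", opener=fake))  # True
```

Against the real API, drop the `opener` argument and pass the app's actual client id and secret; a token minted before the reset should then come back as `False`.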

:wave: @gbidsilva: I’ve asked our engineering team about this and will follow up once I have an update (though I can’t promise a time for when that will be).

@gbidsilva: Our engineers followed up and shared that when a user resets their password, that will invalidate any and all previously created OAuth access grants for that user. I hope this helps!
