So, does changing your password instantly lock out every web-app that I've connected to my Facebook account? Or merely the stupid ones that allow me to ask my Friends what their favorite flavor of ice cream is?
What's glossed over here is that this is only an issue if you're allowed the offline_access extended permission:
From the article:
By default, most access tokens expire after a short time, however the application can request offline access tokens which allow them to use these tokens until you change your password, even when you aren’t logged in.
Further, Facebook explicitly revokes tokens when you change your password.
If the user changes their password, the access token expires or the user deauthorizes your app in the App Dashboard, the Graph API will issue an HTTP 400 and return the error in the body of the response:
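As an added illustration, not code from the thread or from Facebook, here is one way a token issuer can make the behaviour quoted above fall out of the design: every access token records the user's credential version at issue time, a password change bumps that version, and the API rejects any token carrying a stale version with an HTTP 400 and an error body. Short-lived versus offline tokens, and the remove-and-regrant approach mentioned later in the thread (deauthorize the app, then authorize it again), are modelled too. The class, field names, the one-hour lifetime, the JSON error shape and the error messages are all assumptions of this example; nothing here is Facebook's implementation.

```python
import hashlib
import json
import secrets
import time


class TokenIssuer:
    """Toy OAuth-style token issuer (constructed example, not Facebook's code).

    Each token stores the user's credential version at issue time. Changing the
    password increments that version, so every outstanding token, short-lived
    or offline, stops validating without the issuer enumerating them.
    Deauthorizing an app drops its grant, which kills that app's tokens only.
    """

    SHORT_LIVED_SECONDS = 3600  # assumed lifetime for non-offline tokens

    def __init__(self):
        self._users = {}      # user_id -> {"salt", "pw_hash", "cred_version"}
        self._grants = set()  # (user_id, app_id) pairs the user has authorized
        self._tokens = {}     # token -> {"user_id", "app_id", "cred_version", "expires"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._users[user_id] = {"salt": salt,
                                "pw_hash": self._hash(password, salt),
                                "cred_version": 0}

    def authorize_app(self, user_id, app_id):
        self._grants.add((user_id, app_id))

    def deauthorize_app(self, user_id, app_id):
        self._grants.discard((user_id, app_id))

    def change_password(self, user_id, old_password, new_password):
        u = self._users[user_id]
        if not secrets.compare_digest(self._hash(old_password, u["salt"]), u["pw_hash"]):
            return False
        u["salt"] = secrets.token_bytes(16)
        u["pw_hash"] = self._hash(new_password, u["salt"])
        u["cred_version"] += 1  # this one increment invalidates every outstanding token
        return True

    def issue_token(self, user_id, app_id, offline=False, now=None):
        now = time.time() if now is None else now
        if (user_id, app_id) not in self._grants:
            raise PermissionError("app not authorized by user")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "user_id": user_id,
            "app_id": app_id,
            "cred_version": self._users[user_id]["cred_version"],
            "expires": None if offline else now + self.SHORT_LIVED_SECONDS,
        }
        return token

    def graph_call(self, token, now=None):
        """Simulate an API request with a bearer token. Returns (http_status, json_body)."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)

        def reject(message):  # assumed error shape, not Facebook's documented one
            return 400, json.dumps({"error": {"message": message, "type": "OAuthException"}})

        if rec is None:
            return reject("Invalid OAuth access token.")
        if rec["expires"] is not None and now >= rec["expires"]:
            return reject("Access token has expired.")
        if (rec["user_id"], rec["app_id"]) not in self._grants:
            return reject("The user has deauthorized the application.")
        if rec["cred_version"] != self._users[rec["user_id"]]["cred_version"]:
            return reject("Session invalidated because the user changed their password.")
        return 200, json.dumps({"id": rec["user_id"]})


def demo():
    """Walk through the thread's scenarios; returns the HTTP status seen at each step."""
    issuer = TokenIssuer()
    issuer.register_user("alice", "correct horse")
    issuer.authorize_app("alice", "icecream-quiz")
    issuer.authorize_app("alice", "calendar-sync")
    t0 = 1_000_000.0
    quiz = issuer.issue_token("alice", "icecream-quiz", now=t0)               # short-lived
    sync = issuer.issue_token("alice", "calendar-sync", offline=True, now=t0)  # offline_access
    results = {}
    results["quiz_fresh"] = issuer.graph_call(quiz, now=t0)[0]
    results["quiz_after_2h"] = issuer.graph_call(quiz, now=t0 + 7200)[0]  # expired on its own
    results["sync_after_2h"] = issuer.graph_call(sync, now=t0 + 7200)[0]  # offline token still valid
    issuer.deauthorize_app("alice", "icecream-quiz")
    results["sync_after_deauth_other_app"] = issuer.graph_call(sync, now=t0 + 7200)[0]
    issuer.change_password("alice", "correct horse", "battery staple")
    results["sync_after_pw_change"] = issuer.graph_call(sync, now=t0 + 7200)[0]  # now 400
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the version counter is that revocation on password change costs one integer increment rather than a scan of every token ever issued, and it catches offline tokens that would otherwise never expire; an app that gets the 400 has no choice but to send the user back through the authorization flow.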
As far as I know, an OAuth token should be independent of one's password (that is, in fact, their purpose).
If there are OAuth tokens giving excess permission floating around, I assume the proper approach would be to remove permission from your various apps and then give it to them again.
But what do I know? Well, other than Facebook's own documentation and OAuth documentation?
My understanding is that this was a bug with the previous authentication scheme, before they rolled out OAuth. Changing your password revokes old tokens for all authentication schemes and thus mitigates the problem.