Twitter's OAuth has a gaping security hole (shkspr.mobi)
15 points by madmotive on Nov 4, 2009 | hide | past | favorite | 23 comments



That's a feature, not a bug. In twitter as far as I remember you have the opportunity to revoke tokens yourself. It's definitely not a security hole.


It's at the intersection of security and user experience. Changing your password because you think it's been compromised is a different use case from changing your password because you've been using it for years or forgotten it.


At the risk of encouraging Yet Another Warning, would displaying a notice after changing passwords that sites are still authorized be a solution? I'd say that it should have links to more info and to the Connections page, but I despair of users giving up at any sign of warnings.

As looking at the issues with that infamous little "lock" icon to indicate HTTPS shows, security and UX intersections are always difficult.


Possibly display a list of recently authorised sites (and when they were authorised), and make it easy to revoke them without going to another page.

It's difficult because people don't expect another step after they've changed their password, and (I'd guess) wouldn't immediately understand the need for it.

Perhaps the answer is Yet Another Configuration Setting: the default option revokes all site authorisations when you change your password; the alternate option allows (but forces) you to think about it.


Many people cannot understand the difference between a browser and an OS or the difference between Firefox and IE. How can we expect them to manage their OAuth tokens? When OAuth was first written many SITES did not even have it implemented correctly (Myspace is a notable example.)

In general, having the average naive user administer any aspect of security beyond choosing a "secure" password is a naive expectation. You can't afford to have both parties acting naively when it comes to Internet security. For this (non-naive) audience, managing OAuth tokens makes sense and Twitter can afford to be naive. For the rest of the Internet audience this approach is probably more dangerous than convenient.


Argh, why do we vote up this crude sensationalist crap?


I think it is possible to criticize in a more civilized and conversant manner. Moreover it is expected from users at HN.


Calling a person "crap" is uncivilized. Calling a story "crap" is just blunt.


What approaches do other OAuth providers take to this problem? Revoking all OAuth tokens on a password change/reset takes away a good chunk of the value that many people get from using OAuth.


Every OAuth site has a "log in with Twitter" feature, correct? Maybe Twitter could organize things such that, when you change your password, you're automatically logged out of every OAuth site?


Agreed, but would it be difficult to add a checkbox marked "revoke all permissions to use my account from all applications" to the reset password menu?


That's overkill. Perhaps, one day, there will be a need to suspend all OAuth authorizations while a rogue app is identified.


Along the same lines, if you build a twitter app that uses OAuth and change the access from read to read/write, the OAuth tokens never change and won't work if you try to do a write operation. Even if you log out and log back in manually. More problematic, the error is '401 - Unauthorized', blah.

The work around recommended by Twitter? Register a new twitter app that is read/write from the get go. :(
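The two mechanics argued about in this thread, revoking every app authorisation when the password changes (with the opt-out setting proposed above) and the fact that a token's scope is fixed at the moment the user granted it, so an app that later upgrades from read to read/write still holds read-only tokens, both come down to what an OAuth provider records per token. The following is an added example, not code from Twitter or from the linked article; the class, method and account names are invented for illustration, and the "accounts" and "apps" are constructed test data.

```python
"""Toy OAuth-provider token store showing password-change revocation and
fixed-at-grant scope.  Constructed illustration; names are hypothetical."""
import hashlib
import secrets
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when a token is unknown, revoked, or lacks the needed scope (the '401')."""


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    # Bumped on every password change; each token records the value it was issued under.
    password_generation: int = 0
    # The proposed "Yet Another Configuration Setting": revoke on change by default.
    revoke_tokens_on_password_change: bool = True


@dataclass
class AccessToken:
    account: str
    app: str
    scope: frozenset              # what the user granted; never silently widened later
    issued_at_generation: int
    revoked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TokenStore:
    def __init__(self):
        self.accounts = {}   # username -> Account
        self.tokens = {}     # bearer token string -> AccessToken

    def create_account(self, username, password, revoke_on_change=True):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(
            username, salt, _hash_password(password, salt), 0, revoke_on_change)

    def login(self, username, password) -> bool:
        acct = self.accounts[username]
        return secrets.compare_digest(acct.password_hash,
                                      _hash_password(password, acct.salt))

    def authorize(self, username, app, scope) -> str:
        """User grants `app` the listed scope; returns a fresh bearer token.
        Widening an app's access means coming back here: existing tokens keep their scope."""
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)
        self.tokens[token] = AccessToken(username, app, frozenset(scope),
                                         acct.password_generation)
        return token

    def check(self, token: str, needed: str) -> AccessToken:
        """Resource-server side: validate the token for one required scope."""
        rec = self.tokens.get(token)
        if rec is None or rec.revoked:
            raise Unauthorized("token unknown or revoked")
        if needed not in rec.scope:
            raise Unauthorized(f"token lacks scope {needed!r}; re-authorize to widen it")
        return rec

    def live_authorizations(self, username):
        """Apps still holding access; what a post-password-change notice would list."""
        return sorted((t.app, t.issued_at_generation)
                      for t in self.tokens.values()
                      if t.account == username and not t.revoked)

    def change_password(self, username, new_password):
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.password_generation += 1
        if acct.revoke_tokens_on_password_change:
            for t in self.tokens.values():
                if t.account == username:
                    t.revoked = True
        return self.live_authorizations(username)

    def revoke_app(self, username, app) -> int:
        """Manual revocation from a 'Connections' page; returns tokens revoked."""
        n = 0
        for t in self.tokens.values():
            if t.account == username and t.app == app and not t.revoked:
                t.revoked = True
                n += 1
        return n
```

With the default policy, `change_password` leaves `live_authorizations` empty, so the "Eve keeps using Alice's token" scenario is closed; with the opt-out it returns the surviving apps, which is exactly the list the notice proposed earlier in the thread would display. Either way a read-only token fails `check(token, "write")` until the user authorizes again, which is the read/write upgrade problem described above.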


I guess I don't quite follow the logic here, though I'm not advanced in the ways of the web yet.

When you connect to a site with OAuth, doesn't it require that you a) sign in using Twitter or b) are already signed in using Twitter? I would think this is necessary, otherwise people with multiple Twitter accounts, each of which use the same OAuth site, would end up with a lot of confusion.

So given this, Eva would have to a) sign in to Alice's Twitter account, which she can't do because Alice changed her password, or b) continue to be signed into Alice's Twitter account, while Alice changes her password, which would also be a security compromise of Twitter in general, no need to get into OAuth at that point.

Did I crack this thing or did I miss something?


Seriously though, why do all the security examples and scenarios always involve an Alice and a Bob?

And why is Alice always the bad guy (or chick)?



You need to read Applied Cryptography.


Or, better yet, any other book on cryptography; Applied might be the worst crypto book available.


Can you recommend a better one?


Practical Cryptography, Ferguson and Schneier. Written partly as penance for Applied Cryptography.


Good question. Where did Carol the cheater and Eve the eavesdropper get to?


Just like every programming example has a foo and a bar.


Summary: No, it doesn't.



