Hi Terence,
Great to hear these thoughts. What approaches do other OAuth providers take to this problem? Revoking all OAuth tokens on a password change/reset takes away a good chunk of the value that many people get from using OAuth.
Maybe making 'revoke all' an option for users after a password reset would improve the situation.