Hi Terence,

Great to hear these thoughts. What approaches do other OAuth providers take to this problem? Revoking all OAuth tokens on a password change/reset takes away a good chunk of the value that many people get from using OAuth.

Maybe making 'revoke all' an option for users after a password reset would improve the situation.