Changing password should not invalidate all tokens (optional)

[GoogleCodeExporter]

It should be noted that users should be able to change their passwords with 
Service Providers 
without invalidating existing tokens. Password management can be separate from 
token 
management.

Original issue reported on code.google.com by chris.messina on 17 Sep 2007 at 6:55

[GoogleCodeExporter]

I'd say "It's up to the service provider."  In our case (banking site), 
invalidating
all tokens might be right (I'm not sure, but I could imagine).  Likewise for 
medical
applications.

Original comment by marcprec...@gmail.com on 17 Sep 2007 at 7:03

[GoogleCodeExporter]

Maybe best to let the user decide.  But the password change form is a good 
place to
remind the user of any permissions they gave out.

Original comment by bslesinsky on 17 Sep 2007 at 4:03