If SSO is not enabled: Tokens will not be revoked, but if the user tries to refresh them while the password reset is required the error below will be thrown.
{ “error”: “password_reset_required”, “error_description”: “User needs to reset password” }
If SSO is enabled: Tokens will not be revoked, but if the user tries to refresh them while the password reset is required the error below will be thrown. You will receive an error whether you try to login with your Box password or with SSO credentials.
{ “error”: “password_reset_required”, “error_description”: “User needs to reset password” }
If SSO is required: Tokens will not be revoked. Users will be allowed to refresh tokens without issue. This is because Box has no way of knowing whether a user's SSO password is expired or not. The only way to stop this is to manually revoke the tokens or make the user “inactive”.
platform_swarm_kb