How authorized access works
Important: OAuth 1.0 2LO was entirely deprecated on October 20, 2016. The easiest way to migrate to the new standard is to use OAuth 2.0 service accounts with domain-wide delegation.
When your users install an app from the Google Workspace Marketplace, a page comes up asking them to agree to the terms of service of the application and to grant the application access to the data for their Google service. When the user grants access, it's recorded through a 3-legged OAuth access token. (For more details about how authorized access works with Google Workspace, see the diagram on how 3-legged OAuth works with G Suite.)
Once a 3-legged OAuth 2.0 token is revoked for an application (for a particular user), then the application cannot access that user's information until the user reinstalls this application and reauthorizes a 3-legged OAuth 2.0 token for that app. The Security page allows you to see all active 3-legged OAuth 2.0 tokens for a given user for a given application. The token listing and revocation is by user by app.
To increase account security for users of your Google service, OAuth 2.0 tokens issued for access to certain products are revoked when a user's password is changed.
Some applications that use the OAuth 2.0 authentication method to access certain products stop accessing data when a user's password is reset.
What's the difference between 2-legged OAuth and 3-legged OAuth?
Traditionally with Google, 2-legged OAuth is for administrator-managed applications, in that an administrator grants access to an application like Tripit to access data for the Google service for ALL users in their domain. Common data requested for access include: Groups Provisioning, User Provisioning, Calendar, and Contacts.
3-legged OAuth usually refers to user-managed applications, where a user in a domain can download individual apps from the G Suite Marketplace and install them with their managed Google account. However, the security section lets you see which 3rd-party applications your users have granted access to their Google data, and gives you the ability to revoke 3-legged OAuth 2.0 tokens.