It appears that refresh tokens are not expired when the password is reset
via the password reset email. This seems to work when resetting the
password from the account self-maintenance console, but not the recovery
email.
I'm imagining a case where, if I've been told by an administrator to reset
my password (because the account/password was compromised) and I have not
used the service in some time and so change my password using the "Forgot
Password" email, I would assume my password has been changed and my account
now secured. I wouldn't know that I needed to change it again from the
self-maintenance console in order to clear out logged in sessions.
I'm wondering what everyone else thinks about this.
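As an added illustration (not code from this thread or from any particular identity provider), the following model shows the behaviour the post describes and the usual fix: each account carries a token version, every refresh token records the version current when it was issued, and the refresh endpoint rejects tokens whose version no longer matches. A reset path that rotates the password without bumping that version leaves old sessions alive; the console path and the corrected e-mail path both bump it. Names such as `IdentityService`, `token_version` and `reset_password_by_email` are assumptions for this example.

```python
"""Minimal model of refresh-token revocation on password reset.

Added illustration, not code from the forum or any identity provider. It
assumes a per-account 'token version' (sometimes called a session
generation): issued refresh tokens carry the version current at issue time,
and the refresh endpoint rejects tokens whose version no longer matches.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    token_version: int = 0
    # one-time codes delivered by the "forgot password" e-mail (constructed, in-memory)
    reset_codes: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class RefreshToken:
    user: str
    version: int   # token_version at the time of issue
    secret: str    # opaque random part; the lookup key in a real token store


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(_hash_password(password, salt), salt)

    def _verify(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    def login(self, user: str, password: str) -> Optional[RefreshToken]:
        acct = self.accounts[user]
        if not self._verify(acct, password):
            return None
        return RefreshToken(user, acct.token_version, secrets.token_urlsafe(16))

    def refresh(self, token: RefreshToken) -> bool:
        """True if the refresh token is still valid (a new access token would be minted)."""
        acct = self.accounts.get(token.user)
        return acct is not None and token.version == acct.token_version

    def _set_password(self, acct: Account, new_password: str) -> None:
        acct.salt = os.urandom(16)
        acct.password_hash = _hash_password(new_password, acct.salt)

    # --- the two reset paths the post contrasts ---------------------------

    def change_password_console(self, user: str, old: str, new: str) -> bool:
        """Self-service console: verify the current password, rotate it, revoke sessions."""
        acct = self.accounts[user]
        if not self._verify(acct, old):
            return False
        self._set_password(acct, new)
        acct.token_version += 1   # every outstanding refresh token now fails refresh()
        return True

    def issue_reset_code(self, user: str) -> str:
        code = secrets.token_urlsafe(16)
        self.accounts[user].reset_codes.add(code)
        return code

    def reset_password_by_email(self, user: str, code: str, new: str,
                                revoke_sessions: bool) -> bool:
        """Forgot-password flow. With revoke_sessions=False it reproduces the
        behaviour the post describes: the password changes but sessions survive."""
        acct = self.accounts[user]
        if code not in acct.reset_codes:
            return False
        acct.reset_codes.discard(code)   # one-time use
        self._set_password(acct, new)
        if revoke_sessions:
            acct.token_version += 1
        return True


def demo(revoke_on_email_reset: bool) -> bool:
    """Return whether a refresh token issued before an e-mail reset still works afterwards."""
    svc = IdentityService()
    svc.register("alice", "old-password")
    old_token = svc.login("alice", "old-password")   # session the user expects the reset to end
    code = svc.issue_reset_code("alice")
    assert svc.reset_password_by_email("alice", code, "new-password", revoke_on_email_reset)
    return svc.refresh(old_token)


if __name__ == "__main__":
    print("old token still refreshes after e-mail reset, no revocation:", demo(False))
    print("old token still refreshes after e-mail reset, with revocation:", demo(True))
```

The detection-side check falls out of the same design: a refresh request arriving with a version older than the account's current one is exactly the event worth logging, since it is a session that should have died with the credential change.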