For whoever looks at this, it sounds like an issue with oauth being cached either by sorcery or by google itself. IIRC, sorcery is only looking at the response from google, so if google doesn't realize a user changed their password and reset all their auth cookies, a user would be able to still login using the information from the last time they logged in. If sorcery uses similar cookies, that could also be the point of failure.

@athix any thoughts on reproducing/checking this?

@Ch4s3, I'm not sure if I'll have time to try this myself, but here's what I'd do to try and replicate:

1. Setup simple test app using Sorcery, and a google account to use for authentication.
2. Create account on test app using google credentials.
3. Verify the account works by logging in and back out at least 3 times. (Preferably each time on a different browser, perhaps chrome safari and firefox)
4. Go to your google account and change your password.
5. Attempt to log into test app. It should fail. If not, investigate console log.
   • Make sure to use a browser that you already logged into before with, if that succeeds then try a different browser, or incognito mode. (If it fails on another browser, then it's definitely a caching issue)