Thank you for this wonderful deep dive! Saved us hours of debugging.
For fellow debuggers, it’s worth noting that things have changed a bit since this post, and as of October 2016, this issue also affects some Google Apps users:
“Today, we’re announcing that in order to better protect users, we are increasing account security for enterprise Gmail users effective October 5, 2016. At this time, a new policy will take effect whereby users in a Google Apps domain, while changing their passwords on or after this date, will result in the revocation of the OAuth 2.0 tokens of apps that access their mailboxes using Gmail-based authorization scopes.”
So Google Apps users are no longer immune from password changes triggering revocation of OAuth tokens (at least when those tokens have Gmail-based scopes).