Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add informative text clarifying that servers may use complex logic to determine where to redirect to #4

Open
craigfrancis opened this issue Nov 14, 2018 · 4 comments

Comments

Projects
None yet
4 participants
@craigfrancis
Copy link

commented Nov 14, 2018

As this is to change a password for an existing account, and not for a forgotten password.

If the user is not currently logged on, I assume it's acceptable to redirect to the login page first, then on successful login, redirect to the change password form?

@junderw

This comment has been minimized.

Copy link

commented Dec 8, 2018

This is a pretty big problem... Having a unified link is useless if there's no direction on login pages and redirects.

I think the goal of this proposal is to make it easier for password managers to implement "auto-change-password" type features for all sites instead of having to implement on a site-by-site basis where it might change.

If so, some things are missing:

  1. If user is not logged in and they access the URL, what should the server reply with? This should be specific: what response code? What should the id elements of the username and password be? What should the id of the form for submission be?
  2. What should the id attributes of the old password, new password, and new password repeat boxes be? What should be the id of the form be?

This should allow the goal of automation for password managers to succeed.

@leonklingele

This comment has been minimized.

Copy link

commented Dec 8, 2018

Why not simply require /.well-known/change-password to redirect to the login page including a redirect query param if the user is not logged in? For example, /.well-known/change-password would redirect to /login?redirect_url=/user/change-password which will in turn redirect to the Change password page on successful login.

If I understood the proposal correctly there is no need for a special response code. Password managers check for the existence of that well-known URL endpoint and if it does exist, open it in a browser. Auto-filling in the credentials when being redirected to a login page could then be done just as usual.

@hober hober added the editorial label Dec 11, 2018

@hober

This comment has been minimized.

Copy link
Collaborator

commented Dec 11, 2018

As with any other request a web server handles, the server is free to use whatever logic it wants to when determining where to redirect to. This spec doesn't need to make any additional normative statements for this; it's just inherent in how HTTP etc. work.

I'll add informative text clarifying this.

@hober hober self-assigned this Dec 11, 2018

@hober hober changed the title Confirming what happens with a login Add informative text clarifying that servers may use complex logic to determine where to redirect to Dec 11, 2018

@hober

This comment has been minimized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.