Add informative text clarifying that servers may use complex logic to determine where to redirect to #4

Open
craigfrancis opened this issue Nov 14, 2018 · 4 comments
Labels
editorial The requested change is non-normative

Comments

@craigfrancis

This is to change a password for an existing account, and not for a forgotten password.

If the user is not currently logged on, I assume it's acceptable to redirect to the login page first, then on successful login, redirect to the change password form?

@junderw

junderw commented Dec 8, 2018

This is a pretty big problem... Having a unified link is useless if there's no direction on login pages and redirects.

I think the goal of this proposal is to make it easier for password managers to implement "auto-change-password" type features for all sites instead of having to implement on a site-by-site basis where it might change.

If so, some things are missing:

  1. If the user is not logged in and they access the URL, what should the server reply with? This should be specific: what response code? What should the id elements of the username and password be? What should the id of the form for submission be?
  2. What should the id attributes of the old password, new password, and new password repeat boxes be? What should the id of the form be?

This should allow the goal of automation for password managers to succeed.

@leonklingele

leonklingele commented Dec 8, 2018

Why not simply require /.well-known/change-password to redirect to the login page including a redirect query param if the user is not logged in? For example, /.well-known/change-password would redirect to /login?redirect_url=/user/change-password which will in turn redirect to the Change password page on successful login.

If I understood the proposal correctly there is no need for a special response code. Password managers check for the existence of that well-known URL endpoint and if it does exist, open it in a browser. Auto-filling in the credentials when being redirected to a login page could then be done just as usual.
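The redirect chain described in the two comments above, sketched as server-side routing. This is an added example, not code from the spec or from anyone in this thread; the paths /login and /user/change-password and the redirect_url parameter name are assumptions taken from the comment above, and the session handling is a stand-in for whatever the real site uses. One caveat a practitioner would add to the redirect_url pattern: the post-login redirect must only honour same-origin paths, otherwise the login page becomes an open redirector, so the example validates the target before following it.

```python
"""Hypothetical routing for /.well-known/change-password (added example).

Assumptions (not from the spec): the real form lives at /user/change-password,
the login form at /login, and the login form carries a redirect_url query
parameter naming where to go after a successful login.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

WELL_KNOWN = "/.well-known/change-password"
LOGIN = "/login"                        # assumed login page
CHANGE_PASSWORD = "/user/change-password"  # assumed location of the real form
REDIRECT_CODES = (301, 302, 303, 307, 308)


def is_safe_local_path(target):
    """Accept only a same-origin absolute path (optionally with a query).

    Rejects anything a browser could treat as another origin or mangle:
    'https://evil.example', '//evil.example', '/\\evil.example', and targets
    carrying a scheme, an authority, or control characters.
    """
    if not isinstance(target, str) or not target.startswith("/"):
        return False
    if target.startswith("//") or "\\" in target:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def login_redirect(next_path):
    """Build the login URL that remembers where to continue afterwards."""
    return LOGIN + "?" + urlencode({"redirect_url": next_path})


def route(path, query, session):
    """Handle one GET; returns (status, headers).

    `session` is the server-side session dict; a truthy 'user' key means
    the browser is already logged in.
    """
    if path == WELL_KNOWN:
        if session.get("user"):
            return 302, {"Location": CHANGE_PASSWORD}
        # Not logged in: bounce through login, then on to the form.
        return 302, {"Location": login_redirect(CHANGE_PASSWORD)}
    if path == LOGIN:
        return 200, {"Content-Type": "text/html"}  # render the login form
    if path == CHANGE_PASSWORD:
        if not session.get("user"):
            return 302, {"Location": login_redirect(CHANGE_PASSWORD)}
        return 200, {"Content-Type": "text/html"}  # render the change form
    return 404, {}


def after_login(query, session, user):
    """Called once POSTed credentials verify.

    Marks the session as logged in and honours redirect_url only when it is
    a local path; anything else falls back to the site root.
    """
    session["user"] = user
    target = parse_qs(query).get("redirect_url", [""])[0]
    if is_safe_local_path(target):
        return 303, {"Location": target}
    return 303, {"Location": "/"}


def walk(path, session, credentials=None, limit=6):
    """Simulate a client (e.g. a password manager opening the well-known URL).

    Follows redirects; if it lands on the login page and has credentials it
    logs in once and continues. Returns the list of URLs visited.
    """
    visited = []
    for _ in range(limit):
        visited.append(path)
        parts = urlsplit(path)
        status, headers = route(parts.path, parts.query, session)
        if status in REDIRECT_CODES:
            path = headers["Location"]
            continue
        if parts.path == LOGIN and credentials:
            status, headers = after_login(parts.query, session, credentials)
            credentials = None
            path = headers["Location"]
            continue
        return visited
    raise RuntimeError("redirect loop")


if __name__ == "__main__":
    print(walk(WELL_KNOWN, {}, credentials="alice"))   # anonymous, then logs in
    print(walk(WELL_KNOWN, {"user": "alice"}))         # already logged in
    print(after_login("redirect_url=//evil.example/x", {}, "bob"))
```

Running the module shows the anonymous case going well-known URL, login page, change-password form, while the logged-in case skips the login hop; an off-origin redirect_url is dropped in favour of "/" rather than followed.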

@hober hober added the editorial The requested change is non-normative label Dec 11, 2018
@hober
Member

hober commented Dec 11, 2018

As with any other request a web server handles, the server is free to use whatever logic it wants to when determining where to redirect to. This spec doesn't need to make any additional normative statements for this; it's just inherent in how HTTP etc. work.

I'll add informative text clarifying this.

@hober hober self-assigned this Dec 11, 2018
@hober hober changed the title Confirming what happens with a login Add informative text clarifying that servers may use complex logic to determine where to redirect to Dec 11, 2018