Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/w3c/webappsec-change-password-url

A Well-Known URL for Changing Passwords
https://github.com/w3c/webappsec-change-password-url

Last synced: 4 days ago
JSON representation

A Well-Known URL for Changing Passwords

Host: GitHub
URL: https://github.com/w3c/webappsec-change-password-url
Owner: w3c
License: other
Created: 2018-11-13T21:05:15.000Z (about 6 years ago)
Default Branch: main
Last Pushed: 2024-06-03T20:15:47.000Z (8 months ago)
Last Synced: 2025-01-08T01:15:26.019Z (11 days ago)
Language: Bikeshed
Homepage: https://w3c.github.io/webappsec-change-password-url/
Size: 89.8 KB
Stars: 900
Watchers: 25
Forks: 27
Open Issues: 16
Metadata Files:
- Readme: README.md
- Changelog: change-password-url.bs
- Contributing: CONTRIBUTING.md
- License: LICENSE.md
- Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

awesome-github-star - webappsec-change-password-url - Known URL for Changing Passwords | w3c | 882 | (Bikeshed)

README

# A Well-Known URL for Changing Passwords

## Table of Contents

- [Proposal](#proposal)
- [Frequently Asked Questions](#frequently-asked-questions)
- [Why not allow sites to override this location with an HTTP Link header or an HTML `link` element?](#why-not-allow-sites-to-override-this-location-with-an-http-link-header-or-an-html-link-element)
- [Why not serve a JSON resource with links to other account management functions?](#why-not-serve-a-json-resource-with-links-to-other-account-management-functions)
- [What tools have implemented this feature?](#what-tools-have-implemented-this-feature)
- [What about servers whose HTTP response codes are unreliable?](#what-about-servers-whose-http-response-codes-are-unreliable)

Currently, if the user of a password manager would like to change their password on `example.com`, basically all the password manager can do is load `example.com` in a browser tab and hope the user can figure out how to update their password themselves.

The goal of this [specification](https://w3c.github.io/webappsec-change-password-url/) is to do the simplest possible thing to improve this situation, by defining the /.well-known/change-password [well-known resource](https://tools.ietf.org/html/rfc5785).

## Proposal

`example.com` provides a `/.well-known/change-password` resource which redirects to their change password form, wherever it happens to already be.

Password managers check for the existence of `/.well-known/change-password` on `https://example.com`.

If it's there (the response code is `2xx` or `3xx`), the password manager can cause the user's browser to navigate there when the user indicates they'd like to change their password.

That's it, really. It's a pretty simple idea.

## Frequently Asked Questions

### Why not allow sites to override this location with an HTTP Link header or an HTML `link` element?

Implementation complexity. (This would require keeping site-specific state client-side, verifying & invalidating said state periodically, etc.)

### Why not serve a JSON resource with links to other account management functions?

Specification complexity. If we determine we need other account management well-known resources in the future, we can specify them then.

### What tools have implemented this feature?

* iCloud Keychain on iOS 12
* Safari 12
* 1Password (1Password 8 and 1Password for Chrome, Firefox, Edge and macOS Safari)
* Chrome 86
* [Backdrop CMS](https://backdropcms.org/), via the [Well-known module](https://backdropcms.org/project/well_known).

### What about servers whose HTTP response codes are unreliable?

Sometimes, HTTP servers are configured to respond `200 OK` for resources that really aren't there. The [Detecting the reliability of HTTP status codes](https://w3c.github.io/webappsec-change-password-url/response-code-reliability.html) draft attempts to address this problem.