Closed karenetheridge closed 4 years ago
current state: force_password_change=true will return a Location: /user/me/password header.

Therefore it is safe to create a user with force_password_change=true, so the password on user creation is now just a temporary password.

When creating a new user, force_password_change should be set to true on the user record.

When a user with this flag logs in, we are presently returning HTTP 200 with a Location header pointing to /user/me/password. Clients are not currently handling this condition, therefore if a change is made now, new users will be unable to use clients at all, therefore defer this fix until after 3.0.0.
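
One way a client could handle the login response described above, added here as an example and not code from the project or its clients. The function name, the return values and the host in the usage are assumptions; only the `/user/me/password` path and the 200-plus-Location behaviour come from the issue.

```python
from urllib.parse import urljoin, urlsplit

PASSWORD_CHANGE_PATH = "/user/me/password"  # path named in the issue


def login_outcome(base_url, status, headers):
    """Classify a login response (hypothetical client helper).

    Returns ("ok", None), ("change_password", absolute_url) or ("failed", None).
    """
    if status != 200:
        return ("failed", None)

    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location")
    if location is None:
        return ("ok", None)

    # HTTP libraries do not follow a Location header on a 200 response,
    # so resolve it by hand against the API base URL.
    target = urljoin(base_url, location)
    base, dest = urlsplit(base_url), urlsplit(target)

    # Honour the header only when it stays on the same origin and names the
    # password endpoint. Anything else is treated as a failed login here
    # (a design choice of this example) rather than continuing to use a
    # temporary password.
    same_origin = (base.scheme, base.netloc) == (dest.scheme, dest.netloc)
    if same_origin and dest.path == PASSWORD_CHANGE_PATH:
        return ("change_password", target)
    return ("failed", None)


if __name__ == "__main__":
    # Constructed response: temporary password accepted, change required.
    print(login_outcome("https://api.example.test", 200,
                        {"Location": "/user/me/password"}))
```

A client that receives `change_password` should prompt for a new password and submit it to the returned URL before making any other request.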