opws / opws-dataset

Profiles for the user account systems of various sites.
Open Data Commons Open Database License v1.0

Moving password.reset.url to password.reset.flow.request.url #220

Closed stuartpb closed 7 years ago

stuartpb commented 7 years ago

Per https://github.com/opws/domainprofiles/issues/127#issuecomment-278180032 and https://github.com/opws/domainprofiles/issues/137#issuecomment-280197246 - password.reset.url meaning what it does is going to get more and more awkward due to its non-specificity, as more siblings (heck, password.reset.flow.request.form) get attached to reset request. url should live alongside these descriptions.

As for defining a general password.reset.url alongside the one under flow.request... I'm against it, actually. The comment in #127 noted that eliminating url at that higher level would make it so general, non-flow-request password reset URLs would get shaken out, but my thinking now is that if there's some kind of password reset that isn't flow or one of the specced alternatives, it needs to be handled in a way that will adequately convey what this specified URL is for - just saying "if you want password reset, here's your guy" catching all, for some reset mechanism so alien that it doesn't fit into the existing generalizations defined in the schema, is a bad idea. (Even if something like that eventually becomes a thing, it'd have to be specified under some other flow-alternative clarifying that it is definitely not flow-like, like password.reset.esoteric.url or password.reset.special.begin.url).

stuartpb commented 7 years ago

Like, Wells Fargo has a password reset design that isn't flow-like, and putting that info in a flow-like structure will cause real problems for use cases like Nilpass (it should really be documented in a PR comment until a real general-schema-branch can be specified to handle it, or kicked into a notes-like description). So, yeah, I'm down with this issue's logic.

Putting this on v0.1.0.

stuartpb commented 7 years ago

The thing is, Wells Fargo needs an alternative, because I've already documented it.

I'm going to call it replacement, because it involves a lot of secrets being provided as a replacement for the password (though, of course, this "replacement" isn't strictly adequate, as it's still "something you know" and not "something you have" or "something you are").

It also reminds me of filing for a replacement debit card.

stuartpb commented 7 years ago

Note that this wasn't really finished off until #246.
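The relocation this issue asks for, written out as an added example (not code from the opws-dataset repository, and not the migration the project actually ran): a profile is assumed to be loaded as nested Python dicts (the YAML/JSON loader is out of scope), `password.reset.url` is moved to `password.reset.flow.request.url`, and a conflict between an old and an already-present new value raises instead of being silently resolved. The sample profiles are constructed for the example and are not real site data.

```python
"""Relocate the legacy ``password.reset.url`` field to
``password.reset.flow.request.url`` in a profile held as nested dicts.

Added example for issue #220; not code from the opws-dataset repository.
Assumes profiles are parsed into plain Python dicts (e.g. from YAML/JSON).
"""
import copy

LEGACY_PATH = ("password", "reset", "url")
NEW_PATH = ("password", "reset", "flow", "request", "url")


def _get(profile, path):
    """Walk a dotted path; return None if any segment is missing."""
    node = profile
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _set(profile, path, value):
    """Set a value at a dotted path, creating intermediate dicts as needed."""
    node = profile
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def migrate_reset_url(profile):
    """Return (new_profile, changed) without mutating the input.

    * No legacy key: profile returned unchanged, changed=False.
    * Destination already holds the same value: legacy key is just dropped.
    * Destination holds a different value: ValueError, because picking one
      silently would hide a real inconsistency in the data.
    """
    result = copy.deepcopy(profile)
    legacy = _get(result, LEGACY_PATH)
    if legacy is None:
        return result, False
    existing = _get(result, NEW_PATH)
    if existing is not None and existing != legacy:
        raise ValueError(
            f"conflict: password.reset.url={legacy!r} vs "
            f"password.reset.flow.request.url={existing!r}"
        )
    _set(result, NEW_PATH, legacy)
    del result["password"]["reset"]["url"]
    return result, True


def find_legacy_reset_url(profiles):
    """Names of profiles that still carry the deprecated field."""
    return sorted(name for name, p in profiles.items()
                  if _get(p, LEGACY_PATH) is not None)


# Constructed sample profiles (hypothetical data, not real site profiles).
SAMPLE_PROFILES = {
    "example.com": {
        "password": {"reset": {
            "url": "https://example.com/forgot",
            "flow": {"request": {"form": {"fields": ["email"]}}},
        }}
    },
    "already-migrated.example": {
        "password": {"reset": {"flow": {"request": {
            "url": "https://already-migrated.example/reset"}}}}
    },
    "no-reset.example": {"password": {"min_length": 8}},
}

if __name__ == "__main__":
    print("still legacy:", find_legacy_reset_url(SAMPLE_PROFILES))
    for name, p in SAMPLE_PROFILES.items():
        migrated, changed = migrate_reset_url(p)
        print(name, changed, _get(migrated, NEW_PATH))
```

One caveat follows directly from the discussion above: a script like this cannot tell a flow-like reset from a non-flow one (the Wells Fargo case), so any profile whose reset the maintainers know is not flow-like should be excluded from the batch and moved by hand to whatever alternative (such as replacement) the schema ends up defining.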