w3c / webappsec-change-password-url

A Well-Known URL for Changing Passwords
https://w3c.github.io/webappsec-change-password-url/

Clarify that redirects should be followed to resolve the Change Password URL #15

Open rmondello opened 5 years ago

rmondello commented 5 years ago

Today, we have this:

Clients must handle such redirects when requesting a change password url.

We should better clarify that resolving the Change Password URL may require following more than one redirect. For instance:

https://example.com/.well-known/change-password may redirect to https://www.example.com/.well-known/change-password which may redirect to https://www.example.com/actual-change-password-page

If a client only followed a single redirect, they’d be misled. This came up in issue #14.

dougwaldron commented 3 years ago

Should redirects from "http" to "https" be followed? I assume any client implementation would only use "https", but if my server is set up to redirect all "http" requests to "https" (before any other redirects), would that ever be a problem?
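An added example, not code from the thread or from the specification, showing the kind of client-side resolution the issue describes: start at the well-known path, follow a chain of more than one redirect (including a relative Location), and stop at the first non-redirect response. The hop cap of 10, the refusal to follow any redirect to a non-https URL, the injected `fetch` callable, and the hosts `downgrade.example`, `loop.example` and `nothing.example` in the constructed response table are all choices and assumptions of this example; the spec text quoted in the issue states no hop limit or scheme policy.

```python
from urllib.parse import urljoin, urlsplit

WELL_KNOWN_PATH = "/.well-known/change-password"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 10  # assumed cap for this example; the spec text quoted above sets none


class ResolutionError(Exception):
    """Raised when the Change Password URL cannot be resolved safely."""


def resolve_change_password_url(origin, fetch, max_redirects=MAX_REDIRECTS):
    """Resolve the Change Password URL for `origin` by following redirects.

    `fetch(url)` is an injected callable returning (status, headers) so the
    example runs offline; a real client would issue an HTTPS request.
    Returns the final URL, i.e. the page the client should open.
    """
    url = urljoin(origin, WELL_KNOWN_PATH)
    visited = []
    # One initial request plus up to max_redirects follow-ups.
    for _ in range(max_redirects + 1):
        if urlsplit(url).scheme != "https":
            # Example policy (assumption): never request or land on a non-https URL.
            raise ResolutionError(f"refusing non-https URL {url}")
        if url in visited:
            raise ResolutionError(f"redirect loop at {url}")
        visited.append(url)
        status, headers = fetch(url)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if not location:
                raise ResolutionError(f"{status} without Location at {url}")
            # Location may be relative to the URL that was just requested.
            url = urljoin(url, location)
            continue
        if 200 <= status < 300:
            return url
        raise ResolutionError(f"unexpected status {status} at {url}")
    raise ResolutionError(f"more than {max_redirects} redirects from {origin}")


def try_resolve(origin, fetch):
    """Convenience wrapper: (final_url, None) on success, (None, reason) on failure."""
    try:
        return resolve_change_password_url(origin, fetch), None
    except ResolutionError as exc:
        return None, str(exc)


# Constructed response table standing in for several servers; these are not
# observations of any real host's behaviour.
FAKE_RESPONSES = {
    # The two-hop chain from the issue, second hop with a relative Location.
    "https://example.com/.well-known/change-password":
        (302, {"Location": "https://www.example.com/.well-known/change-password"}),
    "https://www.example.com/.well-known/change-password":
        (302, {"Location": "/actual-change-password-page"}),
    "https://www.example.com/actual-change-password-page": (200, {}),
    # A server that sends clients to an http URL.
    "https://downgrade.example/.well-known/change-password":
        (301, {"Location": "http://downgrade.example/change"}),
    # A server that redirects to itself.
    "https://loop.example/.well-known/change-password":
        (302, {"Location": "https://loop.example/.well-known/change-password"}),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs answer 404."""
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for origin in ("https://example.com", "https://downgrade.example",
                   "https://loop.example", "https://nothing.example",
                   "http://example.com"):
        print(origin, "->", try_resolve(origin, fake_fetch))
```

Because the example always starts from an https origin, the http-to-https redirect asked about in the last comment is never encountered on the first hop; a later redirect that points back to http is rejected rather than followed, which is this example's policy, not a statement of what the specification requires.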