From 45e271c0f7d1a79b37dce2fe9c73d0b8bb742874 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Fri, 7 Jun 2019 13:29:22 +0100 Subject: [PATCH] be super explicit --- proposals/2078-homeserver-password-resets.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/proposals/2078-homeserver-password-resets.md b/proposals/2078-homeserver-password-resets.md index 5064be20..8dd7d9c9 100644 --- a/proposals/2078-homeserver-password-resets.md +++ b/proposals/2078-homeserver-password-resets.md @@ -75,7 +75,9 @@ If the client receives a response to `/requestToken` with `submit_url`, it MUST accept a token from user input, then make a POST request to the content of `submit_url` with the `sid`, `client_secret` and user-entered token. `submit_url` can lead to anywhere the homeserver deems necessary for -verification. This data MUST be submitted as a JSON body. +verification. To be clear the content of `id_server` does not matter here, the +client should just submit a POST request to the value of `submit_url`. Additionally +data MUST be submitted as a JSON body. An example exchange from the client's perspective is shown below: