From b95d5724a4e0793c7cead596c602ca868e8bf5bc Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 14 Dec 2018 12:03:19 +0000 Subject: [PATCH] Add suggestion of returning a 401 for non-/login requests --- proposals/1730-cs-api-in-login-response.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/proposals/1730-cs-api-in-login-response.md b/proposals/1730-cs-api-in-login-response.md index 088df257..f3a498ca 100644 --- a/proposals/1730-cs-api-in-login-response.md +++ b/proposals/1730-cs-api-in-login-response.md @@ -26,6 +26,12 @@ clients to an alternative homeserver after login. Clients SHOULD use the provided `well_known` object to reconfigure themselves, optionally validating the URLs within. +Note: a server that redirects all clients to different servers must nonetheless +consider clients making requests other than `/login`: for example, some clients +may fail to support redirection. It is acceptable in such a case to return a +401 response to all non-`/login` requests if the service does not wish to +support such clients. + ## Application Let's imagine for this description that our organisation is the University of