Description
I have been implementing this specification for Backdrop CMS via the Well-known module. After reading the specification I was unsure of how I should be handling an anonymous user arriving at http://example.org/.well-known/change-password. Indeed, initially I mistakenly implemented this by redirecting them to the reset password page. This mistake has been corrected, but I think it would be nice if the specification was more explicit on this point.
I think it would add clarity if the specification distinguished between changing a password versus resetting a password; and that the expected behaviour for anonymous users is that a website should invite a user to log in before redirecting them to the change password page.
There is a reference to this subject in issue #4 by @craigfrancis, so this issue could be considered a duplicate of that one. However, I think it would be helpful to be explicit about the change vs reset terms in the specification.
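
The behaviour described in this issue, sketched as an added example (not part of the original issue, the specification, or the Well-known module). The site paths, the `destination` parameter name and the 302 status are assumptions chosen for illustration; the post-login destination is validated so the login step cannot be turned into an open redirect.

```python
from urllib.parse import urlencode, urlsplit

# Hypothetical site paths (assumptions; not taken from the issue or the module).
WELL_KNOWN = "/.well-known/change-password"
LOGIN_PAGE = "/user/login"
CHANGE_PAGE = "/user/edit/password"   # change flow: user is logged in
RESET_PAGE = "/user/password"         # reset flow: never the target of WELL_KNOWN


def safe_destination(dest, default=CHANGE_PAGE):
    """Accept only same-site, path-only destinations after login."""
    dest = dest or ""
    parts = urlsplit(dest)
    # Reject absolute URLs and scheme-relative URLs such as //host/path.
    if parts.scheme or parts.netloc:
        return default
    # Reject relative paths and backslash tricks some browsers normalise.
    if not parts.path.startswith("/") or "\\" in dest:
        return default
    return dest


def handle_well_known(is_authenticated):
    """Return (status, Location) for a GET of WELL_KNOWN."""
    if is_authenticated:
        # Logged-in user: go straight to the change password page.
        return 302, CHANGE_PAGE
    # Anonymous user: invite them to log in first, carrying the change
    # password page as the post-login destination (not the reset page).
    return 302, LOGIN_PAGE + "?" + urlencode({"destination": CHANGE_PAGE})


def after_login(destination):
    """Return (status, Location) once login succeeds."""
    return 302, safe_destination(destination)
```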