Hacker News new | past | comments | ask | show | jobs | submit login

I wonder if URLs like /.well-known/login and /.well-known/logout would be a good idea, and should belong to a similar spec. Maybe even /.well-known/register, too.

Once the Web Authentication API becomes reliable usable this would make quite a lot of sense.

At last wrt. login and register for doing the "first" auth which is then stored in the authenticator, e.g. a username/password login).

Why not use simple HTTP authentication?

A lot of site design requirements won't fit well with simple HTTP auth. If the company wants to display a password recovery link or display pricing information to potential customers it's incompatible with using HTTP auth without a lot of extra bells and whistles.

These are all relatively common business requirements.

It doesn't support things like SSO / federated authentication, multiple password fields for 2FA, multiple username fields for realm/domain and individual account, etc.

The web already has a perfectly good solution for arbitrary forms, and has had it for decades. Just use that.

Also .well-known/change-profile and .well-known/post-comment and .well-known/add-to-cart.

change-profile is usually a single URL that operates on the current user. Which resource would post-comment and add-to-cart act on?

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact