I was thinking to have first use passwords fall under the same category for this. So if a user authenticates and either:
1) Password is first used
2) Password is expired
then we can return the URL for them to change their password themselves. I currently have a config setting for toggling the expired password self-change, because I have seen it used both ways and then we aren't forcing one way over the other. But I would imagine that we would want a "first use" password to be changed immediately.
I was thinking to have first use passwords fall under the same category for this. So if a user authenticates and either:
1) Password is first used
2) Password is expired
then we can return the URL for them to change their password themselves. I currently have a config setting for toggling the expired password self-change, because I have seen it used both ways and then we aren't forcing one way over the other. But I would imagine that we would want a "first use" password to be changed immediately.