Refine how email address is stored in session (case sensitivity) about persona-yahoo-bridge HOT 6 OPEN

We need to see how this works w.r.t. the current core model. I'll investigate to find out if this is a blocker or not.

from persona-yahoo-bridge.

List of Things to Determine

1. Is Yahoo mail case-sensitive?

   No. Yahoo will deliver to [email protected] the same as [email protected].

2. Is Yahoo account creation case preserving?

   No. Yahoo forcibly down-cases new user registrations.

3. Is Yahoo OpenID case preserving?

   N/A. Yahoo will always return down-cased addresses in its OpenID responses.

4. Is BigTent case sensitive?

   Yes. Trying to log in as [email protected] fails and sends me into an infinite loop similar to #51.

5. Is BigTent case preserving?

   Unknown. Since I can't auth with a capitalized Yahoo address, I can't verify this at a high level.

6. Is Persona itself case preserving when creating an account on login.persona.org?

   Yes. Persona preserves and remembers case for accounts backed by login.persona.org.

7. Is Persona itself case sensitive when signing into login.persona.org?

   Sort of. I think this is a production bug, but signing up for Persona as [email protected] in the popup and then trying to sign in to Persona as [email protected] in the popup locks up but silently provisions you as [email protected]. If you do everything on login.persona.org itself, you end up logged in as [email protected].

8. Is Persona case preserving when using a native IdP?

   No. Attempting to use [email protected] will lock up at "Address Verified" as above, and provision you as [email protected].

9. Is Persona case sensitive when using a native IdP?

   Sort of. Fails as per No. 7 above.

10. Is Persona case preserving when signing into an RP?

    Yes. Though only for addresses backed by the fallback. All native IdP-based addresses are forcibly downcased.

Once We Know That

1. Are there any interactions where moving to BigTent could result in differently-cased assertions compared to pre-BigTent?

   Yes. Accounts at login.persona.org are currently case-preserved and case-enforced. Native Yahoo accounts are forcibly down-cased. Thus, I could currently be using [email protected] with Persona, but as soon as BigTent goes live, I'll be forced to begin using [email protected].

from persona-yahoo-bridge.

Based on the above, BigTent going live in its current state will lock user out of RP accounts, similarly to the AddressGuard issues discovered in #12.

Independently, I believe the above inquiry reveals several bugs in core with regard to handling of capitalization in email addresses.

from persona-yahoo-bridge.

To make things easy for folks on the team, I've created a dummy Yahoo account. The authentication credentials are in a private etherpad: https://id.etherpad.mozilla.org/capitalized-email-accounts

from persona-yahoo-bridge.

If we presume the core bugs are resolved (allowing you to type "[email protected]" but end up logged in as "[email protected]"), then BigTent could fully support people by doing case-insensitive comparison to the OpenID response to verify ownership, but then provisioning based on the casing of the address known to login.persona.org.

New users would always have an all-lowercase address.

Existing users with capitalized addresses could get stuck if they deleted their account and tried to re-create it (or if that happened automatically as part of an account reset?)

from persona-yahoo-bridge.

Bumping stars down to 3 as impact is minimal.

from persona-yahoo-bridge.