This repository has been archived by the owner on Feb 20, 2019. It is now read-only.

handle email address like myname+tag@gmail.com (either full support, or better error handling) #12

Open
jrgm opened this issue May 8, 2012 · 17 comments

Comments

@jrgm
Contributor

jrgm commented May 8, 2012

For consideration, when the user enters the email as myname+tag@gmail.com, we could strip out the +tag, auth as myname@gmail.com, but use the myname+tag address as the name in browserid.

This would mostly be something to ease testing of multiple accounts, and it may complicate things too much for this release; I can easily go create some gmail/yahoo/hotmail accounts for this testing round.

However, at minimum, we do need a bit better handling of such an email address, since right now, I get an error when using an address like that.

@ozten
Contributor

ozten commented May 9, 2012

The first place this falls down is at
https://github.com/mozilla/browserid-bigtent/blob/master/server/lib/passport_google.js#L89

We could special case ignoring (\+[^@]*)@, but this makes me nervous from a quality and security perspective.

@jrgm
Contributor Author

jrgm commented May 9, 2012

Yeah, let's punt on doing anything special with the email address in the near term timeframe. Real users are just user@example.com, and funky input can just error out.

@ozten
Contributor

ozten commented Oct 5, 2012

jrgm thought about this more ... and bigtent with gmail will break many bugzilla users. Doh!

Possible fixes:

  1. Get google to fix their auth to accept these email addresses during login screen as well as in a hinted OpenID flow
  2. Do a "plus address" fixup step and vouch for myname+tag@gmail.com when Google says the user is myname@gmail.com

To help establish priority - Measure % of users in Mozilla databases using "plus addresses"

@ghost ghost assigned callahad Oct 15, 2012
@callahad
Contributor

Raising to 5 stars -- real users are using this in Bugzilla. We can't lock them out. Let's do a local fixup for gmail. @jrgm to investigate how Yahoo and Hotmail work with this stuff.

For Yahoo, this looks like the most relevant thing: http://help.yahoo.com/tutorials/mail/mail_addressguard1.html

@jrgm
Contributor Author

jrgm commented Oct 15, 2012

About Yahoo!. I have an email address that we'll call someuser@yahoo.com.

I sent an email from an @gmail.com address to that address ok, but sending to someuser+s1@yahoo.com results in an email bounce: "The error that the other server returned was: 554 554 delivery error: dd This user doesn't have a yahoo.com account (someuser+s1@yahoo.com) [0] - mta1318.mail.mud.yahoo.com (state 17)."

I then tried to sign up as someuser+s1@yahoo.com and the yahoo.com web UI told me "Only letters, numbers, underscores, and one dot (.) are allowed".

An attempt to use 'someuser-s1@yahoo.com' with a free account is bounced with a message similar to the bounce on '+' above. I bought Mail Plus, and created a basename (which cannot be 'someuser') and email to 'otheruser-s1@yahoo.com' is delivered ok. Note: these disposable addresses must be pre-configured, e.g., mail to otheruser-s2@yahoo.com will bounce.

@jrgm
Contributor Author

jrgm commented Oct 15, 2012

About Hotmail. Again, I have a free hotmail account, call it someuser@hotmail.com.

Sending to someuser+s1@hotmail.com is delivered to someuser@hotmail.com inbox without any other configuration needed. So '+' is handled just like @gmail.com. I also tried sending to someuser-s1@hotmail.com, but that is bounced.

When I tried to sign up with hotmail as someuser+s1@hotmail.com, it said "Your email address can contain only letters, numbers, periods (.), hyphens (-), and underscores (_). It can't contain special characters, accented letters, or letters outside the Latin alphabet."

@callahad
Contributor

@jrgm: Can you sign into Yahoo using your otheruser-s1 address? Trying to figure out how that would interact with their OpenID auth.

It sounds like we need to treat Gmail and Hotmail identically in this regard.

It sounds like BigTent may break Persona for Yahoo users that use the Mail Plus disposable address feature. I don't know what we should do there. Any ideas? @ozten / @skinny97214 / @jrgm ?

Using the current fallback flow for Yahoo addresses with a hyphen in them would probably be the most graceful thing we can do. Maybe change the Proxy IdP logic to dispatch based on regexes? :(

@jrgm
Contributor Author

jrgm commented Oct 16, 2012

@callahad No, I can't use otheruser-s1 to auth with yahoo (it says "hmm, unknown, are you trying to signup?"). And if I start with otheruser-s1 but auth to yahoo with someuser@yahoo.com, I wind up with the dialog saying "Authentication Error: Sorry, it looks like you were trying to log in as otheruser-s1@yahoo.com, but were logged in to Yahoo as a different address."

So, the handling seems consistent (with s/+/-/ for the yahoo case). You can't use the "aliased" username to auth with {google,yahoo,hotmail}, and if you try to use the "alias" with persona and then auth with the real username, you fail on the mismatch. Maybe the right flow is to assume it's not an alias and then on a mismatch (that matches a possible alias), deal with it (user confirms again and some way to record the mapping). /me just making shit up as I go along again.
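As an added example (not part of this thread and not browserid-bigtent's own code), the flow sketched above in Node.js: classify the typed address, apply the "plus address" fixup for gmail/hotmail, route Yahoo disposable addresses to the fallback flow, and refuse to vouch when the IdP authenticates a different account. The provider rules come from the observations in this thread; the function names and result shape are assumptions.

```javascript
// Added example, not browserid-bigtent code. Provider behaviour is taken from
// the observations in this thread; function names and result shape are assumed.

const PLUS_DOMAINS = new Set(['gmail.com', 'hotmail.com']);  // 'base+tag' delivered to base mailbox
const GUARD_DOMAINS = new Set(['yahoo.com']);                 // 'base-tag' disposable (AddressGuard)

// Split 'local@domain'; null for anything that is not one '@' with both sides non-empty.
function splitAddress(email) {
  const m = /^([^@\s]+)@([^@\s]+)$/.exec(String(email).trim());
  return m ? { local: m[1], domain: m[2].toLowerCase() } : null;
}

// Decide how the proxy IdP should handle the address the user typed.
//   'direct'   - authenticate at the IdP with the address as typed
//   'fixup'    - authenticate as base@domain, then vouch for the typed alias
//   'fallback' - the IdP cannot authenticate this alias; use the non-proxy fallback flow
//   'invalid'  - not a parseable address
function classifyAddress(email) {
  const parts = splitAddress(email);
  if (!parts) return { mode: 'invalid', typed: email, authAs: null };
  const typed = `${parts.local}@${parts.domain}`;
  if (PLUS_DOMAINS.has(parts.domain)) {
    const plus = parts.local.indexOf('+');
    if (plus > 0) {
      return { mode: 'fixup', typed, authAs: `${parts.local.slice(0, plus)}@${parts.domain}` };
    }
  } else if (GUARD_DOMAINS.has(parts.domain) && parts.local.includes('-')) {
    // Yahoo disposable addresses cannot log in to Yahoo, so the proxy cannot vouch for them.
    return { mode: 'fallback', typed, authAs: null };
  }
  return { mode: 'direct', typed, authAs: typed };
}

// After the IdP redirects back, vouch for the typed address only when the
// account the IdP actually authenticated is the one we expected.
function verifyIdpResult(classification, idpEmail) {
  const got = splitAddress(idpEmail);
  if (!got || classification.authAs === null) return { ok: false, reason: 'no auth expected' };
  const expected = classification.authAs;
  if (`${got.local}@${got.domain}` !== expected) {
    return { ok: false, reason: `logged in to IdP as ${idpEmail}, expected ${expected}` };
  }
  return { ok: true, vouchFor: classification.typed };
}
```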

@callahad
Contributor

Gah. Okay. If we roll out BigTent as is, then we lock Yahoo users out of sites that they're currently using Persona at. Even if this is a niche feature, I'm not comfortable doing that. Nice find, @jrgm.

I don't know how to solve this. Since BigTent can't support all @yahoo.com addresses, we have to partition based on the local part of the address. How do we do that in a way that works for both users entering the system and for local verifiers? I don't think dynamic well-known files actually solve this.

@callahad
Contributor

There are > 50 users with Yahoo addresses like this in our production database. :(

@ozten
Contributor

ozten commented Oct 18, 2012

Raising to 5 stars -- real users are using this in Bugzilla

What is the absolute % of bugzilla users affected?
What is the absolute % of production browserid users affected?

I don't know about 5 stars, I think this may be an acceptable known issue.

@ozten
Contributor

ozten commented Oct 18, 2012

I don't know if it would really happen... but technically this issue can be fixed in the RP as follows:

  1. User uses the bare email address (alice@gmail.com instead of alice+bugzilla@gmail.com)
  2. Bugzilla changes account lookup logic to something like this pseudo SQL:
SELECT id FROM accounts WHERE email = 'alice@gmail.com' OR email LIKE 'alice+%@gmail.com';

I strongly doubt bugzilla would take on this burden, but just wanted to document this additional solution space.

@ozten
Contributor

ozten commented Oct 18, 2012

Requesting absolute % from BMO team https://bugzilla.mozilla.org/show_bug.cgi?id=803243

@ozten
Contributor

ozten commented Oct 18, 2012

Requesting absolute % from Service Ops team https://bugzilla.mozilla.org/show_bug.cgi?id=803246

@ozten
Contributor

ozten commented Oct 19, 2012

Bugzilla:

+------------+-----------+------------+-----------+------------------+----------+
| plus_gmail | all_gmail | plus_yahoo | all_yahoo | gmail_yahoo_plus | all_plus |
+------------+-----------+------------+-----------+------------------+----------+
|     1.1130 |   19.7873 |     0.0025 |    8.9597 |           0.2205 |   0.4043 |
+------------+-----------+------------+-----------+------------------+----------+

@callahad
Contributor

Per discussion with Ben and Ozten, this is not a blocker for Yahoo's launch. Reassigning to M1: Google launch.

The plan is to notify Yahoo! AddressGuard users in advance of BigTent hitting production so that they have time to make alternative arrangements for the RPs that they access and monitor that feedback.

We'll also add an AddressGuard-specific error page to BigTent so that those users are informed of the issue.

In parallel, we'll reach out to Yahoo and see if there's any (undocumented?) way to support AddressGuard users via OpenID.

The above will be tracked in new GitHub issues.

@jrgm
Contributor Author

jrgm commented Mar 28, 2013

This also needs to be addressed for hotmail (but I don't see a way to put the same issues on two milestones). So just saying...
