On November 30th, 2016, Mozilla shut down the persona.org services. Persona.org and related domains will soon be taken offline.
For more information, see this guide to migrating your site away from Persona:
https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers
It's a good idea to allow your users to add extra email addresses to their account. This enables users to change their email addresses, and to access their account with you even if they are unable to access their primary email account.
You'll need to verify the extra address. You can do this manually, by sending an email to the new address containing a verification link, or by using Persona itself.
If you use Persona to add email addresses, then you need to be aware of a couple of things: make the context of the request clear, and update the value you pass into loggedInUser
to ensure that the transaction isn't broken by Persona's session management.
When you request a new assertion using with either the old navigator.id.get()
API or the navigator.id.request()
API, Persona expects that the user is trying to sign into a website, and the user interface it displays reflects that. If you are using Persona just to get a new verified email address, your site needs to make this clear to users, so they are not confused by the Persona dialog.
If you're using the navigator.id.get()
API in the rest of your site, then you can just make a new navigator.id.get()
call to get the extra email address.
But if you use navigator.id.request()
, then you must also use navigator.id.request()
to get the extra email address. In this case, when you have verified the assertion inside your onlogin
handler, you must update the loggedInUser
argument to navigator.id.watch()
with the new email address.
If you don't do this, then there will be a mismatch: Persona will think the logged in user is new_emailaddress@example.org
, but your website will be telling it that the logged in user is old_emailaddress@example.org
. In response, Persona will fire onlogin
with an assertion for new_emailaddress@example.org
, which your website will probably interpret as a new user signing up.