Rules to link accounts by email are case-sensitive #208

Open
alanc10n opened this issue Jul 18, 2019 · 7 comments
Comments

@alanc10n

I've encountered an issue in which a user signs up with multiple connections associated with the same email address and the automatic account linking rule fails to link them. Eventually I tracked this down to the fact that the users-by-email endpoint performs a case-sensitive search, which is very surprising. The user signed up for an email/password account as [email protected], but their Google account has [email protected] as the associated email address.

In practice, email addresses are treated in a case-insensitive manner, and the Auth0 web console performs case-insensitive search for email addresses. It seems like anyone using these rules to link accounts with matching emails would want it to handle differing case, since some providers will report differing case for a given email address (i.e. not everyone normalizes addresses to lower-case).

@rhiadj

rhiadj commented Nov 14, 2019

I was caught out by this over the past week and even Auth0 support seemed flummoxed by this and unaware that the email address used to add admins to a tenant was case sensitive.

Some info:

http://www.faqs.org/rfcs/rfc821.html

For some hosts the user name is case sensitive, and SMTP implementations must take case to preserve the case of user names as they appear in mailbox arguments. Host names are not case sensitive.

However...
http://www.faqs.org/rfcs/rfc5321.html

However, exploiting the case sensitivity of mailbox local-parts impedes interoperability and is discouraged.

And as always Stack Overflow to the rescue:
https://stackoverflow.com/questions/9807909/are-email-addresses-case-sensitive

So it appears it depends on the RFC you are implementing.

RFC-5321 is the latest (RFC-7504 is only an ‘update’ to it) so I'd suggest this should be the one to follow - which suggests case insensitivity should be used.

Discussing this with other (seasoned) developers - 99% of devs I've spoken to were unaware that email addresses can be case sensitive. And in practice most systems implementing SMTP do so using case insensitive implementation.

Suggested/Possible Solutions:

Either change this to be case insensitive as suggested in the most recent RFC

... or...

At the very least the fields/processes/APIs used to register and to add admins to a tenant should state the email address is case sensitive. And error message(s) displayed should detail this fact also.

Thanks.

@rhiadj

rhiadj commented Nov 14, 2019

Just to add to this - the existing error message I was getting when attempting to accept an invitation states:

Please log in using the email address for which you received the invitation.

... which is exactly what I did!

In Auth0 the invite was created using:
[email protected]

I received the email invite in my inbox for:
[email protected]
... because the email server is set up to ignore case sensitivity.

So the error message above is in fact incorrect (or at the very least misleading) for around 90% of use cases where case sensitivity is to blame due to the fact that most email servers are set up to be case insensitive?

Thanks.

@rhiadj

rhiadj commented Nov 20, 2019

@alanc10n Thanks for raising this issue as I wondered if I was going mad but evidently wasn't the only one this was affecting - which was good to know! 👍

It might be worth checking this again just fyi.

I reported this issue to customer support who have since informed me that the dev team had pushed out a fix for this and that user registration is now case insensitive.

I've not had a chance to check myself yet but thought I'd pass on the message in case it's blocking your work/endeavours!

Support also mentioned they'll pass on this issue for the dev team to respond to.

Thanks again.

@sebhs

sebhs commented Feb 6, 2021

Just spent hours trying to debug our merging process and realized that this was the issue. The user signed up via Google with the email [email protected] and then passwordless with [email protected]. Because of the case sensitivity of the users-by-email endpoint, the user accounts weren't linked.

Does anyone have a good solution for how to resolve this? From the last comment it seems like this should have been fixed, but we had this problem yesterday.

@Maxhodges

Maxhodges commented May 12, 2023

Auth0 knew about this issue since 2019 and hasn't been fixed yet? For Christ's sake!

We just lost a customer because of a nightmare scenario involving this bug. Please make it right! We just got the worst possible review from a customer who had a second account created because of a capitalization difference, which took a week of back and forth for our customer support and engineers to figure out.

0 out of 10
the site has a glitch where if you change your email on your account, it force-makes accounts instead of logging in. I logged into my account several times and several times it just made a new account instead. This led to confusion from the staff as they thought I was hitting the 'getting started' instead of signing in, which I had to take several screenshots to prove I wasn't until I was finally taken seriously and the staff removed the other accounts and troubleshot the original. This took a week to fix with a bit of frustration from having the back and forth of 'stop making new accounts'/'I'm not making new accounts, the site is'.

@MsMatias

MsMatias commented Aug 2, 2023

Hi everyone. I had the same issue using the /users-by-email endpoint because it is case-sensitive (it doesn't make sense). I found that the https://{domain}/api/v2/users endpoint allows you to search by different attributes such as email. So with the following query I was able to find the users with a case-insensitive string.

?q=email%3Auser_email which decoded is ?q=email:user_email

Please let me know if this works for you.

@alanc10n
Author

Hi everyone. I had the same issue using the /users-by-email endpoint because it is case-sensitive (it doesn't make sense). I found that the https://{domain}/api/v2/users endpoint allows you to search by different attributes such as email. So with the following query I was able to find the users with a case-insensitive string.

?q=email%3Auser_email which decoded is ?q=email:user_email

Please let me know if this works for you.

Yes, that search is case-insensitive, but it's also not immediately consistent. Auth0 explicitly recommends using users-by-email for searching during authentication and account-linking, which is why this is a mess.
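As an added example (not code from this thread or from Auth0), the matching logic a linking rule needs regardless of which endpoint it queries: fold the domain per RFC 5321 and, since exploiting local-part case is discouraged by that RFC, fold the local-part too, then only treat records as link candidates when both sides carry a verified email. The record shape and `SAMPLE_USERS` are constructed sample data; the verified-email check is an extra safeguard the thread does not discuss.

```javascript
// Normalize an address into a linking key. RFC 5321: the domain is
// case-insensitive; the local-part is technically case-sensitive, but relying
// on that is discouraged, so both halves are lower-cased for matching.
function normalizeEmail(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  // Reject anything without a non-empty local-part and domain.
  if (at <= 0 || at === trimmed.length - 1) return null;
  const local = trimmed.slice(0, at);
  const domain = trimmed.slice(at + 1);
  return `${local.toLowerCase()}@${domain.toLowerCase()}`;
}

// Return the other records that share the current user's normalized email.
// Both identities must have email_verified === true: linking on an unverified
// address would let anyone who claims that address inherit the other account.
function findLinkCandidates(currentUser, users) {
  const key = normalizeEmail(currentUser.email);
  if (!key || currentUser.email_verified !== true) return [];
  return users.filter(
    (u) =>
      u.user_id !== currentUser.user_id &&
      u.email_verified === true &&
      normalizeEmail(u.email) === key
  );
}

// Constructed sample records shaped like Auth0 user profiles (example data,
// not real accounts). Record 1 differs from record 2 only by letter case.
const SAMPLE_USERS = [
  { user_id: "auth0|1", email: "Jane.Doe@Example.com", email_verified: true },
  { user_id: "google-oauth2|2", email: "jane.doe@example.com", email_verified: true },
  { user_id: "email|3", email: "jane.doe@example.com", email_verified: false },
  { user_id: "auth0|4", email: "someone.else@example.com", email_verified: true },
];

// Example run: the Google identity finds the database identity despite the
// case difference, and skips the unverified passwordless record.
const candidateIds = findLinkCandidates(SAMPLE_USERS[1], SAMPLE_USERS).map((u) => u.user_id);
console.log(candidateIds); // ["auth0|1"]
```

If the lookup is done through a search endpoint that is eventually consistent, as the reply above notes for /api/v2/users, run this comparison on the records you already hold (e.g. the identities returned on the current login) rather than trusting the first search result to be complete.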
