Persona is no longer actively developed by Mozilla. Mozilla has committed to operational and security support of the persona.org services until November 30th, 2016.
On November 30th, 2016, Mozilla will shut down the persona.org services. Persona.org and related domains will be taken offline.
If you run a website that relies on Persona, you need to implement an alternative login solution for your users before this date.
For more information, see this guide to migrating your site away from Persona:
It's a good idea to allow your users to add extra email addresses to their account. This enables users to change their email addresses, and to access their account with you even if they are unable to access their primary email account.
You'll need to verify the extra address. You can do this manually, by sending an email to the new address containing a verification link, or by using Persona itself.
If you use Persona to add email addresses, then you need to be aware of a couple of things: make the context of the request clear, and update the value you pass into
loggedInUser to ensure that the transaction isn't broken by Persona's session management.
Clarify the context of the request
When you request a new assertion using with either the old
navigator.id.get() API or the
navigator.id.request() API, Persona expects that the user is trying to sign into a website, and the user interface it displays reflects that. If you are using Persona just to get a new verified email address, your site needs to make this clear to users, so they are not confused by the Persona dialog.
But if you use
navigator.id.request(), then you must also use
navigator.id.request() to get the extra email address. In this case, when you have verified the assertion inside your
onlogin handler, you must update the
loggedInUser argument to
navigator.id.watch() with the new email address.
If you don't do this, then there will be a mismatch: Persona will think the logged in user is
email@example.com, but your website will be telling it that the logged in user is
firstname.lastname@example.org. In response, Persona will fire
onlogin with an assertion for
email@example.com, which your website will probably interpret as a new user signing up.