Email Aliases Cannot Accept Invitations

Issue #14335 wontfix
Cassiano Alves staff created an issue

In case someone sends an invite to an alias email, could that notification also be sent to the primary email? If not, can we block users from inviting others using their alias email?

Comments (18)

  1. Alastair Wilkes staff

    This is actually intentional. Email aliases are for Git aliasing only. For the purposes of authentication and authorization, a given user account must be identified by a single email address.

    We won't block the invite being sent because the user might want to create a second account with that email address.

  2. Mario Rosa

    @Alastair Wilkes so are you saying that the only way to accept an invitation at an email alias would be to do the following:

    1. Receive invite at an email alias for current account.
    2. Remove the email alias from current account.
    3. Logout of the current account.
    4. Make new account with the email.
    5. Accept the invitation.

  3. puzzlegeek

    This is very poor. Claiming an email (whether as a primary address or alias) and proving you own it should allow it to be used in any way. I certainly don't want to set up another account to accept a single invitation nor have to pre-warn any potential collaborators to use a specific email address (which I may intentionally be keeping from them; e.g. a personal email address).

    Once again, I see odd issues like this using Bitbucket confirming my decision to host elsewhere.

  4. Scott Riggins

    I have the same issue as puzzlegeek, and in response to @Alastair Wilkes "Does that work for you?" I would say no. Members of Bitbucket are sometimes (likely often) participating in different projects with different email addresses for a reason, such as subcontracting affiliations, and if those email addresses that we might receive invites under are confirmed aliases then they should be treated by Bitbucket as equivalent. It is natural for someone (e.g., at a client) to invite via the email address they are aware of, and it should not be required to then go back to them and ask them to re-send the invite via some other moniker, even the username. In some cases the account username is rather obviously related to the primary email address identity which should not be disclosed; disclosure of underlying subcontract affiliations can even be a damaging contract violation. Bitbucket should support accepting an invite from a login which is confirmed as aliased by the invited email address.

  5. Piotr Zielinski

    Wow, just found this thread because I couldn't figure out why it wasn't working for me as expected.

    I would think that aliases are there so that people can find me by whichever email address they happen to have. If they cannot add me based on that email address that is going to be an issue. Please fix this!

  6. John Kurkowski

    +1

    Receiving an invitation at an alternate email prompts me to create a new account on https://id.atlassian.com. Yet there is also a link at the bottom, "Already have an Atlassian account? Log in." This makes me think I can accept the invitation at my existing account. Alas, any attempt to use that "Log in" link results in

    "Oops, you've made a malformed request. If you came here from a link we sent you, please contact support."

  7. John Kurkowski

    In fact, the comment directly above this one is from a 2nd account, which I didn't want to create. It's a temporary email address I won't always have access to. Now I'm commenting again to be sure I get notifications at my desired email address.

  8. Henk Roux

    @Alastair Wilkes what you said

    "This is actually intentional. Email aliases are for Git aliasing only. For the purposes of authentication and authorization, a given user account must be identified by a single email address. We won't block the invite being sent because the user might want to create a second account with that email address."

    is false, because I did create a second account using my alias address, and it removed the alias from my primary account. So the 'for git aliasing only' claim is actually untrue, and there is no technical or intentional reason why our alias addresses cannot be used all on one account.

  9. Henk Roux

    To elaborate - the alias in question was used as an actual alias to a repo of a client. Now that I had to create a second account for an invite from another client, the alias is gone from the primary account, and any commit I now make there I make as 'someone else'. And the second account does not have access to that repo. What do I do now?

  10. Alastair Wilkes staff

    Hi y'all,

    I should clarify - email aliases did previously support this behavior (multiple emails on one account). However, when Bitbucket started using Atlassian account for authentication, this changed such that only one email address (Atlassian account) can be used to authenticate a particular Bitbucket account. This change was made in order to more easily support future cross-product user management capabilities and security features (e.g. SAML, managed/organization-owned accounts, password policies) implemented at the Atlassian account level and then delegated to all products used by an organization.

    Unfortunately this has created frustration for users either previously familiar with Bitbucket or with other offerings that work differently, and for that I apologize. We need to make this clearer in our documentation and on the email aliases page.

    To be clear, you still can use a single account to collaborate across multiple orgs - but only one email can be used for authentication. If you need to use different emails for authentication, or you need to keep your personal account private, we recommend creating one or more secondary accounts (perhaps a 'work' account, or one account for each organization you work with). We could make this easier by adding an account switcher to Atlassian account - there is a lot of interest in that.

    @Henk Roux -

    The email address was removed from your account because you can't have a confirmed email on more than one account. We're working on making this more obvious in the sign-up flow. That said, the second account you created should have been granted access to the repo - we'll take a look at why that didn't work. Re-accepting the invite should fix that in the meantime.

    Thanks,
    Alastair
    Bitbucket PM

  11. Enrico Stevenson-Mills

    "To be clear, you still can use a single account to collaborate across multiple orgs - but only one email can be used for authentication."

    This is not an authentication issue, it's an authorization issue. You have locked invites to the email address that received the invite. While I understand this prevents stolen invitations, there is no reason you couldn't safely allow accounts to accept invitations to their primary email address or any of their verified aliases.

    This isn't about being able to make one Bitbucket account appear as multiple identities, but rather being able to merge all your identities into a single account. By accepting an invite sent to one of your verified aliases, you would appear in the repo/organization as if the invite had been sent to your primary email address. And if that means the organization sees your primary email address instead of your alias, so be it.

    It is completely orthogonal to the organization based feature management you mentioned.
