Adds the missing field on the query_user calls, updates the external auth tests to ensure it is returned properly, and adds new end-to-end tests which call the external auth engines via the *API*, to ensure this doesn't break again
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
