🚀 Feature: Ability for users to set a profile picture #58
Comments
I'm working on this feature at the moment but I'm unsure how I should handle the authorization for the profile picture URL. Should the URL be accessible publicly or only with an access token? Do you have a few examples of client applications that support importing the profile picture from an OIDC Provider? This would help me to decide how I should handle the authorization.
As far as I know Homarr uses this profile picture import function.
@simono41 Thanks, I've checked it out but it seems Homarr doesn't use the profile pictures of the OIDC provider.
Try version 1.0 of Homarr. I had seen that there.
@simono41 I've tried Homarr 1.0 and also looked into the code but I don't think they support it. Are you sure that the profile image was taken from the OIDC provider? Which OIDC provider do you use?
I'm sorry, I thought they would support this because I can't upload a profile picture there. I looked again on the internet and with GitLab it should be possible by having the profile picture as a URL (i.e. publicly available without authentication) in the user info, but it can also be included in the ID token (don't know exactly what that is). https://docs.gitlab.com/ee/integration/openid_connect_provider.html
@simono41 Thanks. Yeah the profile picture URL is accessible without authentication. In GitLab this makes sense as the profile picture can be viewed without an account. However, since Pocket ID is not a public service, it probably makes more sense to protect the profile picture endpoint. The challenge I’m facing is figuring out the best way to secure it, especially since I’m not entirely sure how clients will be accessing the profile pictures.
Personally, I'm not too concerned about the profile pictures being publicly available; but all my services have access to the same private network and reverse proxy. Sorry this took so long to respond to though; I can track down a few more but here is how KitchenOwl does the import: https://github.com/TomBursch/kitchenowl/blob/8da1fb8aa33ef09d4b2ab56d05a9464c1fe49e2f/backend/app/controller/auth/auth_controller.py#L386 Let me know if you need more / different examples.
@acidRain-burns Thanks for the example. The application downloads the image on sign in. If you have other examples it would be great if you can share them. If every client application downloads the profile image on sign in, I could just create a link that's only valid for a short time period. But I suspect that there are client applications that directly use the profile picture URL without downloading the image.
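The short-lived link option raised in the last comment, sketched as an added example that is not part of the thread and is not Pocket ID's code: an HMAC-signed query with an expiry, checked server-side. The key, user ID, host, URL path and the function names `SignedQuery` and `Verify` are all assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// sign returns an HMAC-SHA256 tag binding the user ID to the expiry time.
func sign(key []byte, userID string, exp int64) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s\n%d", userID, exp)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// SignedQuery builds the "exp=...&sig=..." query for a link valid for ttl.
func SignedQuery(key []byte, userID string, now time.Time, ttl time.Duration) string {
	exp := now.Add(ttl).Unix()
	return url.Values{"exp": {strconv.FormatInt(exp, 10)}, "sig": {sign(key, userID, exp)}}.Encode()
}

// Verify accepts a request only if the tag matches and the link has not expired.
func Verify(key []byte, userID, rawQuery string, now time.Time) bool {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false
	}
	exp, err := strconv.ParseInt(q.Get("exp"), 10, 64)
	if err != nil {
		return false
	}
	want := sign(key, userID, exp)
	// Constant-time comparison avoids leaking how much of the tag matched.
	return hmac.Equal([]byte(q.Get("sig")), []byte(want)) && now.Unix() < exp
}

func main() {
	key := []byte("constructed-demo-key") // sample key; a real one is random and server-side only
	now := time.Unix(1700000000, 0)       // fixed clock so the output is reproducible
	q := SignedQuery(key, "user-123", now, 5*time.Minute)
	// Hypothetical host and path, used only to show where the query would go.
	fmt.Println("https://id.example.com/api/users/user-123/picture?" + q)
	fmt.Println(Verify(key, "user-123", q, now.Add(time.Minute)))
	fmt.Println(Verify(key, "user-123", q, now.Add(10*time.Minute)))
}
```

A client that stores this URL and renders it later, rather than downloading the image at sign-in, gets a rejected request once `exp` has passed, which is the trade-off the comment above describes.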
Feature description
Allow users to set and change their profile picture, and allow this to be provided to client applications when requested. A simple input like what is already offered for OIDC Client settings should suffice. If it makes more sense or is too much overhead, allowing users to set their own URL or letting server owners set their own avatar service might be a better option.
Pitch
There are many client applications Pocket ID is working really well for, and many of them have profile picture imports. It would be nice for people to be able to set their picture once, and have it show up everywhere without them or me needing to mess with Gravatar (though the inclusion of Gravatar is a great feature!).