OpenID Connect: Failed to get user avatar from URL

We are using OpenID Connect 1.31 combined with Azure AD and XWiki 13.10.6. Nearly everything works fine, but we get this error message in the log file:

WARN o.x.c.o.a.i.OIDCUserManager - Failed to get user avatar from URL https://graph.microsoft.com/v1.0/me/photo/$value: IOException: Server returned HTTP response code: 401 for URL: https://graph.microsoft.com/v1.0/me/photo/$value

This happens to users with and without a Microsoft user avatar.

I created a Jira ticket, but maybe there is some swarm intelligence in this forum to guide me in the right direction.

Regards, Simpel

Ticket is closed. Didn’t recognize it. Today I looked inside the log file for another reason and remembered that there was an issue. It changed a little bit. Instead of 401 it is now 403.

WARN o.x.c.o.a.i.OIDCUserManager - Failed to get user avatar from URL [https://graph.microsoft.com/v1.0/me/photo/$value]: IOException: Server returned HTTP response code: 403 for URL: https://graph.microsoft.com/v1.0/me/photo/$value

We are using XWiki 15.10.13 and OpenID Connect Authenticator 2.13.1.

Regards, Simpel

So that would suggest that, from this provider's point of view, the access token is not enough to be allowed to access the file behind the provided URL.

That being said, given how the URL looks, it feels like the problem is not so much that the way the OIDC picture is downloaded is wrong and more the fact that the provider just indicated a URL that does not make any sense. The problem is that I have no idea how to identify that this URL should not be followed (in theory, if the user does not have a picture, the provider should just not indicate one).
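Added example, not part of the thread and not XWiki or OIDC authenticator code: a diagnostic that decodes the access token's claims (without verifying the signature) to see whether it was issued for Microsoft Graph and carries a scope that allows reading the photo. The Graph audience values, the scope list, the mapping to 401/403, and all function names are assumptions of this sketch; the sample tokens are constructed.

```python
import base64
import json

# Assumptions (not stated in the thread): audience values Microsoft Graph
# accepts, and delegated scopes that allow reading /me/photo.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}
PHOTO_SCOPES = {"User.Read", "User.ReadBasic.All", "User.Read.All"}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; an opaque token cannot be inspected")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token):
    """Return 'wrong-audience', 'missing-scope' or 'ok' for a Graph photo call."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(str(a).rstrip("/") in GRAPH_AUDIENCES for a in audiences):
        return "wrong-audience"   # token issued for another API: typically a 401
    scopes = set(claims.get("scp", "").split())
    if not scopes & PHOTO_SCOPES:
        return "missing-scope"    # right API, no permission: typically a 403
    return "ok"


def sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed samples; "api://example-xwiki-client" is a placeholder.
    for claims in (
        {"aud": "api://example-xwiki-client", "scp": "openid profile"},
        {"aud": "https://graph.microsoft.com", "scp": "openid profile email"},
        {"aud": "https://graph.microsoft.com", "scp": "openid User.Read"},
    ):
        print(claims["aud"], "->", diagnose(sample_token(claims)))
```

Run it only against a token captured in a test environment, since an access token is a bearer credential and should not be pasted into shared logs or tickets.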