OpenID Connect MalformedURLException upon user avatar

Hi,

I’ve set up OpenID-Connect from XWiki to an external provider (Jetbrains Hub) and get a timeout upon trying to log in. The user is created properly but in the logs I can see the following error message:

[http-nio-8080-exec-1 - https://XXX/xwiki/oidc/authenticator/callback?code=XXX&state=XXX] WARN o.x.c.o.a.i.OIDCUserManager - Failed to get user avatar from URL [data:image/png;base64,XXX]: MalformedURLException: unknown protocol: data

Directly before that in the log I get several messages from the security manager but they don’t seem to be related:

[http-nio-8080-exec-10 - https://XXX/xwiki/bin/view/Main/] INFO .u.i.DefaultURLSecurityManager - Domain of URL [https://XXX/hub/api/rest/oauth2/auth?scope=openid+profile+email+address&claims={}&response_type=code&redirect_uri=https%3A%2F%2FXXX%2Fxwiki%2Foidc%2Fauthenticator%2Fcallback&state=XXX&client_id=XXX] does not belong to the list of trusted domains but it’s considered as trusted since the check has been bypassed.

XWiki-Version: 12.10.10 LTS (XWiki Standard Flavor)
OpenID-Connect-Authenticator: 1.28

Any ideas how to solve this or should I open a bug report?

Kind regards,

According to the error, the provider sent back “data:image/png;base64,XXX” for what is defined in the OIDC protocol as supposed to be a URL.

They stretched the definition of “URL” quite a bit, but I guess it could make sense to support inline image URIs. It would be great if you could create an issue for it on https://jira.xwiki.org/browse/OIDC. If you feel like working on this, you can find the code which deals with the user picture on https://github.com/xwiki-contrib/oidc/blob/master/oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/OIDCUserManager.java#L401.

In the meantime, the only consequence for you is that you get a warning, and you are missing the user profile pictures.
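The failure discussed above, and one defensive way to accept an inline picture, as an added example that is not part of the original thread or the OIDC authenticator's code. The class name, MIME allowlist and size cap are assumptions made for this sketch.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;

public class PictureClaimDemo {
    // Assumed policy for this sketch. SVG is left out on purpose: it can carry script.
    private static final Set<String> ALLOWED_TYPES = Set.of("image/png", "image/jpeg", "image/gif");
    private static final int MAX_BYTES = 512 * 1024;

    /** Decodes a base64 data: URI from the "picture" claim; returns null if the claim is not inline. */
    static byte[] decodeInlinePicture(String claim) {
        if (!claim.regionMatches(true, 0, "data:", 0, 5)) {
            return null; // not inline: the caller handles it as an ordinary URL
        }
        int comma = claim.indexOf(',');
        if (comma < 0) {
            throw new IllegalArgumentException("data: URI without payload");
        }
        String[] meta = claim.substring(5, comma).split(";");
        String type = meta[0].toLowerCase(Locale.ROOT);
        boolean base64 = meta[meta.length - 1].equalsIgnoreCase("base64");
        if (!ALLOWED_TYPES.contains(type) || !base64) {
            throw new IllegalArgumentException("unsupported inline picture type: " + type);
        }
        // Bound the size before decoding: every 4 base64 characters carry 3 bytes.
        if ((claim.length() - comma - 1) / 4 * 3 > MAX_BYTES) {
            throw new IllegalArgumentException("inline picture too large");
        }
        return Base64.getDecoder().decode(claim.substring(comma + 1));
    }

    public static void main(String[] args) {
        // Constructed sample: the payload is only the 8-byte PNG file signature.
        String inline = "data:image/png;base64,iVBORw0KGgo=";
        try {
            new URL(inline); // java.net.URL has no handler for the "data" scheme
        } catch (MalformedURLException e) {
            System.out.println("java.net.URL rejected it: " + e.getMessage());
        }
        System.out.println("decoded bytes: " + decodeInlinePicture(inline).length);
        // Constructed https value: not inline, so it stays on the normal URL path.
        System.out.println("inline? " + (decodeInlinePicture("https://idp.example/avatar.png") != null));
    }
}
```

The claim value comes from the identity provider, so the type allowlist and the size bound are applied before any bytes are decoded or stored as an attachment.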

Thank you for your help. I’ve created a ticket.