feat: map OIDC/OAuth2 avatar claims to user pictureUrl (#7908)

mod242 · web-flow · commit 6ae53bf1bd91 · 2026-01-23T18:36:52.000-05:00
diff --git a/server/modules/authentication/oauth2/authentication.js b/server/modules/authentication/oauth2/authentication.js
@@ -22,13 +22,15 @@ module.exports = {
       state: conf.enableCSRFProtection
     }, async (req, accessToken, refreshToken, profile, cb) => {
       try {
+        const picture = _.get(profile, conf.pictureClaim, '')
         const user = await WIKI.models.users.processProfile({
           providerKey: req.params.strategy,
           profile: {
             ...profile,
             id: _.get(profile, conf.userIdClaim),
             displayName: _.get(profile, conf.displayNameClaim, '???'),
-            email: _.get(profile, conf.emailClaim)
+            email: _.get(profile, conf.emailClaim),
+            picture: picture
           }
         })
         if (conf.mapGroups) {
diff --git a/server/modules/authentication/oauth2/definition.yml b/server/modules/authentication/oauth2/definition.yml
@@ -54,38 +54,45 @@ props:
     default: email
     maxWidth: 500
     order: 8
+  pictureClaim:
+    type: String
+    title: Picture Claim
+    hint: Field containing the user avatar URL
+    default: picture
+    maxWidth: 500
+    order: 9
   mapGroups:
     type: Boolean
     title: Map Groups
     hint: Map groups matching names from the groups claim value
     default: false
-    order: 9
+    order: 10
   groupsClaim:
     type: String
     title: Groups Claim
     hint: Field containing the group names
     default: groups
     maxWidth: 500
-    order: 10
+    order: 11
   logoutURL:
     type: String
     title: Logout URL
     hint: (optional) Logout URL on the OAuth2 provider where the user will be redirected to complete the logout process.
-    order: 11
+    order: 12
   scope:
     type: String
     title: Scope
     hint: (optional) Application Client permission scopes.
-    order: 12
+    order: 13
   useQueryStringForAccessToken:
     type: Boolean
     default: false
     title: Pass access token via GET query string to User Info Endpoint
     hint: (optional) Pass the access token in an `access_token` parameter attached to the GET query string of the User Info Endpoint URL. Otherwise the access token will be passed in the Authorization header.
-    order: 13
+    order: 14
   enableCSRFProtection:
     type: Boolean
     default: true
     title: Enable CSRF protection
     hint: Pass a nonce state parameter during authentication to protect against CSRF attacks.
-    order: 14
+    order: 15
diff --git a/server/modules/authentication/oidc/authentication.js b/server/modules/authentication/oidc/authentication.js
@@ -24,14 +24,16 @@ module.exports = {
         acrValues: conf.acrValues
       }, async (req, iss, uiProfile, idProfile, context, idToken, accessToken, refreshToken, params, cb) => {
         const profile = Object.assign({}, idProfile, uiProfile)
+        const picture = _.get(profile, '_json.' + conf.pictureClaim, '')
 
         try {
           const user = await WIKI.models.users.processProfile({
             providerKey: req.params.strategy,
             profile: {
               ...profile,
               email: _.get(profile, '_json.' + conf.emailClaim),
-              displayName: _.get(profile, '_json.' + conf.displayNameClaim, '')
+              displayName: _.get(profile, '_json.' + conf.displayNameClaim, ''),
+              picture: picture
             }
           })
           if (conf.mapGroups) {
diff --git a/server/modules/authentication/oidc/definition.yml b/server/modules/authentication/oidc/definition.yml
@@ -62,26 +62,33 @@ props:
     default: displayName
     maxWidth: 500
     order: 9
+  pictureClaim:
+    type: String
+    title: Picture Claim
+    hint: Field containing the user avatar URL
+    default: picture
+    maxWidth: 500
+    order: 10
   mapGroups:
     type: Boolean
     title: Map Groups
     hint: Map groups matching names from the groups claim value
     default: false
-    order: 10
+    order: 11
   groupsClaim:
     type: String
     title: Groups Claim
     hint: Field containing the group names
     default: groups
     maxWidth: 500
-    order: 11
+    order: 12
   logoutURL:
     type: String
     title: Logout URL
     hint: (optional) Logout URL on the OAuth2 provider where the user will be redirected to complete the logout process.
-    order: 12
+    order: 13
   acrValues:
     type: String
     title: ACR Values
     hint: (optional) Authentication Context Class Reference
-    order: 13
+    order: 14
