🚀 Feature: Ability for users to set a profile picture #452

Closed
opened 2025-10-07 00:15:24 +03:00 by OVERLORD · 16 comments

Originally created by @acidRain-burns on GitHub.

Feature description

Allow users to set and change their profile picture, and allow this to be provided to client applications when requested. A simple input like what is already offered for OIDC Client settings should suffice. If it makes more sense or is too much overhead, allowing users to set their own URL or letting server owners set their own avatar service might be a better option.

Pitch

There are many client applications Pocket ID is working really well for, and many of them have profile picture imports. It would be nice for people to be able to set their picture once, and have it show up everywhere without them or me needing to mess with Gravatar (though the inclusion of Gravatar is a great feature!).

OVERLORD added the feature label 2025-10-07 00:15:24 +03:00

@simono41 commented on GitHub:

> @simono41 Thanks, I've checked it out but it seems Homarr doesn't use the profile pictures of the OIDC provider.

Try version 1.0 of Homarr. I had seen that there.

https://github.com/homarr-labs/homarr


@simono41 commented on GitHub:

As far as I know homarr uses this profile picture import function.


@stonith404 commented on GitHub:

I'm working on this feature at the moment but I'm unsure how I should handle the authorization for the profile picture URL. Should the URL be accessible publicly or only with an access token?

Do you have a few examples of client applications that support importing the profile picture from an OIDC Provider? This would help me to decide how I should handle the authorization.


@stonith404 commented on GitHub:

@simono41 I've tried Homarr 1.0 and also looked into the code but I don't think they support it. Are you sure that the profile image was taken from the OIDC provider? Which OIDC provider do you use?


@stonith404 commented on GitHub:

@simono41 Thanks, I've checked it out but it seems Homarr doesn't use the profile pictures of the OIDC provider.


@simono41 commented on GitHub:

> @simono41 I've tried Homarr 1.0 and also looked into the code but I don't think they support it. Are you sure that the profile image was taken from the OIDC provider. Which OIDC provider do you use?

I'm sorry

I thought they would support this because I can't upload a profile picture there. I looked again on the internet and with Gitlab it should be possible by having the profile picture as a URL (i.e. publicly available without authentication) in the user info, but it can also be included in the ID token (don't know exactly what that is).

https://docs.gitlab.com/ee/integration/openid_connect_provider.html


@stonith404 commented on GitHub:

@simono41 Thanks. Yeah the profile picture URL is accessible without authentication. In GitLab this makes sense as the profile picture can be viewed without an account.

However, since Pocket ID is not a public service, it probably makes more sense to protect the profile picture endpoint. The challenge I’m facing is figuring out the best way to secure it, especially since I’m not entirely sure how clients will be accessing the profile pictures.


@stonith404 commented on GitHub:

@acidRain-burns Thanks for the example. The application downloads the image on sign in. If you have other examples it would be great if you can share them.

If every client application downloads the profile image on sign in, I could just create a link that's only valid for a short time period. But I suspect that there are client applications that directly use the profile picture URL without downloading the image.

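The short-lived link idea from the comment above, worked through as an added example; this is not Pocket ID's code, and the endpoint path `/api/users/{id}/profile-picture`, the 5-minute lifetime and the hard-coded signing key are all assumptions made for the example. The server puts an HMAC-signed, expiring URL into the standard OIDC `picture` claim of the userinfo response; the picture endpoint verifies expiry and signature (bound to the user id in the path) before serving any bytes, so a client that downloads the image at sign-in works without the endpoint being public, while a link copied later, or re-pointed at another user, is rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// signingKey is a constructed key for this example only; a real server would
// load it from configuration and rotate it.
var signingKey = []byte("example-key-do-not-use-in-production")

// pictureTTL is the assumed lifetime of a picture link: long enough for a client
// that downloads the image right after sign-in, short enough to limit reuse.
const pictureTTL = 5 * time.Minute

// userInfo holds the standard OIDC userinfo claims this example fills in.
type userInfo struct {
	Sub     string `json:"sub"`
	Name    string `json:"name,omitempty"`
	Picture string `json:"picture,omitempty"`
}

// signPicture binds the user id and the expiry into one MAC, so neither can be
// swapped without invalidating the link.
func signPicture(userID, expStr string) string {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(userID + "\n" + expStr))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// signedPictureURL builds a link to the assumed /api/users/{id}/profile-picture
// endpoint that the endpoint will accept until exp.
func signedPictureURL(baseURL, userID string, exp time.Time) string {
	expStr := strconv.FormatInt(exp.Unix(), 10)
	q := url.Values{}
	q.Set("exp", expStr)
	q.Set("sig", signPicture(userID, expStr))
	return fmt.Sprintf("%s/api/users/%s/profile-picture?%s",
		baseURL, url.PathEscape(userID), q.Encode())
}

// userInfoJSON renders the userinfo response with a freshly signed picture link.
func userInfoJSON(baseURL, userID, name string, now time.Time) ([]byte, error) {
	return json.Marshal(userInfo{
		Sub:     userID,
		Name:    name,
		Picture: signedPictureURL(baseURL, userID, now.Add(pictureTTL)),
	})
}

// verifyPictureRequest is what the picture endpoint runs before serving bytes:
// the link must be unexpired and its signature must match the user id in the path.
func verifyPictureRequest(userID string, q url.Values, now time.Time) error {
	expStr := q.Get("exp")
	expUnix, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil {
		return errors.New("missing or malformed exp")
	}
	if now.Unix() > expUnix {
		return errors.New("picture link expired")
	}
	if !hmac.Equal([]byte(signPicture(userID, expStr)), []byte(q.Get("sig"))) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	now := time.Now()
	body, _ := userInfoJSON("https://id.example.invalid", "u1", "Alice", now)
	fmt.Println(string(body))
	u, _ := url.Parse(signedPictureURL("https://id.example.invalid", "u1", now.Add(pictureTTL)))
	fmt.Println("verify:", verifyPictureRequest("u1", u.Query(), now))
}
```

A client that stores the `picture` URL and hotlinks it later (rather than downloading at sign-in) will start getting rejections once the link expires; that is the trade-off the comment above raises, and the lifetime is the knob to tune per deployment.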

@acidRain-burns commented on GitHub:

Personally, I'm not too concerned about the profile pictures being publicly available; but all my services have access to the same private network and reverse proxy.

Sorry this took so long to respond to though; I can track down a few more but here is how KitchenOwl does the import: https://github.com/TomBursch/kitchenowl/blob/8da1fb8aa33ef09d4b2ab56d05a9464c1fe49e2f/backend/app/controller/auth/auth_controller.py#L386

Let me know if you need more / different examples.


@33Fraise33 commented on GitHub:

2 things that pop up:

  1. Maybe use the Gravatar profile picture if none is set (available by user email)
  2. Allow the user to provide a URL to the profile picture which is then directly provided in the OIDC request; if it is copied it will be downloaded to the OIDC client, if it is not it will use the external URL as the profile picture, not relying on Pocket ID as the image provider.

@kmendell commented on GitHub:

> @helmut72 Is `jpegPhoto` an actual image or a link?

@stonith404 jpegPhoto from ldap is the actual image data itself stored in ldap as far as i know.

I'll test this feature later today once I get back home.


@helmut72 commented on GitHub:

Nextcloud also supports profile picture from OIDC. Have tried it with Zitadel.

Would be cool if profile picture is used from jpegPhoto attribute if LDAP is used for user management. Then, user does have a single place to change his profile picture.


@acidRain-burns commented on GitHub:

I'd like it if Pocket ID could supply the picture, but being able to set another URL works too. It might be too many options to have both, so if I had to choose only one I'd pick letting users upload them, but I think your suggestion is a great one @33Fraise33; I know I can make it work for my deployment.


@stonith404 commented on GitHub:

@helmut72 Is `jpegPhoto` an actual image or a link?


@stonith404 commented on GitHub:

I'm almost done. In case someone wants to test it you can use the ghcr.io/pocket-id/pocket-id:development image.


@helmut72 commented on GitHub:

> @helmut72 Is `jpegPhoto` an actual image or a link?

jpegPhoto is a base64 encoded attribute:
https://www.openldap.org/faq/data/cache/165.html

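The two comments above establish that `jpegPhoto` carries the image bytes themselves, base64-encoded when written out as LDIF. As an added example (not Pocket ID's code), here is the decode-and-validate step a server syncing avatars from LDAP would want before serving the bytes to clients: decode the LDIF `jpegPhoto::` value, enforce a size cap, and confirm the result is a decodable JPEG with sane dimensions, so that whatever a directory user managed to write into the attribute cannot be served as some other content type. The 512 KiB and 2048 px limits are assumptions for the example, and the sample attribute value is constructed in-process from a tiny generated JPEG so the code runs offline.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/jpeg"
	"strings"
)

// Assumed limits for an avatar pulled from the directory.
const (
	maxPhotoBytes = 512 * 1024
	maxPhotoSide  = 2048
)

// constructedJPEG builds a tiny solid-colour JPEG in memory; it stands in for
// a real jpegPhoto value so the example needs no LDAP server or files.
func constructedJPEG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 8, 8))
	for y := 0; y < 8; y++ {
		for x := 0; x < 8; x++ {
			img.Set(x, y, color.RGBA{R: 200, G: 50, B: 50, A: 255})
		}
	}
	var buf bytes.Buffer
	if err := jpeg.Encode(&buf, img, nil); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// ldifValue renders a binary attribute the way LDIF carries it: "attr:: <base64>".
func ldifValue(attr string, raw []byte) string {
	return attr + ":: " + base64.StdEncoding.EncodeToString(raw)
}

// decodeLDIFPhoto accepts a "jpegPhoto:: <base64>" line and returns the raw bytes.
// A single-colon "jpegPhoto: ..." line is rejected: that form would be text, not image data.
func decodeLDIFPhoto(line string) ([]byte, error) {
	const prefix = "jpegPhoto:: "
	if !strings.HasPrefix(line, prefix) {
		return nil, errors.New("not a base64 jpegPhoto line")
	}
	return base64.StdEncoding.DecodeString(strings.TrimSpace(strings.TrimPrefix(line, prefix)))
}

// validateAvatar rejects anything that is not a size-bounded, decodable JPEG
// and returns its dimensions. The SOI check is a cheap pre-filter; the real
// decision is jpeg.DecodeConfig, which parses the headers.
func validateAvatar(data []byte) (width, height int, err error) {
	if len(data) > maxPhotoBytes {
		return 0, 0, fmt.Errorf("photo too large: %d bytes", len(data))
	}
	if !bytes.HasPrefix(data, []byte{0xFF, 0xD8, 0xFF}) {
		return 0, 0, errors.New("missing JPEG SOI marker")
	}
	cfg, err := jpeg.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return 0, 0, fmt.Errorf("not a decodable JPEG: %w", err)
	}
	if cfg.Width > maxPhotoSide || cfg.Height > maxPhotoSide {
		return 0, 0, fmt.Errorf("dimensions %dx%d exceed avatar limit", cfg.Width, cfg.Height)
	}
	return cfg.Width, cfg.Height, nil
}

func main() {
	line := ldifValue("jpegPhoto", constructedJPEG())
	raw, err := decodeLDIFPhoto(line)
	if err != nil {
		panic(err)
	}
	w, h, err := validateAvatar(raw)
	fmt.Println("valid avatar:", w, h, err)
	_, _, err = validateAvatar([]byte("<svg onload=alert(1)></svg>"))
	fmt.Println("rejected:", err)
}
```

Serving the validated bytes with a fixed `Content-Type: image/jpeg` and `X-Content-Type-Options: nosniff` completes the picture: the directory decides the pixels, the server decides the content type.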
Reference: starred/pocket-id#452