Avatar passed in through SSO is being replaced with generic avatar

We have a community where we have a preset list of default avatars listed in settings. We also have sso_overrides_avatar set to true, and we pass up our own avatar URL when a user logs in through our SSO implementation. However, when users log in through SSO, we are seeing an issue where sometimes they get one of Discourse’s generic avatars instead of the one we specified in the SSO payload.

We are on an instance hosted by Discourse. This started happening around June 24th. We’ve had this setup for two years and have not changed anything on our end, so we suspect it’s due to a recent Discourse update.

This avatar does not match any of the default avatars we specified in our settings, nor the avatar that we passed in. When I look at the SSO information tied to the account, the profile picture URL is correctly listed as the one we passed in, but the visible picture does not match that URL. Note that we also pass up avatar_force_update = true in the payload.

This profile picture URL is the correct URL, but the image on the profile does not match it.

Turns out this is a bug on our end, one or more of the default avatar URLs threw an error, so it would default to a Discourse image.