SSO avatar not updating when using URLs from my site

Hello, I hope someone can help me with this.

I’m using the WordPress discourse plugin with WordPress as my SSO provider. I’m trying to set the avatar_url from a custom user meta field populated with a gravity form.

When I view the logs I can see that the correct avatar_url is coming in with the payload.

Here is the function I’m using to insert the avatar_url into the SSO payload. I’ve also tried using the wpdc_sso_params filter with the same results.

add_filter( 'wpdc_sso_avatar_url', 'gn_use_custom_avatar', 10, 2 );
function gn_use_custom_avatar( $avatar_url, $user_id ) {
    if ( get_user_meta( $user_id, 'user_avatar', true ) ) {
        $avatar_url = get_user_meta( $user_id, 'user_avatar', true );
    }
    return $avatar_url;
}

Stranger still, if I set the $avatar_url to a random image hosted on another site I will see the avatar image update.

I’ve tried using the curl command from my discourse’s docker instance on the avatar URL in the user’s meta and I’m not getting any errors. So, I’m at a loss at how to proceed.

Any idea?

1 Like

Does the WP site have an SSL certificate? (http vs https in the avatar_url)

Is Discourse forcing https? Settings > Security > force https

No SSL certificate on the wordpress site and discourse isn’t forcing https. I’ve tested passing https vs http images hosted on other sites and they always work.

Try pinging the wordpress server from inside the discourse server and see what kind of IP it resolves to.

Discourse has protections against getting abused as a bridge from a public network to internal networks, so if your wordpress SSO is running on a Private network - Wikipedia you will need to add the server to a whitelist, see Whitelisting internal hosts for crawling

2 Likes