SSO based avatars and connecting with Users

So I've been trying to use a picture claim in our OIDC JWT that is a URL to an image store without additional authentication. We use Entra, so normally userinfo points to the Graph endpoint, and without adding a bearer token that will fail.

Looking at omniauth for OIDC, it seems like picture is added to the user, so I've been toying with that.

First off, we needed to spoof the discovery doc to remove the userinfo endpoint, which allows the JWT claims to be accessible versus only what is in userinfo. This seems to work well: based on content in the associated_user_accounts table and verbose OIDC log events, I can see the picture claim is verified and stored.

I can see indications in the uploads table that import_url_for_user seems to be working, but the “user_avatar///.png” is a dead end.

I have toyed with the Discourse Connect avatar settings, and I don’t think this model counts as an external system, but I tried that as well. I also added the avatar server domain name to the “internal host” list as we were thinking SSRF, but that doesn’t seem to be the case. For users I see that “Custom Picture” is enabled, but the link appears broken, so I'm not sure if it's trying and just can’t turn the corner.

Has anyone had some success here using JWT claims to provide the avatar URL, and maybe can call out what I am missing? Is there some debugging around user_avatar that I can dig into that might shed some light?
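As an added example for the troubleshooting above (not part of the original post, and not Discourse's or omniauth's code): a stdlib-only Ruby script that signs a constructed ID token, verifies it, pulls out the `picture` claim and reports why a given avatar URL would or would not be safe to fetch. It uses HS256 with a constructed secret purely so the signature check can run offline; real Entra ID tokens are RS256 and are verified against the tenant's published JWKS. The host allowlist, the private-range list and the image-extension check are this example's own policy, not Discourse's avatar pipeline, and the secret, hostnames and claims are all constructed.

```ruby
require 'json'
require 'openssl'
require 'uri'
require 'ipaddr'

# --- base64url helpers (RFC 7515 section 2), stdlib only ---
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict decode: raises ArgumentError on junk
end

# Constant-time byte comparison so a forged signature cannot be timed against the real one.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build an HS256-signed JWT from a claims hash. Only here so the example can produce a
# verifiable token offline (constructed secret); production tokens from Entra are RS256.
def sign_hs256(claims, secret)
  header  = b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url_encode(JSON.generate(claims))
  sig = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url_encode(sig)}"
end

# Verify the signature (and exp, if present) and return the claims hash, or nil on any failure.
def verify_hs256(token, secret, now: Time.now.to_i)
  parts = token.split('.')
  return nil unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  return nil unless header['alg'] == 'HS256' # pin the algorithm; never trust the token's own choice
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
  return nil unless secure_equal?(expected, b64url_decode(parts[2]))
  claims = JSON.parse(b64url_decode(parts[1]))
  return nil if claims['exp'] && claims['exp'].to_i <= now
  claims
rescue JSON::ParserError, ArgumentError
  nil
end

# Address ranges an avatar fetcher should never be pointed at (the SSRF concern raised in the post).
PRIVATE_RANGES = %w[
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16 0.0.0.0/8 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Return the reasons a URL should not be fetched as an avatar; an empty list means acceptable.
# Allowlist, private-range and extension checks are this example's policy, not Discourse's.
def avatar_url_problems(url, allowed_hosts)
  uri = begin
    URI.parse(url.to_s)
  rescue URI::InvalidURIError
    return ['unparseable URL']
  end
  problems = []
  problems << "scheme #{uri.scheme.inspect} is not https" unless uri.scheme == 'https'
  if uri.host.nil? || uri.host.empty?
    # This is what a value like "user_avatar///.png" looks like: no scheme, no host, only a path.
    problems << 'no host (relative or malformed URL)'
    return problems
  end
  host = uri.host.delete_prefix('[').delete_suffix(']') # IPv6 literals arrive bracketed
  literal = begin
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil
  end
  if literal
    problems << "host is an IP literal in a private/reserved range (#{host})" if PRIVATE_RANGES.any? { |r| r.include?(literal) }
  elsif !allowed_hosts.include?(host.downcase)
    problems << "host #{host} is not on the avatar host allowlist"
  end
  problems << 'path does not end in an image extension' unless uri.path =~ /\.(png|jpe?g|gif|webp)\z/i
  problems
end

# Verify the token, pull the picture claim and evaluate it in one call.
def check_picture_claim(token, secret, allowed_hosts)
  claims = verify_hs256(token, secret)
  return { status: :invalid_token } if claims.nil?
  return { status: :no_picture_claim } unless claims['picture']
  problems = avatar_url_problems(claims['picture'], allowed_hosts)
  { status: problems.empty? ? :ok : :rejected, picture: claims['picture'], problems: problems }
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret' # constructed; never a real signing key
  good = sign_hs256({ 'sub' => 'user-1', 'picture' => 'https://avatars.example.test/user-1.png' }, secret)
  bad  = sign_hs256({ 'sub' => 'user-2', 'picture' => 'https://10.0.0.5/user-2.png' }, secret)
  { 'good' => good, 'bad' => bad }.each do |name, tok|
    puts "#{name}: #{check_picture_claim(tok, secret, ['avatars.example.test']).inspect}"
  end
end
```

Running this against the exact string a log shows being handed to the avatar importer tells you whether the value failed on the URL itself (no scheme or host, off-allowlist host, private address) before you go looking at the upload pipeline.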