SSO 与外部头像

mentalstring · 2021 年6 月 2 日 11:44

When using SSO with sso overrides avatar: true, Discourse seems to download the avatar and always serve it locally instead of linking directly to the URL provided.

Would it make more sense to allow avatars to serve directly from the avatar_url provided? As is, for each avatar shown it hits Discourse backend somewhat needlessly. Perhaps this could be a SSO option?

If the concern is that avatars may go missing, that could be handled with the image onerror event that fallback’s src to the locally downloaded copy (or show a default one). What I don’t know is if too large avatars images can be constrained with CSS alone.

DrewH · 2021 年6 月 2 日 14:05

I believe disabling download_remote_images_to_local should solve your issue, although this will also serve images within posts remotely instead of locally.

mentalstring · 2021 年6 月 2 日 14:44

That seems to be only for images in posts — or perhaps for local avatar too, when they are not overwritten by SSO.

DrewH · 2021 年6 月 2 日 14:49

Interesting. I know that the OIDC Plugin allows you to override email on every login, maybe something like this would be possible for avatar’s being overwritten by SSO as well.

Falco · 2021 年6 月 2 日 16:24

If the SSO avatar is in the format of https://central.avatar.service/<username> you can use the external_system_avatars_url site setting to get this feature.

mentalstring · 2021 年6 月 2 日 17:14

It’s not in our case (they are served from S3) — and it’s unlikely to usually be in that format so that it can be efficiently cached.

mentalstring · 2024 年2 月 19 日 10:52

两年后对此进行跟进，因为我认为我之前误解了某些内容，但我仍然认为这里有一个简单的性能提升机会。

以前我认为头像存储在本地（Discourse 服务器本身），并且想知道为什么它们不直接从 SSO 外部头像 URL 提供服务，而是命中 Discourse。但是，在进行一些检查后，我现在看到来自 SSO 的外部头像已经上传到对象存储（例如 S3）并具有所需的多种尺寸。

所以，如果我理解正确，目前 Discourse 正在将头像从对象存储代理到客户端。但是，这种行为似乎仅限于使用 SSO 外部头像时，因为这里的头像来自（CDN 化的）对象存储。但是，当使用带有外部 URL 的 SSO 时，头像 URL 的形式为

https://discourse-host/user_avatar/discourse-host/{username}/{size}/{uploadid}_{version}.png

其中每次显示头像时都会命中 rails（在被客户端缓存之前）。

而且，如果我理解代码，甚至还有一个设置允许重定向而不是代理，但那时它已经命中 rails，并且重定向只会增加客户端的加载时间。

github.com/discourse/discourse

app/controllers/user_avatars_controller.rb

a64f558f3


      
          elsif upload && optimized = get_optimized_image(upload, size)
            if optimized.local?
              optimized_path = Discourse.store.path_for(optimized)
              image = optimized_path if File.exist?(optimized_path)
            elsif GlobalSetting.redirect_avatar_requests
              return redirect_s3_avatar(Discourse.store.cdn_url(optimized.url))
            else
              return proxy_avatar(Discourse.store.cdn_url(optimized.url), upload.created_at)
            end
          end

直接将头像链接到对象存储（可能从 CDN 提供服务）而不是同时释放一些 rails 资源，岂不是更快？/cc @Falco

Falco · 2024 年2 月 19 日 16:29

并非如此。默认情况下，Discourse 会代理头像请求，就像你在你的站点上看到的那样。

但是，去年我们引入了一个可以通过环境变量 DISCOURSE_REDIRECT_AVATAR_REQUESTS=1 启用的设置，以触发你在这里看到的行为。

话题		回复	浏览量
Allow polling avatar from URI Feature	2	454	2023 年9 月 24 日
Is it possible to "hotlink" SSO avatars? SSO	5	2474	2016 年5 月 28 日
SSO avatar not updating when using URLs from my site SSO	3	1597	2018 年10 月 16 日
Avatars not pulling from SSO SSO	10	2046	2019 年4 月 29 日
Can't get avatar overrides to work over SSO Support	3	2444	2024 年6 月 8 日

SSO 与外部头像

相关话题