User avatar with custom oauth?

Description

We are using a self-hosted Keycloak as our oauth server, which works well enough for login. The issue is that we don’t see the user’s avatar image provided. The settings for the custom oauth provider:

url: https://keycloak-test.example/auth
token path: /realms/master/protocol/openid-connect/token
token sent via: Header
identity token sent via: Same as “Token Sent Via”
identity path: /realms/master/protocol/openid-connect/userinfo
authorization path: /realms/master/protocol/openid-connect/auth
scope: openid
param name for access token: access_token
id: rocket-chat-client
username field: preferred_username
Roles/Groups field name: groups
avatar field: picture
user data group map: rocket.cat
Map Roles/Groups to channels: false
Merge Roles from SSO: false
Merge users: false
Show Button on Login Page: true

Example response from https://keycloak-test.example/auth/realms/master/protocol/openid-connect/userinfo :

{
  "sub": "34218f1b-06d9-4afd-a9dd-4421b23b183a",
  "email_verified": true,
  "name": "Albert Einsetin",
  "groups": [
    "create-realm",
    "offline_access",
    "uma_authorization"
  ],
  "preferred_username": "lightrider",
  "given_name": "Albert",
  "family_name": "Einstein",
  "picture": "https://pm1.narvii.com/6820/8350be28ffe79ba6c375c171473ddb2fbf9ca166v2_hq.jpg",
  "email": "lightrider@example"
}

Server Setup Information

  • Version of Rocket.Chat Server: 3.11.1
  • Operating System: Ubuntu 18.04 LTS
  • Deployment Method: Docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version:
  • Proxy: nginx
  • Firewalls involved:

Any additional Information

The first thing to do is test it on the latest version - currently 3.13.1

Things move so fast that this could have been fixed already!

A good search in GitHub issues, both open and closed, is worth doing as well. I am sure I have seen something similar before but don’t remember where.

I’ll keep my eyes open for it.

Thanks for the reply. I’ll be sure to do both. Just one thing: is the avatar sync meant to be done at the start of any new oauth session or only at specific points of the lifecycle? Also, which source file should I probably be looking at, and how would I enable debug logging?

Have updated to latest server, but not seeing a difference. Also, the closest I saw was the following ticket, but based on the last response it is unclear whether it was fully resolved:

Hi.

Looks like that was merged at 1.0 but might still be problematic.

Have a good hunt in issues, both open & closed.

If it still exists we may need a new bug.