From 12ccc314be7b88c0893bfa1ea5d7f800dddcfd58 Mon Sep 17 00:00:00 2001
From: chrisbaker2000 <chris@withfurther.com>
Date: Thu, 5 Mar 2026 07:26:20 -0500
Subject: [PATCH] feat: display OIDC provider avatar in Console UI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Propagate the `picture` claim from OIDC providers (Google, Auth0, etc.)
and `avatar_url` from GitHub through NextAuth's JWT and session callbacks
to `session.user.image`, enabling the existing avatar rendering code in
UserProfileButton to display provider profile photos.

Also remove the explicit exclusion of `googleusercontent.com` URLs in
UserProfileButton — this filter prevented Google Workspace profile
photos from being displayed even if the image URL was available.

Changes:
- nextauth.config.ts: Add `picture` to JWT token from OIDC profile,
  pass through to `session.user.image`
- WorkspacePageLayout.tsx: Remove googleusercontent.com URL filter
  in UserProfileButton avatar rendering
---
 .../console/components/PageLayout/WorkspacePageLayout.tsx | 2 +-
 webapps/console/lib/nextauth.config.ts                    | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/webapps/console/components/PageLayout/WorkspacePageLayout.tsx b/webapps/console/components/PageLayout/WorkspacePageLayout.tsx
index cb9a8fedb..6c15e3f8e 100644
--- a/webapps/console/components/PageLayout/WorkspacePageLayout.tsx
+++ b/webapps/console/components/PageLayout/WorkspacePageLayout.tsx
@@ -339,7 +339,7 @@ const UserProfileButton: React.FC<{}> = () => {
       trigger={["click"]}
     >
       <div className="h-8 w-8 cursor-pointer">
-        {user.image && user.image.indexOf("googleusercontent.com/") < 0 ? (
+        {user.image ? (
           <img className="rounded-full w-8 h-8" src={user.image} about="userpic" alt="" width="100" height="100" />
         ) : (
           <FaUserCircle className="text-primary w-full h-full" />
diff --git a/webapps/console/lib/nextauth.config.ts b/webapps/console/lib/nextauth.config.ts
index a853d4d75..af3cc95e2 100644
--- a/webapps/console/lib/nextauth.config.ts
+++ b/webapps/console/lib/nextauth.config.ts
@@ -163,6 +163,9 @@ export const nextAuthConfig: NextAuthOptions = {
         mustChangePassword: user.mustChangePassword,
         externalUsername: props.profile?.["login"],
         loginProvider: loginProvider,
+        // Propagate avatar from OIDC/GitHub profile to the JWT token.
+        // Google OIDC uses "picture", GitHub uses "avatar_url".
+        picture: props.token.picture || props.profile?.["picture"] || props.profile?.["avatar_url"],
         ...props.token,
       };
     },
@@ -174,6 +177,11 @@ export const nextAuthConfig: NextAuthOptions = {
         loginProvider: token.loginProvider,
         externalId: token.externalId,
         externalUsername: token.externalUsername,
+        // Pass avatar URL to session so UI can render provider profile photos
+        user: {
+          ...session.user,
+          image: (token.picture as string | undefined) || session.user?.image,
+        },
       };
     },
   },