I found a potential deal breaker regarding user picture handling.
Here is the scenario:
- User A wants to see the profile of User B
- User B’s picture is not found (404 error).
While investigating, I looked into the Auth0 database and the information stored for User B.
I found that the picture URL stored in Auth0 is expired.
Afterwards I logged User B in to my application and looked at the URL stored in Auth0 again. This time, the URL had changed to the right one.
- My application retrieves the user picture using this API endpoint:
=> How do I ensure that the picture URL returned by Auth0 is always up to date?
=> It is impossible to expect other users to log in regularly for their picture to be up to date. It should be possible to see other users' pictures whether they recently logged in or not.
=> Please help, this is a very serious problem. Thank you.
I haven’t seen any documentation that confirms this, but I suspect a given user’s imported attributes (like picture, from social media or gravatar) are only updated when that user logs in. Technically it should be possible to poll external resources for changes, but the computing resources required to do so would be substantial. This might be a useful feature to add for Auth0 customers running private instances.
As an alternative, your application could store its own photo under user_metadata, and your app could include a process for keeping these images up to date.
I see what you mean, but this problem is aggravated by the fact that the picture URL is out of date even if the users have not changed their profile picture on social media. The Auth0 picture URL is somehow out of date if the user hasn’t logged in regularly (I’m not sure exactly what login frequency is required), regardless of whether the user has changed his profile picture or not. So this is bound to happen extremely frequently.
I have the same issue, and with linked profiles, so the normalised “picture” property is set to an expired Facebook URL even if the user logs in with a different connection. We can blame Facebook for the policy of expiring URLs, but Auth0 should provide a sensible default. In this case, either not display Facebook URLs at all as “normalised”, or at least prefer other connections.
Or why not just use the Graph API URL as in this Rule? https://github.com/auth0/rules/blob/master/src/rules/facebook-custom-picture.js
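The preference suggested above (take the picture from another linked connection before an expiring Facebook URL, otherwise build a Graph API URL from the Facebook user id), as an added example that is not part of the original thread and not Auth0's own code. The profile shape, the function names, the unversioned Graph host and the sample users are assumptions, and the Graph picture endpoint may require an access token depending on the API version.

```javascript
// Added example. Assumed profile shape: user.picture plus user.identities[],
// where the first identity is the primary one (its attributes sit at top level)
// and linked secondary identities carry their attributes under profileData.
const GRAPH_BASE = "https://graph.facebook.com"; // assumption: unversioned host

function identityPicture(user, identity, index) {
  const pic = index === 0
    ? user.picture
    : identity.profileData && identity.profileData.picture;
  // Only accept https URLs so a stored value cannot downgrade the page to http.
  return typeof pic === "string" && /^https:\/\//.test(pic) ? pic : null;
}

function choosePicture(user) {
  const identities = Array.isArray(user.identities) ? user.identities : [];
  let facebookId = null;
  for (let i = 0; i < identities.length; i++) {
    const id = identities[i];
    if (id.provider === "facebook") {
      // Accept numeric ids only, so the id cannot alter the URL path or query.
      const candidate = String(id.user_id);
      if (facebookId === null && /^\d+$/.test(candidate)) facebookId = candidate;
      continue; // never return the stored (expiring) Facebook CDN URL
    }
    const pic = identityPicture(user, id, i);
    if (pic) return { url: pic, source: id.provider };
  }
  if (facebookId) {
    return { url: `${GRAPH_BASE}/${facebookId}/picture?type=large`, source: "facebook-graph" };
  }
  return { url: null, source: "none" };
}

// Constructed sample users (not real accounts).
const linkedUser = {
  picture: "https://scontent.example.invalid/expired.jpg",
  identities: [
    { provider: "facebook", user_id: "1234567890" },
    { provider: "google-oauth2", user_id: "42",
      profileData: { picture: "https://lh3.example.invalid/photo.jpg" } },
  ],
};
const facebookOnlyUser = {
  picture: "https://scontent.example.invalid/expired.jpg",
  identities: [{ provider: "facebook", user_id: "1234567890" }],
};
```

Because the URL is derived at read time from the stored identities, it does not depend on when the user last logged in.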
Sorry for such a huge delay in response! We’re doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.
Wanted to reach out to know if you still require further assistance?