Providing option to disable gravatar from your Auth0 universal login page

Feature:

Providing an option for gravatar to be disabled from universal login pages

Description:

At the moment, there isn't a way to disable the gravatar service from the Auth0 universal login page. While there is a way to disable it if you use the auth0-lock library, there isn't one for those using the hosted universal login page.

404s from gravatar are picked up by our website monitoring service as most users do not tend to have a gravatar account registered.

These calls are made during email input on the login page, i.e. pre-authentication and pre-login. Therefore neither Rules nor Actions can be used as a workaround to prevent the gravatar service from being called or to prevent the 404s from being thrown in the browser.

Use-case:

See above please

This is an Information Disclosure security hole.

Every user “securely” logs into Auth0 but then gravatar_dot_com and/or wp_dot_com get that login frequency, MAU, etc. My company doesn’t have a business relationship with gravatar nor wp, nor can I consent on behalf of my customers for their information to be disclosed to this 3rd party site they didn’t visit.

Suggestion: Add an Auth0 API endpoint to check if the user has registered avatar. If not, return the default URL to https://cdn.auth0.com/avatars/ds.png where you already host the default image. If a user adds their own (and has explicitly accepted the privacy policies of wp_dot_com and gravatar_dot_com), then the API returns that location and you pull down their custom avatar. That’s a secure, privacy-compliant way of accomplishing your goal.

This would neither leak traffic to a 3rd party site nor introduce a privacy policy compliance issue, since I have a business relationship with Auth0 for the IDS.
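The server-side avatar lookup proposed above, sketched as an added example (not Auth0's code or API): the browser never contacts gravatar; a backend function checks whether an opted-in user has an avatar, using Gravatar's documented `d=404` parameter, and otherwise returns the Auth0-hosted default. The `resolve_avatar` name, the `opted_in` flag and the injectable `head` function are assumptions for illustration.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable

# Auth0's hosted default avatar, as quoted in the post above.
DEFAULT_AVATAR = "https://cdn.auth0.com/avatars/ds.png"
GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def gravatar_url(email: str) -> str:
    """Build the Gravatar URL for an address (trimmed, lower-cased, MD5-hashed),
    with d=404 so Gravatar answers 404 instead of serving a placeholder image."""
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    return f"{GRAVATAR_BASE}{digest}?d=404"


def http_head(url: str, timeout: float = 3.0) -> int:
    """Server-side HEAD request returning the HTTP status code (real network call,
    used only when the caller wires it in; tests inject a fake instead)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def resolve_avatar(email: str, opted_in: bool,
                   head: Callable[[str], int] = http_head) -> str:
    """Return the avatar URL the login page should render.

    opted_in: the user explicitly accepted the third-party privacy policy
              (hypothetical consent flag stored with the user profile).
    head:     performs the HEAD request from the backend, so the visitor's
              browser, IP and login timing are never exposed to gravatar.
    """
    if not opted_in:
        return DEFAULT_AVATAR          # no third-party request at all
    url = gravatar_url(email)
    return url if head(url) == 200 else DEFAULT_AVATAR


if __name__ == "__main__":
    # Constructed sample: a user who never consented gets the default image.
    print(resolve_avatar("user@example.com", opted_in=False))
```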