add avatar URL

internal/api/oidc/op.go

@@ -126,6 +126,7 @@ func NewServer(
 		fallbackLogger:      fallbackLogger,
 		hashAlg:             crypto.NewBCrypt(10), // as we are only verifying in oidc, the cost is already part of the hash string and the config here is irrelevant.
 		signingKeyAlgorithm: config.SigningKeyAlgorithm,
+		assetAPIPrefix:      assets.AssetAPI(externalSecure),
 	}
 	metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
 	server.Handler = op.RegisterLegacyServer(server, op.WithHTTPMiddleware(

internal/api/oidc/server.go

@@ -26,6 +26,7 @@ type Server struct {
 	fallbackLogger      *slog.Logger
 	hashAlg             crypto.HashAlgorithm
 	signingKeyAlgorithm string
+	assetAPIPrefix      func(ctx context.Context) string
 }
 
 func endpoints(endpointConfig *EndpointConfig) op.Endpoints {

internal/api/oidc/userinfo.go

@@ -60,7 +60,7 @@ func (s *Server) getUserInfoWithRoles(ctx context.Context, userID, projectID str
 		}
 	}
 
-	userInfo := userInfoToOIDC(userInfoResult.userInfo, scope)
+	userInfo := userInfoToOIDC(userInfoResult.userInfo, scope, s.assetAPIPrefix(ctx))
 	setUserInfoRoleClaims(userInfo, assertRolesResult.projectsRoles)
 
 	return userInfo, s.userinfoFlows(ctx, userInfoResult.userInfo, assertRolesResult.userGrants, userInfo)
@@ -150,7 +150,7 @@ func (s *Server) assertRoles(ctx context.Context, userID, projectID string, scop
 	}
 }
 
-func userInfoToOIDC(user *query.OIDCUserInfo, scope []string) *oidc.UserInfo {
+func userInfoToOIDC(user *query.OIDCUserInfo, scope []string, assetPrefix string) *oidc.UserInfo {
 	out := new(oidc.UserInfo)
 	for _, s := range scope {
 		switch s {
@@ -159,7 +159,7 @@ func userInfoToOIDC(user *query.OIDCUserInfo, scope []string) *oidc.UserInfo {
 		case oidc.ScopeEmail:
 			out.UserInfoEmail = userInfoEmailToOIDC(user.User)
 		case oidc.ScopeProfile:
-			out.UserInfoProfile = userInfoProfileToOidc(user.User)
+			out.UserInfoProfile = userInfoProfileToOidc(user.User, assetPrefix)
 		case oidc.ScopePhone:
 			out.UserInfoPhone = userInfoPhoneToOIDC(user.User)
 		case oidc.ScopeAddress:
@@ -192,14 +192,14 @@ func userInfoEmailToOIDC(user *query.User) oidc.UserInfoEmail {
 	return oidc.UserInfoEmail{}
 }
 
-func userInfoProfileToOidc(user *query.User) oidc.UserInfoProfile {
+func userInfoProfileToOidc(user *query.User, assetPrefix string) oidc.UserInfoProfile {
 	if human := user.Human; human != nil {
 		return oidc.UserInfoProfile{
-			Name:       human.DisplayName,
-			GivenName:  human.FirstName,
-			FamilyName: human.LastName,
-			Nickname:   human.NickName,
-			// Picture:    domain.AvatarURL(o.assetAPIPrefix(ctx), user.ResourceOwner, user.Human.AvatarKey),
+			Name:              human.DisplayName,
+			GivenName:         human.FirstName,
+			FamilyName:        human.LastName,
+			Nickname:          human.NickName,
+			Picture:           domain.AvatarURL(assetPrefix, user.ResourceOwner, user.Human.AvatarKey),
 			Gender:            getGender(human.Gender),
 			Locale:            oidc.NewLocale(human.PreferredLanguage),
 			UpdatedAt:         oidc.FromTime(user.ChangeDate),