Use Identity Provider token to access provider's API

Hey Guys, Is it possible to get the profile picture of the user signed in with an Identity Provider?

I am using an Identity Provider to get a token for my authorization server, so I am not sure if I can use that token to access the providers API , say Google’s for example.

Any help would be appreciated, if you can link me a guide or docs that would be even better :smiley:

Are you using Okta, or are you just asking a general question?

Yes I am using okta.

You could use the profileUrl field to store an image reference in it. Otherwise, you could add a custom attribute that’s named profilePic or something like. We only store JSON, but you could encode it and then reference it in an <img> tag.

<img src="data:image/jpeg;base64,{{image-data-stored-in-custom-attribute}}">

And can I use the token I get from the Identity Provider to get the picture from the user’s provider profile?

Yes, you can. You have to configure your authorization server to include the claim in your tokens though. Here’s how to include groups in a token. I’m pretty sure you can do the same with custom attributes.

Log in to your Okta tenant, then navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it “groups” or “roles”, and include it in the ID Token. Set the value type to “Groups” and set the filter to be a Regex of .*.