**Is your feature request related to a problem? Please describe.**
In enterprise environments using SSO (Microsoft Entra, Okta, etc.), users expect a seamless transition between their Identity Provider (IdP) and their service providers. Currently, Bitwarden relies on Identicons, leaving the UI with generic letter-based icons. This makes the “Admin Console > Members” list and the “Account Switcher” less intuitive for organizations with hundreds of users.
**Describe the solution you’d like**

I propose that Bitwarden Server (and subsequently the clients) supports fetching and serving user profile photos directly from the configured SSO provider.
1. Backend Synchronization (Server-side)
- OIDC Standard: During the SSO callback, the server should check for the standard `picture` claim.
- Microsoft Graph API Integration: For Microsoft Entra ID, provide an optional configuration to fetch the user’s high-resolution photo via the Graph API (`/users/{id}/photo/$value`) using the `access_token` granted during login.
- Storage & Caching: Store the binary data in the Bitwarden database (or blob storage) as part of the User profile, similar to how user metadata is handled during Directory Sync.
2. API & Client Integration
Instead of patching individual client UIs, Bitwarden should provide a native way to serve these avatars:
- Identity API: Enhance the `/identity/accounts/` response to include a `profilePictureUrl`.
- Avatar Proxy: Create a dedicated, authenticated endpoint: `https://api.bitwarden.com/user-avatar/{user_id}`.
- Cross-Platform Support: Once the API provides a URL, the Web Vault, Mobile apps, and Desktop clients can natively render the image instead of generating a local Identicon.
3. Administrative UI Enhancement
- Organization Members List: Display the synced SSO photo in the Organization Admin Console under the Members table. This allows admins to visually verify identities during audits.
- Personal Profile: Show the synced photo in the top-right account menu across all clients.
**Additional context**

This feature aligns Bitwarden with other enterprise tools (like Slack, Zoom, or Jira) that automatically pull profile data from the IdP.
Proposed Logic:
- User logs in via SSO.
- Bitwarden Server checks the `SSOSyncAvatar` configuration.
- If enabled, Server fetches binary data from the provider (e.g., Graph API).
- Server caches/stores the image and updates the user profile metadata.
- All Bitwarden clients (Web/Mobile/Desktop) check the `profilePictureUrl` field; if present and accessible, they render the image instead of an Identicon.
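The flow above as an added example sketch (not Bitwarden code, and in Python rather than the server's C#): it picks the photo source from the claims and the proposed `SSOSyncAvatar` setting, then only keeps a fetched image that passes scheme, host, content-type and size checks, falling back to the Identicon otherwise. The `SsoConfig` fields, the `fetch` callable, the size cap and the sample claims are all assumptions of this example.

```python
"""Sketch of the proposed SSO avatar sync (added example, not Bitwarden's code).
Assumed: an OIDC claims dict, an `SsoConfig` carrying the proposed SSOSyncAvatar
flag, and an injectable `fetch(url, headers) -> (status, content_type, body)`."""
from dataclasses import dataclass
from urllib.parse import urlparse

GRAPH_PHOTO = "https://graph.microsoft.com/v1.0/users/{id}/photo/$value"
ALLOWED_TYPES = {"image/jpeg", "image/png"}
MAX_BYTES = 512 * 1024  # assumed cap on a stored avatar


@dataclass
class SsoConfig:
    sync_avatar: bool            # the proposed SSOSyncAvatar setting
    graph_enabled: bool = False  # optional Microsoft Graph integration
    picture_hosts: tuple = ()    # hosts the IdP is known to serve `picture` URLs from


def choose_photo_source(claims, cfg, access_token):
    """Return (url, headers) to fetch, or None when nothing should be fetched."""
    if not cfg.sync_avatar:
        return None
    if cfg.graph_enabled and claims.get("oid"):
        # Entra ID: object id from the token, photo fetched with the login access_token
        return GRAPH_PHOTO.format(id=claims["oid"]), {"Authorization": f"Bearer {access_token}"}
    pic = claims.get("picture")
    if not pic:
        return None
    u = urlparse(pic)
    # The claim value is IdP-supplied: only follow https URLs on hosts the org expects,
    # so the server never fetches arbitrary internal or attacker-chosen addresses.
    if u.scheme != "https" or u.hostname not in cfg.picture_hosts:
        return None
    return pic, {}


def sync_avatar(user_id, claims, cfg, access_token, fetch):
    """Fetch and validate the photo; return the profile metadata the API would expose."""
    src = choose_photo_source(claims, cfg, access_token)
    if src is None:
        return {"profilePictureUrl": None, "avatar": None}
    status, ctype, body = fetch(src[0], src[1])
    if status != 200 or ctype not in ALLOWED_TYPES or len(body) > MAX_BYTES:
        return {"profilePictureUrl": None, "avatar": None}  # client keeps the Identicon
    avatar = {"contentType": ctype, "bytes": body}  # stand-in for DB/blob storage
    return {"profilePictureUrl": f"https://api.bitwarden.com/user-avatar/{user_id}",
            "avatar": avatar}
```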