Profile Picture Sync with Authentik (OAuth/OIDC) and API Authentication for Automated Uploads

Hello everyone,

I’m working on integrating our Vikunja instance (running in Docker) with Authentik as our Identity Provider (IdP). User login via OAuth/OpenID Connect from Authentik is already working very well, which is a huge step forward!

My Goal

I’m looking to automatically synchronize user profile pictures managed in Authentik with Vikunja. Since Vikunja doesn’t seem to handle this directly via the OAuth/OIDC login flow, I’m trying to achieve it through the Vikunja API.

My Current Approach (Workaround)

I’ve implemented a Python policy script within Authentik. After successful authentication, this script takes the user’s avatar (stored locally) and attempts to upload it to Vikunja using the /api/v1/user/settings/avatar/upload API endpoint.

For API authentication, I’ve found that Vikunja expects a JWTKeyAuth header scheme. So, I’m trying to use an API key retrieved from Authentik user attributes like this:

Authorization: JWTKeyAuth {api_key}

The Problem

I’m currently getting a 401 Unauthorized error from Vikunja with the message: "missing, malformed, expired or otherwise invalid token provided". This suggests that the token I’m using isn’t being accepted by Vikunja, despite using the JWTKeyAuth type.

My Questions for the Community

1. Profile Picture Synchronization via OAuth/OIDC:
   Is there a recommended or existing way for profile pictures from an external IdP (like Authentik) to be automatically imported into Vikunja during the OAuth/OIDC flow, or via a specific API endpoint that handles this without requiring a separate upload process in my script? Perhaps through a specific scope or a field in the OIDC profile that Vikunja can process?

2. JWTKeyAuth Token for Automated API Uploads:
   If a separate API upload remains the necessary path:

   • What’s the best way to obtain a valid JWTKeyAuth-compatible token for automated API calls (like avatar uploads)?
   • Are Personal Access Tokens (PATs) in Vikunja intended to be used with JWTKeyAuth? Or is there an API endpoint through which I can dynamically generate such a token without needing to perform a full programmatic username/password login for every action (which is often not ideal for a backend script)? The goal is to have a long-lived token that I can store securely in Authentik.

Any guidance and best practices on how to achieve this profile picture synchronization securely and efficiently would be greatly appreciated!

Thanks in advance for your help!

There is an open PR for exactly that: feat(auth): sync avatar from OpenID providers by maggch97 · Pull Request #821 · go-vikunja/vikunja · GitHub

Check out the docs about this here: Vikunja API documentation

You’ll need a Authorization: Bearer <token> header.

Either through the login or via the creation of an api token in the UI.

Yes, but see my caveat about the header above.

Thank you for your help and time. I’ve also tried using the Authorization: Bearer token header. Although my token is valid and I can, for example, retrieve tasks with it, I still get a “401 Unauthorized” error message when trying to upload an image via the /api/v1/user/settings/avatar/upload endpoint. When creating the token, I also selected all available permissions to ensure it’s not due to missing rights.

Could anyone else try to reproduce this or confirm if this functionality is working correctly for them with a similar setup? Any insights or suggestions would be greatly appreciated!

Thanks in advance.

The avatar upload is only available with a JWT (which you can only obtain by logging in) and not with an api token.

Thanks for your reply. Yes, that’s exactly what I meant – that this endpoint only works with a JWT token. Is there a way to generate such a JWT token using an API token and then use that?

No, you’ll need to use the login endpoint and user credentials to get the JWT.