Avatar Image Access Forbidden by IMAP?

I will begin by saying I’m still quite new to the support process/system, so please let me know if I should be taking this to GitHub or someplace else.

Here’s my environment:
Nextcloud version: 27.1.4 (Just upgraded today)

Operating system and version: Ubuntu 22.04.02 LTS
Apache or nginx version: Apache/2.4.52 (Ubuntu)
PHP version: PHP 8.2.12 (cli)
Database: mysql 10.6.12
Login Method: User External IMAP

The issue you are facing:
The short version of the issue is that the image avatar picture is not showing for any user when searching for a contact in the upper right-hand corner of the web interface.
EDIT: Users without a picture DO NOT correctly show the first letter of their name.
EDIT: Contacts DO show correctly (picture or first letter of name).
EDIT: It appears to be connected to CardDAV, IMAP authentication, and/or System Address Book.
More details from my tests are below.

Is this the first time you’ve seen this error? (Y/N): Y - sort of. I started noticing it after upgrading to NC 27 and using the new shared contact list.

Steps to replicate it:

  1. Click on the contact search button and search for a user with a profile picture.

  2. The picture says “Avatar of [User Name]”. Example:
    [Screenshot: AvatarMissing]

  3. Testing further, I copied the image url and pasted it in another browser tab. Example: https://my.nextcloud.installation/remote.php/dav/addressbooks/system/system/system/OCA/UserExternal/IMAP:admin.vcf?photo&size=32
    The result:
    [Screenshot: AccessForbidden]

The output of your Nextcloud log in Admin > Logging:

EDIT: No Errors or warnings. (I found and resolved the previous error posted.)

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => 'removed',
  'passwordsalt' => 'removed',
  'secret' => 'removed',
  'trusted_domains' => 
  array (
    0 => 'my.nextcloud.installation',
  ),
  'overwrite.cli.url' => 'http://my.nextcloud.installation',
  'htaccess.RewriteBase' => '/',
  'datadirectory' => '/var/www/html/nextcloud/data',
  'objectstore' => 
  array (
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' => 
    array (
      'bucket' => 'removed',
      'autocreate' => true,
      'key' => 'removed',
      'secret' => 'removed',
      'hostname' => 'removed',
      'region' => 'removed',
      'port' => removed,
      'use_ssl' => true,
      'use_path_style' => true,
    ),
  ),
  'quota_include_external_storage' => false,
  'share_folder' => '/Shared with Me',
  'dbtype' => 'mysql',
  'version' => '27.1.4.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'removed',
  'dbpassword' => 'removed',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',
  'redis' => 
  array (
    'host' => '/run/redis/redis-server.sock',
    'port' => 0,
    'dbindex' => 0,
    'password' => '',
    'timeout' => 1.5,
  ),
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\TXT',
    1 => 'OC\\Preview\\MarkDown',
    2 => 'OC\\Preview\\OpenDocument',
    3 => 'OC\\Preview\\PDF',
    4 => 'OC\\Preview\\MSOffice2003',
    5 => 'OC\\Preview\\MSOfficeDoc',
    6 => 'OC\\Preview\\Image',
    7 => 'OC\\Preview\\Photoshop',
    8 => 'OC\\Preview\\TIFF',
    9 => 'OC\\Preview\\SVG',
    10 => 'OC\\Preview\\Font',
    11 => 'OC\\Preview\\MP3',
    12 => 'OC\\Preview\\Movie',
    13 => 'OC\\Preview\\MKV',
    14 => 'OC\\Preview\\MP4',
    15 => 'OC\\Preview\\AVI',
  ),
  'remember_login_cookie_lifetime' => 1296000,
  'session_lifetime' => 86400,
  'session_relaxed_expiry' => false,
  'session_keepalive' => true,
  'auto_logout' => false,
  'default_language' => 'en_US',
  'default_locale' => 'en_US',
  'default_phone_region' => 'en_US',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'removed',
  'mail_domain' => 'removed',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'removed',
  'mail_smtpport' => 'removed',
  'mail_smtpname' => 'removed',
  'mail_smtppassword' => 'removed',
  'maintenance' => false,
  'simpleSignUpLink.shown' => false,
  'user_backends' => 
  array (
    0 => 
    array (
      'class' => '\\OCA\\UserExternal\\IMAP',
      'arguments' => 
      array (
        0 => 'my.email.server',
        1 => 993,
        2 => 'ssl',
        3 => 'email.server',
        4 => true,
        5 => true,
      ),
    ),
  ),
  'theme' => '',
  'loglevel' => 0,
  'knowledgebaseenabled' => false,
  'updater.secret' => 'removed',
);

The output of your Apache/nginx/system log in /var/log/____:

EDIT: No Errors Found (I found/resolved the other errors previously posted.)

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

EDIT: No Errors or Warnings (I found and resolved previously posted error.)

EDIT: More Details
The user and corresponding image appear correctly in the Contacts app. The url used to display the image is different:
https://my.nextcloud.installation/remote.php/dav/addressbooks/users/[removed logged in username]/z-server-generated--system/OCA%5cUserExternal%5cIMAP:admin.vcf?photo

The “unauthorized” url does not use the “/users/logged_in_username/z-server-generated--system/” part that is found in this working url from the Contacts app.

Try editing your config with:

'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://cloud/',

Thank you for the help. I noticed that, too.
That change did not help, though.
It appears that my apache conf file was already putting https:// on the front of the image url.

UPDATE:
The image url appears to be malformed.
The two “/” marks on either side of “UserExternal” should be “%5c” to generate “\” instead.

This does not work (produced by the system):
https://my.nextcloud.installation/remote.php/dav/addressbooks/system/system/system/OCA/UserExternal/IMAP:admin.vcf?photo&size=32

This does work (after manually editing it):
https://my.nextcloud.installation/remote.php/dav/addressbooks/system/system/system/OCA\UserExternal\IMAP:admin.vcf?photo&size=32

Does this make it a matter for the folks on GitHub or is this still the right place to ask for help?

Just to keep this forum up to date,
I posted the issue on GitHub and received a patch solution which fixed my problem.

The details can be found at Bug report #42072

Thanks everyone for your help!
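
The URL difference described in the thread, as an added example that is not part of the original posts and not Nextcloud's code: it builds the photo URL with the card name percent-encoded as one path segment, and classifies a generated URL whose backslashes were turned into path separators. The base URL and card name are taken from the URLs quoted above; the function names and result labels are assumptions made for this illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed from the URLs quoted in the thread; the host is the poster's placeholder.
BOOK = "https://my.nextcloud.installation/remote.php/dav/addressbooks/system/system/system/"
CARD = "OCA\\UserExternal\\IMAP:admin.vcf"  # card name as decoded from the working URL


def photo_url(card: str, size: int = 32) -> str:
    """Build the photo URL with the card name as a single encoded path segment."""
    # safe=":" leaves the colon readable; "\" becomes %5C and "/" would become %2F.
    return f"{BOOK}{quote(card, safe=':')}?photo&size={size}"


def card_segments(url: str) -> list[str]:
    """Decoded path segments that follow the address book collection."""
    book_path = urlsplit(BOOK).path
    path = urlsplit(url).path
    if not path.startswith(book_path):
        raise ValueError("URL is not inside the expected address book")
    # Split on "/" before decoding so an encoded separator stays inside its segment.
    return [unquote(seg) for seg in path[len(book_path):].split("/")]


def diagnose(url: str, expected_card: str = CARD) -> str:
    """Classify how a generated URL relates to the card it should address."""
    segs = card_segments(url)
    if segs == [expected_card]:
        return "ok"
    if len(segs) > 1 and "\\".join(segs) == expected_card:
        return "backslash-became-slash"
    return "different-resource"


if __name__ == "__main__":
    generated = BOOK + "OCA/UserExternal/IMAP:admin.vcf?photo&size=32"
    for url in (generated, photo_url(CARD)):
        print(diagnose(url), url)
```

With the slash form the server is asked for a three-level path that names a different resource than the card, which is why the encoding of that one segment decides whether the request reaches the intended vCard.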