Auto-populate user names and avatars not working with tokens

I have jitsi-meet working with token authentication as follows:

  1. vouch-proxy handles the authentication and it is able to retrieve and pass along the user’s id, name, email, and avatar url
  2. Within the nginx configuration I generate the Jitsi JWT from the values passed by vouch-proxy (this uses a small lua script to do the base64 and hmac encoding)
  3. When users access a room, they are automatically redirected to /room?jwt=... if they don’t already have jwt=... in their URL

I can see in the JavaScript console that the token= is being sent and loaded it up in and it does parse correctly and validates. An example of the payload is:

  {
    "iss": "jitsi-gather",
    "aud": "jitsi",
    "sub": "",
    "room": "*",
    "exp": 1592903035,
    "user": {
      "id": "123456789024680",
      "name": "Jeffrey Bush",
      "email": "",
      "avatar": ""
    }
  }

However, the user doesn’t have a name or avatar. Just called “me” and if I go into chat it says I must provide a nickname. The token authentication is fully enabled in Prosody since if I disable step 3 above (where it adds the ?jwt= to the URL) then I am prompted for a login. I assume that is not only occurring on the client side but the client is reacting to a failed anonymous login from the server.

I have checked all of the logs (prosody, jicofo, jvb, nginx, and vouch) and nothing besides “info” level messages (and the few expected warnings). No suspicious messages in the JavaScript console either.

I don’t even know where to start debugging this since I have no idea if it is the client (jitsi-meet/lib-jitsi-meet) or the server (prosody) that normally sets the user name (I found evidence in both places: jitsi-meet and prosody).

What may I have done wrong? Where should I be looking next? Thanks.

It is

"context": {
    "user": {

Wow, so simple! Thanks for being able to see that so easily! Working now. Next I am going to try to pass the JWT through a different way (while still allowing the ?jwt=).

Does the JWT get used at all in the client side? Or can I simply inject the token=... argument into the http-bind calls?

Actually, it looks like the URL is automatically cleaned up:

I thought it wasn’t before, but that may have been when I was still mucking with the authentication.
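
The fix from the reply above (user claims nested under `context.user`), as an added example that is not part of the original thread: a Python sketch that signs the payload with HS256 and checks a token for the misplaced `user` claim, which explains why the first token validated yet showed no name. The secret, the sample user and the function names are constructed for illustration; the `iss`, `aud`, `sub` and `room` values are the ones from the post.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, payload: dict) -> str:
    """Serialize a payload and HS256-sign it as a compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def jitsi_payload(user: dict, exp: int) -> dict:
    """Claims from the post, with the user object moved under context.user."""
    return {"iss": "jitsi-gather", "aud": "jitsi", "sub": "", "room": "*",
            "exp": exp, "context": {"user": user}}

def check_token(secret: bytes, token: str, now: int) -> list:
    """Return a list of problems; an empty list means the token is usable."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        payload = json.loads(b64url_decode(body))
        mac = b64url_decode(sig)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return ["malformed token"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed token"]
    problems = []
    if header.get("alg") != "HS256":  # never accept "none" or a surprise alg
        problems.append("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        problems.append("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("expired")
    if "user" in payload:  # the mistake in the original post
        problems.append("top-level 'user' claim: move it under context.user")
    ctx = payload.get("context")
    user = ctx.get("user") if isinstance(ctx, dict) else None
    if not isinstance(user, dict) or not user.get("name"):
        problems.append("context.user.name missing: no display name")
    return problems
```

A token built from the original payload passes the signature and expiry checks and fails only the two claim-placement checks, which matches the symptom described in the first post.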