Only use display name from JWT

I use JWT auth only and do not have guest users. Is it possible to insist that only names that are set in JWT be used as display names?

I have disabled profiles, but I need the preJoin page enabled and users are still able to change their display name on that page:

[Screenshot: prejoin page]

That field is pre-populated with the name from JWT, and changing it before joining would change Display Name in the meeting.

Is there a built-in option to remove that field or make it read-only?

I would hide that field using CSS.

Also, are you sure your display names are being changed? If so, hiding that field would only help with the user’s display side of things. Users could always change their display names using other client-side mechanisms.

You really want to squash any changes to display names that are not solely coming from the JWT (since that’s your primary identity provider) on the server side.

I seem to remember seeing code in a Prosody module that did just that. I would have to go look for it, but I know it’s there.

Here it is. It’s part of the mod_presence_identity mod:

2 Likes

Yup. I confirmed that changes made in that field are visible to other users. Indeed, hiding that field will only obfuscate things but will not stop a resourceful Mr Sneaky. A server-side solution would be the way to go.

Nice! I’ll have a play and see if I can make it work. Thanks!

1 Like

Didn’t get a chance to actually grok what the module does, but I did blindly enable it. Alas, it doesn’t seem to do what I wished it would do; display names set in JWT could still be overridden from the prejoin page.

I had a quick look at the presence stanza being sent to clients, and noted that identity.user.name remains intact and matches what was in JWT, and it is the nick attribute that is modified and affects what is displayed.

Could it be that I’d need a custom module that forces nick to the user name provided in identity?

1 Like

That’s what I would do. Force nick to match identity.user.name.

1 Like

Ended up with the following module that is based on (but independent of) mod_presence_identity:

The module essentially replaces the nick tag in the presence stanzas using the name from user context. If a user manages to submit a nick change, they may still see their modified name locally, but all participants only see the name as was set in the user’s JWT.

To avoid confusion on the UI, for now I’ve just hacked it with a custom CSS so the name field is not editable by default:

.premeeting-screen .prejoin-input-area input.field {
    pointer-events: none;
}

Works-ish, but a better long-term solution would be to actually change the UI to remove the input field and simply display the name.

2 Likes
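The server-side enforcement described in the post above, as an added example: this is not the poster's module (its code is not shown on this page) and not Jitsi's own code. The module name `mod_jwt_nick` is hypothetical, and the example assumes the JWT `context.user` claims are stored on the session as `jitsi_meet_context_user`, the field mod_presence_identity reads.

```lua
-- mod_jwt_nick.lua (hypothetical name; added example, not Jitsi's code)
-- Forces the <nick/> child of outgoing presence to the name from the JWT,
-- so a name typed on the prejoin page never reaches other participants.
-- Assumption: the JWT context.user claims are stored on the session as
-- jitsi_meet_context_user, the field mod_presence_identity reads.
-- Assumption: load it on the VirtualHost that clients authenticate against.

local NICK_NS = "http://jabber.org/protocol/nick"; -- XEP-0172 User Nickname

local function force_jwt_nick(event)
    local stanza, session = event.stanza, event.origin;
    local user = session and session.jitsi_meet_context_user;
    if not user or type(user.name) ~= "string" or user.name == "" then
        -- No JWT name on this session: leave the stanza untouched.
        return;
    end

    -- Drop every client-supplied nick so it cannot override the JWT name.
    stanza:maptags(function(tag)
        if tag.name == "nick" and tag.attr.xmlns == NICK_NS then
            return nil;
        end
        return tag;
    end);

    -- Re-add the nick from the JWT on available presence only
    -- (available presence carries no type attribute).
    if stanza.attr.type == nil then
        stanza:tag("nick", { xmlns = NICK_NS }):text(user.name):up();
    end
end

-- Same hook points as mod_presence_identity: presence sent by local clients.
module:hook("pre-presence/bare", force_jwt_nick);
module:hook("pre-presence/full", force_jwt_nick);
```

Because the rewrite happens before the presence is routed to the room, the CSS rule on the prejoin field stays a cosmetic measure and the JWT remains the only source of the name other participants see.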

@shawn Nice job!

@corby Thanks :beers: