Setting avatar using JWT token

All my users are authenticated using JWT token, and names and avatars are set in the token.

The names show up correctly for everyone, unfortunately avatars are not appearing for everyone but the user.

In other words, with avatars set up in everyone's token, users see their own avatar but see the initials badge for everyone else. For example:

Am I missing a setting somewhere?

In config.js I typically have disableProfile: true so users cannot manually change their name, but temporarily setting this to false does not solve the issues with avatar.

Can you show a sample of your jwt masking private information?

Sure.

The payload of my jwt looks like this:

{
  "context": {
    "user": {
      "name": "Shawn Chin",
      "email": "shawn@example.com",
      "avatar": "https://i.ibb.co/n3Vk0Kv/66.jpg",
      "id": "a1b2c3-d4e5f6-0abc1-23de-abcdef01fedcba"
    },
    "group": "a123-123-456-789"
  },
  "aud": "audience",
  "iss": "issuer",
  "sub": "*",
  "room": "MyRoom",
  "exp": 1700006923
}

OK, I think I found the issue. I’ve set disableThirdPartyRequests: true because I need to restrict access to any third party sites (e.g. gravatar, analytics, etc).

Unfortunately, it appears that flag stops the loading of all avatars. Not only is gravatar not used, avatar URLs assigned to participants and the Jigasi participant icon are also not loaded.

Is it safe to assume this is a bug and not an intended behaviour? Can’t imagine having to forfeit avatars altogether just because one needs to control access to external apps.

Well that is also third-party request, the jigasi icon is strange … that is a bug though

Well that is also third-party request

You’re right. Even if the urls reference endpoints I have control over, technically they are outside of the Jitsi meet setup.

So if I need to keep using avatars, is the recommendation to leave disableThirdPartyRequests set to false and limit access to external apps in a different way? E.g. if I replace gravatarBaseURL and make sure I don’t set up Google Analytics or callstats, then Jitsi Meet won’t make any requests out?

the jigasi icon is strange … that is a bug though

Well, to be honest I cannot confirm that since I don’t use Jigasi. I merely inferred that from the code so I could very well be mistaken.

I surmised that AVATAR_CHECKER_FUNCTIONS is only referenced by getFirstLoadableAvatarUrl and calls to getFirstLoadableAvatarUrl are always predicated by if(!disableThirdPartyRequests ...).

Whether I set "disableThirdPartyRequests" to true or false, external avatars are not working right now. Is this correct? Here is my token:

{
  "context": {
    "user": {
      "id": "hw",
      "name": "Hans Wurst",
      "avatar": "https://avatar.source/media/hw.png"
    }
  },
  "aud": "jitsi",
  "iss": "AppId",
  "sub": "jitsi.domdom.net",
  "room": "*",
  "moderator": true
}

Sure, my token uses a valid avatar 🙂. Here is my current setup:

jitsi-meet/stable,now 2.0.5390-3 all [installed]
jitsi-meet-prosody/stable,now 1.0.4628-1 all [installed,automatic]
jitsi-meet-tokens/stable,now 1.0.4628-1 all [installed]
jitsi-meet-turnserver/stable,now 1.0.4628-1 all [installed,automatic]
jitsi-meet-web/stable,now 1.0.4628-1 all [installed,automatic]
jitsi-meet-web-config/stable,now 1.0.4628-1 all [installed,automatic]
jitsi-videobridge2/stable,now 2.1-416-g2f43d1b4-1 all [installed,automatic]

Do you see any CORS-related errors in your dev console?

Jitsi Meet uses fetch() calls to pre-load avatar images, so if the server hosting the image does not set the appropriate Access-Control-Allow-Origin headers, the images will fail to load.

Related issue: Avatar images blocked in the browser by CORS · Issue #8510 · jitsi/jitsi-meet · GitHub

Yeah, my issue was CORS-related. Thank you!
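
The CORS explanation above, as an added example that is not part of the original thread or of Jitsi Meet's code: a function that takes the response headers returned by an avatar host and decides whether a browser would let a page on the meeting origin read that response from a fetch() call. The origins, URLs and header sets are constructed sample values, and the non-credentialed default is an assumption about how the avatar is requested.

```javascript
// Added example (not Jitsi Meet code). Decides whether a browser would let a
// page at `pageOrigin` read a cross-origin avatar fetched in CORS mode, given
// the response headers copied from the dev tools Network tab.
// Assumption: the avatar is requested without credentials unless stated.
function checkAvatarCors(avatarUrl, pageOrigin, responseHeaders, withCredentials = false) {
  const origin = new URL(pageOrigin).origin;
  // Same-origin requests are not subject to CORS checks at all.
  if (new URL(avatarUrl).origin === origin) {
    return { allowed: true, reason: 'same-origin' };
  }
  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  if (acao === '*') {
    // The wildcard is rejected by browsers for credentialed requests.
    return withCredentials
      ? { allowed: false, reason: 'wildcard not allowed with credentials' }
      : { allowed: true, reason: 'wildcard' };
  }
  // Otherwise the value must be exactly one origin, equal to the requesting
  // origin: no comma-separated lists, no trailing slash, no patterns.
  if (acao !== origin) {
    return { allowed: false, reason: `origin mismatch: ${acao}` };
  }
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentials not allowed' };
  }
  return { allowed: true, reason: 'origin match' };
}

// Constructed sample values: a meeting origin and an avatar on another host.
const MEET = 'https://meet.example.com';
const AVATAR = 'https://avatars.example.net/media/hw.png';
const SAMPLES = [
  {},                                                        // header absent
  { 'Access-Control-Allow-Origin': '*' },                    // wildcard
  { 'access-control-allow-origin': MEET, Vary: 'Origin' },   // exact origin
  { 'Access-Control-Allow-Origin': MEET + '/' },             // trailing slash
];
for (const h of SAMPLES) {
  console.log(JSON.stringify(h), '->', checkAvatarCors(AVATAR, MEET, h));
}
```
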