As helix is the only API allowed for extensions, I have to get some token to get linked user name.
There is some kind of [token.payload] passed to onAuthorized, but unfortunately it doesn’t accepted as good token.
Is it possible to get user name without having to dealing with generating JWT on backend?
No.
This example describes a method to do what you are after
The JWT from the extension is passed to the EBS
The EBS generates an App Access Token/Client Credentials token
And uses the UserID from the JWT + the App Access Token to lookup the user on the API.
TLDR: you need an EBS
You mis intrepreted what I wrote on the thread you necro’ed
Use of kraken would likely result in a deny, because it’s use is deprecated.
And you can’t call helix without an access token that you can’t generate in an extension front end to use with the API
The only call I need for my extension is getUserByID 
And I don’t want to be denied, that’s why I interpreted your message this way.
Then you need an EBS.
If it passed verification, then your extension will break when Kraken gets removed.
And since the review team knows Kraken will be removed.
That would be probably why they would deny the extension that uses Kraken calls.
I understand. And thank you for your good example. Unfortunately I don’t use node.js 
You can use any language to run an EBS with.
It’s in NodeJS to just be a somewhat simple example.
Since everyone knows Javascript since you need Javascript to make calls in an extension anyway.
Yep, I just don’t want to use fat libraries with tons of dependencies for JWT. But I just found good 10-code-rows realisation. Thanks and have a nice day!
I’m feeling so foolish. I thought there is need of JWT generation, but I just found out that Extension has its own usual secret, so I can just make ordinary API requests. What the point generating JWT then?
You decode the JWT from your frontend, to extract the userID in the JWT.
You only need to generate a JWT if using Extension Pubsub or the Config Service.
Sorry, was confused by phrase “EBS generates an App Access … token”. It actually gets it from Twitch (as always). Your code was helpful to figure out it.