🪪
OIDC Identity Layer
id_token direct verification, cross-app zero-trust identity
OpenID Connect layers identity on top of OAuth 2.1. id_token is JWT with user claims, apps verify locally without calling UM. scope=openid profile email.
example.http
# 请求 id_token(scope 含 openid)
GET /oauth/authorize?
response_type=code&
client_id=YOUR_APP_KEY&
scope=openid%20profile%20email&
...
# token 响应含 id_token
{
"access_token": "eyJ...",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "eyJ...", // JWT,含用户声明
"scope": "openid profile email"
}
# id_token 载荷(JWT decode)
{
"iss": "https://um.yunjii.cn",
"sub": "umid_8x4k...",
"aud": "YOUR_APP_KEY",
"exp": 1730000000,
"iat": 1729996400,
"nickname": "张三",
"picture": "https://..."
}Core Features
6 core features, each works standalone
Local id_token verify
JWT with user claims, apps verify locally with public key
Standard scopes
openid / profile / email, request fields as needed
Discovery doc
/.well-known/openid-configuration exposes all endpoints
JWKS keys
/oauth/jwks exposes public key set for verification
sub = UMID
id_token.sub is the user's unique Yunjii Stack ID
Nonce anti-replay
Optional nonce returned in id_token
API Endpoints
Via /api/* call the following endpoints
| Method | Path | Description |
|---|---|---|
| GET | /.well-known/openid-configuration | OIDC Discovery document |
| GET | /oauth/jwks | JWKS public key set |
| GET | /oauth/userinfo | UserInfo endpoint |