← Back to products
🪪

OIDC Identity Layer

id_token direct verification, cross-app zero-trust identity

OpenID Connect layers identity on top of OAuth 2.1. id_token is JWT with user claims, apps verify locally without calling UM. scope=openid profile email.

example.http
# 请求 id_token(scope 含 openid)
GET /oauth/authorize?
  response_type=code&
  client_id=YOUR_APP_KEY&
  scope=openid%20profile%20email&
  ...

# token 响应含 id_token
{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJ...",     // JWT,含用户声明
  "scope": "openid profile email"
}

# id_token 载荷(JWT decode)
{
  "iss": "https://um.yunjii.cn",
  "sub": "umid_8x4k...",
  "aud": "YOUR_APP_KEY",
  "exp": 1730000000,
  "iat": 1729996400,
  "nickname": "张三",
  "picture": "https://..."
}

Core Features

6 core features, each works standalone

Local id_token verify

JWT with user claims, apps verify locally with public key

Standard scopes

openid / profile / email, request fields as needed

Discovery doc

/.well-known/openid-configuration exposes all endpoints

JWKS keys

/oauth/jwks exposes public key set for verification

sub = UMID

id_token.sub is the user's unique Yunjii Stack ID

Nonce anti-replay

Optional nonce returned in id_token

API Endpoints

Via /api/* call the following endpoints

MethodPathDescription
GET/.well-known/openid-configurationOIDC Discovery document
GET/oauth/jwksJWKS public key set
GET/oauth/userinfoUserInfo endpoint

Other Products