Design and Implementation of a Token‑Based Authentication System Using OAuth2 and JWT
This article explains the terminology, background, goals, technical choices, workflow, and API design of a token‑based authentication solution that leverages OAuth2 password grant and JWT to provide secure, stateless, cross‑platform access for enterprise applications.
1 Terminology
Third‑party application: a client application that accesses protected resources.
HTTP service: the service provider offering HTTP‑based APIs.
Resource Owner: the end user who owns the data.
User Agent: the browser acting on behalf of the user.
Authorization server: the server that handles authentication and issues tokens.
Resource server: the server that stores user‑generated resources and validates tokens.
2 R&D Background
In monolithic applications, permission checks are performed centrally and user information is stored in server‑side sessions. With the rise of RESTful APIs and micro‑services, token‑based authentication has become prevalent because tokens embed user data and enable stateless verification.
Server‑side statelessness: the token contains all necessary user information, eliminating session storage.
Performance: token validation avoids database or remote calls, improving response speed.
Mobile support: tokens work across domains and devices, unlike cookies.
3 R&D Goals
Provide a standardized, secure authentication flow that allows heterogeneous systems and services to integrate seamlessly with unified identity verification.
User submits login credentials (or calls a token endpoint) to the authentication service.
The service validates the credentials and returns a token containing user info, permissions, and expiration.
The client includes the token in the HTTP Authorization header for subsequent API calls.
The called micro‑service validates the token.
The service returns the requested resources.
4 Technical Selection
System authorization follows the OAuth2 password‑grant flow.
Tokens are formatted as JWT.
OAuth (Open Authorization)
OAuth is a secure, open standard that lets third‑party applications obtain limited access to a user's resources without being given the user's password.
Main OAuth grant types
Authorization Code: used by server‑side client applications, which exchange a short‑lived code for the token.
Implicit: suited for mobile or web apps where the token is returned directly to the browser.
Password: trusted applications collect user credentials and exchange them for a token.
Client Credentials: the client authenticates on its own behalf, not on behalf of a user.
JSON Web Token (JWT)
JWT is a compact, URL‑safe token format (RFC 7519) for transmitting signed claims between an identity provider and a service provider, which makes it well suited to single sign‑on and distributed systems.
5 Authentication Process Logic
System Authorization
The third‑party client sends its client ID/secret and user credentials to the authorization server to obtain an access token.
The server issues the access token to the client.
System Authentication
The client presents the access token to the resource server, which validates the token, the client credentials, and the resource owner, then grants access based on the embedded claims.
When the access token expires, the client can obtain a new one with its refresh token instead of re‑submitting user credentials.
6 API Design
Authorization Credential API
Clients submit their client ID/secret and resource‑owner credentials to obtain an access token.
Client credentials are generated after the third‑party application passes registration review.
Authorization Credential Renewal API
Clients submit a refresh token to obtain a new access token.
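As an added example (not code from the article), a stdlib‑only Python sketch of the two APIs above and of the resource‑server check from Section 5: the token endpoint handles the password and refresh_token grants and issues HS256 JWTs carrying sub, roles and exp, and the resource server validates them statelessly from the Authorization header. The client and user registries, the signing key and the "use" claim that keeps access and refresh tokens apart are constructed assumptions, not part of the article's design.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"    # constructed; in production load from a secret store
CLIENTS = {"app1": "app1-secret"}        # constructed registry: client_id -> client_secret
USERS = {"alice": ("pw123", ["admin"])}  # constructed registry: username -> (password, roles)

def _enc(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def issue_jwt(claims, ttl, now):
    # head.body.sig with HS256 over the first two base64url segments; exp bounds the lifetime
    head = _enc(b'{"alg":"HS256","typ":"JWT"}')
    body = _enc(json.dumps({**claims, "iat": now, "exp": now + ttl}).encode())
    return f"{head}.{body}." + _enc(hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest())
def verify_jwt(token, now):
    # Stateless check each resource server runs: pin alg, constant-time signature check, then exp
    parts = token.split(".")
    if len(parts) != 3 or json.loads(_dec(parts[0])).get("alg") != "HS256":
        raise PermissionError("malformed token or unexpected alg")
    want = hmac.new(SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _dec(parts[2])):
        raise PermissionError("bad signature")
    claims = json.loads(_dec(parts[1]))
    if claims["exp"] <= now: raise PermissionError("token expired")
    return claims
def token_endpoint(form, now):
    # Authorization Credential API (grant_type=password) and Renewal API (grant_type=refresh_token)
    secret = CLIENTS.get(form.get("client_id"))
    if secret is None or not hmac.compare_digest(secret, form.get("client_secret", "")):
        raise PermissionError("invalid_client")
    if form.get("grant_type") == "password":
        sub = form.get("username", "")
        pw, roles = USERS.get(sub, ("", []))
        if not pw or not hmac.compare_digest(pw, form.get("password", "")):
            raise PermissionError("invalid_grant")
    elif form.get("grant_type") == "refresh_token":
        rt = verify_jwt(form.get("refresh_token", ""), now)
        if rt.get("use") != "refresh":  # an access token must not be accepted as a refresh token
            raise PermissionError("invalid_grant")
        sub, roles = rt["sub"], USERS[rt["sub"]][1]
    else: raise PermissionError("unsupported_grant_type")
    return {"token_type": "Bearer", "expires_in": 900, "refresh_token": issue_jwt({"sub": sub, "use": "refresh"}, 86400, now),
            "access_token": issue_jwt({"sub": sub, "roles": roles, "use": "access"}, 900, now)}
def authorize_request(headers, role, now):
    # Resource-server side: Bearer token from the Authorization header, then a role check on the claims
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "): raise PermissionError("missing bearer token")
    claims = verify_jwt(auth[7:], now)
    if claims.get("use") != "access" or role not in claims.get("roles", []):
        raise PermissionError("forbidden")
    return claims
```

The "exp" check means a token is refused by every service the moment it lapses without any shared session store, which is the stateless property Section 2 describes.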