Information Security

Design and Implementation of Token‑Based Authentication Using OAuth2 and JWT

This document explains the need for a unified account management system in enterprise cloud platforms, defines key terminology, outlines the advantages of token‑based authentication, describes the OAuth2 password‑grant flow and JWT usage, and details the technical design, interface specifications, and credential renewal process for secure cross‑service access.

IT Architects Alliance

When enterprise applications proliferate, managing user data separately creates information silos; a unified, standardized account management system becomes essential for cloud platforms, enabling single sign‑on, third‑party login, and open ecosystem integration.

Terminology

Third‑party application: also called “client”.

HTTP service: service provider.

Resource Owner: the user who logs in.

User Agent: the browser.

Authorization server: authenticates the resource owner and issues access tokens once authorization has been obtained.

Resource server: stores user‑generated resources; may be the same as the authorization server.

Research Background

Traditional monolithic apps store session data on the server, while modern RESTful and microservice architectures favor token‑based authentication, which carries user information within the token itself.

Advantages of Token Authentication

Stateless on the server – no session storage needed; the flip side is that a token cannot be revoked before it expires without an extra mechanism, so lifetimes should be short.

Better performance – a signed, self‑contained token is validated locally with the signing key, so each request avoids a database or remote lookup.

Supports mobile and cross‑application calls – the token travels in a request header rather than a cookie, so it is not bound to a cookie domain.

Research Goals

Provide a standard security authentication process that allows heterogeneous or cross‑service systems to integrate flexibly with unified authentication.

Typical Token Authentication Flow

User submits login credentials (or calls a token API) to the authentication service.

The service validates credentials and returns a token containing user info, permissions, and expiry.

The client sends the token in the HTTP Authorization header (Bearer scheme) on subsequent API calls.

The invoked microservice validates the token (signature, expiry, and required permissions) before acting on the request.

The service returns the requested resources.

Security Function Points

Obtain credentials: the client uses client ID/secret and user credentials to get an access token from the authorization server.

Login authorization: the client presents the access token to the resource server, which validates the token, client credentials, and user identity before granting access.

Access authentication: the resource server checks token validity and permissions, then returns the resource.

Credential renewal: when the access token expires, a refresh token is used to obtain a new access token.

Technical Selection

OAuth2 resource‑owner password‑credentials grant for system authorization. Because this grant hands the user's password to the client, it is appropriate only for first‑party clients the authorization server fully trusts; the OAuth 2.0 Security Best Current Practice advises against it for new designs, which favor the authorization‑code grant.

JWT (JSON Web Token) as the token format.

OAuth Open Authorization

OAuth provides a secure, open standard for third‑party access without exposing user passwords. The four main grant types are authorization code, implicit, resource‑owner password credentials, and client credentials.

JSON Web Token (JWT)

JWT is a compact, URL‑safe token format defined by RFC 7519, suitable for distributed single sign‑on scenarios; it can carry user claims, permissions, and optional custom data, and may be signed (JWS) or encrypted (JWE). A signed JWT is integrity‑protected but its claims are readable by anyone holding the token, so no secrets belong in the payload, and a verifier must check the signature and expiry before trusting any claim.

Interface Design

Authorization credentials are issued after the client registers and passes review; the token endpoint validates the client ID/secret and the user credentials, then returns an access token together with a refresh token. Credential renewal follows a similar validation process: the client presents its credentials and the refresh token, and the server issues a new access token (and, with rotation, a new refresh token that replaces the old one).
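The following is an added example, not code from the original article or from IT Architects Alliance. It models in one process the pieces the "Typical Token Authentication Flow", "Security Function Points" and "Interface Design" sections describe: a password‑grant token endpoint that checks client ID/secret and user credentials, HS256 JWT issuance with expiry and scope claims, refresh‑token renewal with single‑use rotation, and a resource server that validates the Bearer token locally. Only the Python standard library is used. The issuer URL, signing key, salt, the `web-portal` client and the user `alice` are constructed for the demo and are not part of the original text.

```python
# Added example (not from the original article): password-grant token endpoint,
# refresh-token rotation, and resource-server validation of an HS256 JWT.
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://auth.example"              # assumption: the authorization server's identifier
SIGNING_KEY = secrets.token_bytes(32)         # assumption: HMAC key shared with the resource servers
ACCESS_TTL, REFRESH_TTL = 900, 86_400        # seconds; access tokens stay short because they cannot be revoked
_SALT = b"demo-salt"                         # constructed; use a random per-user salt in practice

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_encode(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HS256 (RFC 7519 / RFC 7515)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_decode(token: str, key: bytes, now=None) -> dict:
    """Verify the signature before trusting any claim; pin the algorithm; enforce iss and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # rejects alg=none and key-confusion tokens
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))   # parsed only after the signature checks out
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed registries: one registered client and one user with scopes.
CLIENTS = {"web-portal": "s3cr3t-client-secret"}
USERS = {"alice": {"pw": _pbkdf2("correct horse"), "scope": "orders:read profile"}}
REFRESH_STORE: dict = {}   # refresh_token -> record; kept server-side so renewals can be revoked

def _issue(sub: str, scope: str, client_id: str, now: float) -> dict:
    claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "scope": scope,
              "iat": int(now), "exp": int(now) + ACCESS_TTL}
    refresh = secrets.token_urlsafe(32)       # opaque and high-entropy; meaningful only to this server
    REFRESH_STORE[refresh] = {"sub": sub, "scope": scope, "client_id": client_id, "exp": now + REFRESH_TTL}
    return {"access_token": jwt_encode(claims, SIGNING_KEY), "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}

def token_endpoint(form: dict, now=None) -> dict:
    """POST /token handler for grant_type=password and grant_type=refresh_token."""
    now = time.time() if now is None else now
    client_id = form.get("client_id", "")
    if client_id not in CLIENTS or not hmac.compare_digest(CLIENTS[client_id], form.get("client_secret", "")):
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "password":
        user = USERS.get(form.get("username", ""))
        stored = user["pw"] if user else _pbkdf2("")   # hash anyway so unknown users cost the same time
        if not hmac.compare_digest(stored, _pbkdf2(form.get("password", ""))) or user is None:
            return {"error": "invalid_grant"}
        return _issue(form["username"], user["scope"], client_id, now)
    if grant == "refresh_token":
        rec = REFRESH_STORE.pop(form.get("refresh_token", ""), None)   # rotation: each refresh token is single-use
        if rec is None or rec["client_id"] != client_id or rec["exp"] <= now:
            return {"error": "invalid_grant"}
        return _issue(rec["sub"], rec["scope"], client_id, now)
    return {"error": "unsupported_grant_type"}

def resource_server(headers: dict, required_scope: str, now=None) -> tuple:
    """Validate the Bearer token (RFC 6750) locally, then enforce scope; returns (status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = jwt_decode(auth[len("Bearer "):], SIGNING_KEY, now=now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    if required_scope not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"user": claims["sub"], "orders": ["1001", "1002"]}   # constructed resource

if __name__ == "__main__":
    creds = {"client_id": "web-portal", "client_secret": "s3cr3t-client-secret"}
    grant = token_endpoint({**creds, "grant_type": "password", "username": "alice", "password": "correct horse"})
    print(resource_server({"Authorization": "Bearer " + grant["access_token"]}, "orders:read"))
    renewed = token_endpoint({**creds, "grant_type": "refresh_token", "refresh_token": grant["refresh_token"]})
    print("renewed" if "access_token" in renewed else renewed)
    print(token_endpoint({**creds, "grant_type": "refresh_token", "refresh_token": grant["refresh_token"]}))
```

Two design choices matter here. The resource server never parses the payload until the signature has been verified against a pinned algorithm, which closes the `alg=none` and key‑confusion class of JWT bugs; and the refresh token is an opaque server‑side record that is deleted on use, so a leaked refresh token is good for at most one renewal and a replay shows up as `invalid_grant`. In a real deployment the shared HMAC key would be replaced by an asymmetric key pair (RS256/ES256) so resource servers hold only the public key.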

Written by

IT Architects Alliance

Discussion and exchange on system, internet, large‑scale distributed, high‑availability, and high‑performance architectures, as well as big data, machine learning, AI, and architecture adjustments with internet technologies. Includes real‑world large‑scale architecture case studies. Open to architects who have ideas and enjoy sharing.
