Design of a Standardized Token‑Based Authentication System Using OAuth2 and JWT
The article explains why enterprises need a unified account management system, defines key authentication terms, outlines the advantages of token‑based security, describes a complete OAuth2 password‑grant flow with JWT, and presents the technical choices and interface designs for implementing a robust, cross‑service authentication solution.
When an enterprise’s number of applications grows, isolated user data creates information silos; a unified, standardized account management system becomes essential for platform‑level evolution, enabling single sign‑on, third‑party login, and open ecosystem integration.
Terminology
Third‑party application: also called “client”.
HTTP service: the service provider.
Resource Owner: the user who logs in.
User Agent: the browser.
Authorization server: dedicated server for handling authentication.
Resource server: stores user‑generated resources; may be the same as the authorization server.
Research Background
Traditional monolithic apps store user sessions on the server, but with the rise of RESTful APIs and microservices, token‑based authentication is increasingly common. Tokens carry user information and can be validated without additional database lookups.
Advantages of token authentication:
Stateless on the server side – no session storage needed.
Better performance – token validation avoids extra DB or remote calls.
Supports mobile devices and cross‑application calls – no cookie domain restrictions.
Research Goal
Provide a standard security authentication process that allows heterogeneous systems or cross‑service integration with flexible, unified authentication.
Typical Token Authentication Flow
User submits login credentials (or calls a token API) to the authentication service.
The authentication service validates the credentials and returns a token carrying basic user info, permission scope, and expiration details; the client stores this data (e.g., in a session or database).
The client places the token in the HTTP request header for subsequent API calls.
The invoked microservice validates the token.
The service returns the requested resources and data.
Key security functions include credential acquisition, login authorization, access verification, and token renewal.
Technical Selection Analysis
System authorization adopts the OAuth2 open‑standard password grant mode.
Tokens follow the JWT (JSON Web Token) specification.
OAuth Open Authorization
OAuth defines a secure, simple standard for third‑party access without exposing user passwords. The four main grant types are:
Authorization Code – used between client and server applications.
Implicit – suitable for mobile or web apps where the token is obtained directly in the browser.
Password – trusted clients collect user credentials and request tokens from the service provider.
Client Credentials – the client authenticates on its own behalf, not on behalf of a user.
JSON Web Token (JWT)
JWT is a compact, URL‑safe means of representing claims to be transferred between two parties. It is widely used for single sign‑on (SSO) and can carry authentication data as well as additional business‑specific claims.
Authentication Process Logic
System authorization issues an Access Token to the client after validating client and resource‑owner credentials.
System authentication: the client presents the Access Token to the resource server, which verifies token validity, client legitimacy, and user identity before granting access.
Token renewal: when the Access Token expires, a refresh token is used to obtain a new token.
Interface Design
Authorization Credential: obtains a token after verifying client and user identities.
Credential Renewal: validates the refresh token and issues a new access token.
All diagrams illustrating the flow are included as images in the original article.
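As an added, runnable illustration of the flow and the two interfaces above (example code written for this page, not the article's own implementation, and in Python rather than the Java backend the article targets): a minimal authorization server offering the password grant and refresh renewal, plus the resource-server check that validates the HS256 JWT from its signature and expiry alone, with no database lookup. The signing key, client, user and TTL values are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed sample data (hypothetical values, not from the article).
SIGNING_KEY = b"demo-hs256-key"              # assumption: key shared by authorization and resource servers
CLIENTS = {"web-app": "client-secret-xyz"}   # client_id -> client_secret
USERS = {"alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(), "scope": "read write"}}
ACCESS_TTL, REFRESH_TTL = 900, 30 * 86400    # seconds
REFRESH_STORE = {}                           # refresh_token -> (client_id, username, scope, expiry)
_b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
_b64d = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_encode(claims):
    # HS256 JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256 over the first two parts).
    header, body = _b64(b'{"alg":"HS256","typ":"JWT"}'), _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def jwt_verify(token, now):
    # Resource-server check: alg pinned to HS256, then signature, then expiry; no database lookup.
    try:
        parts = token.split(".")
        if len(parts) != 3 or json.loads(_b64d(parts[0])).get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(parts[2])):
            return None
        claims = json.loads(_b64d(parts[1]))
        return claims if claims.get("exp", 0) > now else None
    except ValueError:            # malformed base64 or JSON (binascii.Error is a ValueError)
        return None

def _issue(client_id, username, scope, now):
    # Mint a short-lived access JWT plus a fresh opaque refresh token held server-side.
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh] = (client_id, username, scope, now + REFRESH_TTL)
    claims = {"sub": username, "scope": scope, "client_id": client_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    return {"access_token": jwt_encode(claims), "token_type": "Bearer", "expires_in": ACCESS_TTL, "refresh_token": refresh}

def password_grant(client_id, client_secret, username, password, now):
    # Authorization Credential interface: verify the client, then the user, then issue tokens.
    # (Sample compares plain SHA-256 digests; a real service stores a slow salted hash such as bcrypt/argon2.)
    user = USERS.get(username)
    ok_client = hmac.compare_digest(CLIENTS.get(client_id, ""), client_secret)
    ok_user = user is not None and hmac.compare_digest(user["pw_hash"], hashlib.sha256(password.encode()).hexdigest())
    return _issue(client_id, username, user["scope"], now) if ok_client and ok_user else None

def refresh_grant(refresh_token, now):
    # Credential Renewal interface: the refresh token is single-use and rotated on every renewal.
    entry = REFRESH_STORE.pop(refresh_token, None)
    return _issue(*entry[:3], now) if entry and entry[3] > now else None
```

The `now` parameter is passed explicitly so the expiry logic can be exercised deterministically; a server would pass `time.time()`.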