Designing a Unified Token‑Based Authentication System Using OAuth2 and JWT
The article explains how to design a unified, token‑based authentication system for enterprise applications, covering OAuth2 password grant, JWT usage, token issuance, validation, renewal processes, and interface design, while highlighting the benefits of stateless security and cross‑service single sign‑on.
When enterprise applications increase, isolated user data creates information silos; a unified, standardized account management system becomes essential for platform evolution, providing single sign‑on, third‑party login, and a foundation for open platforms.
Term Definitions
Third‑party application: also called “client”.
HTTP service: service provider.
Resource Owner: the user.
User Agent: the browser.
Authorization server: handles authentication.
Resource server: stores user‑generated resources; may be separate from the authorization server.
R&D Background
Traditional monolithic apps store user info in session, but with RESTful APIs and micro‑services, token‑based authentication is increasingly common. Tokens contain user information, enabling stateless verification.
Advantages of token authentication:
Server‑side statelessness: no session storage needed.
Better performance: no database or remote calls for each verification.
Supports mobile and cross‑domain calls.
R&D Goal
Implement a standard security authentication process that allows heterogeneous systems to integrate securely and uniformly.
Typical Token Authentication Flow
User submits login credentials (or calls token API) to the authentication service.
The service validates credentials and returns a token containing user info, permissions, and expiry.
The client includes the token in HTTP request headers for subsequent API calls.
The called microservice validates the token.
The service returns the requested resources.
Security Function Points
Token Renewal Flow
Obtain a credential: the client uses its client ID/secret and user credentials to get an Access Token from the authorization server.
Login authorization: the client presents the Access Token to the resource server, which validates the token, client credentials, and user identity before granting access.
Access verification: the resource server checks token validity and permissions, then returns the resource.
Credential renewal: when the Access Token expires, the client uses a Refresh Token to obtain a new Access Token.
Authentication Process Logic
System Authorization
The authorization server issues an Access Token to the client application after verifying the client and the user.
System Authentication
The client sends the Access Token to the server; the resource server validates the token, client, and user, then loads the user's permissions to complete login.
Token validation ensures legitimacy and permission before returning resources.
Credential Renewal
When an Access Token expires, a refresh operation obtains a new token.
Interface Design – Authorization Credential
Obtain an authorization credential by verifying client and user identities, then issue a token.
Client ID/secret is generated after the third‑party app passes registration review.
Authorization Credential Renewal
Obtain a renewal credential by verifying client identity and Refresh Token, then issue a new Access Token.
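The following is an added example, not code from the original article: a minimal implementation of the flow described above (OAuth2 password grant, JWT issuance, resource-server validation, and Refresh Token renewal) in one self-contained Python module using only the standard library. It covers both the Typical Token Authentication Flow and the Credential Renewal / interface design sections. All names, keys, clients, users, and lifetimes are constructed assumptions for the demo; the HS256 JWT is built by hand so the example runs offline without a JWT library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the example; a real deployment loads the signing key
# and the client registry from a secret store / database.
SIGNING_KEY = b"constructed-demo-signing-key"
ACCESS_TTL = 3600             # access token lifetime, seconds
REFRESH_TTL = 30 * 24 * 3600  # refresh token lifetime, seconds


def _digest(secret: str) -> str:
    # Placeholder credential hash for the demo; user passwords in production
    # belong behind a real password hash (argon2/bcrypt/scrypt).
    return hashlib.sha256(secret.encode()).hexdigest()


# Registered third-party clients (client ID/secret issued after registration review).
CLIENTS = {"web-app": _digest("client-secret-123")}
# Resource owners and the permissions loaded at login.
USERS = {"alice": {"pw": _digest("correct horse"), "roles": ["reader"]}}
# Refresh tokens are opaque server-side state: token -> (client_id, username, expiry).
REFRESH_STORE = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()


def issue_jwt(sub, client_id, roles, ttl, now):
    """Mint an HS256 JWT carrying user, client, permissions, and expiry."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "cid": client_id, "roles": roles,
               "iat": int(now), "exp": int(now) + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    return signing_input + "." + _b64url(_sign(signing_input))


def validate_jwt(token, now):
    """Return (payload, "ok") or (None, reason). The verification algorithm is
    fixed server-side; the token's own alg header never selects the verifier."""
    try:
        h, p, s = token.split(".")
        if not hmac.compare_digest(_sign(h + "." + p), _b64url_decode(s)):
            return None, "bad_signature"
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "bad_alg"
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None, "expired"
    return payload, "ok"


def _client_ok(client_id, client_secret):
    stored = CLIENTS.get(client_id)
    return stored is not None and hmac.compare_digest(stored, _digest(client_secret))


def _issue_pair(client_id, username, now):
    access = issue_jwt(username, client_id, USERS[username]["roles"], ACCESS_TTL, now)
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh] = (client_id, username, now + REFRESH_TTL)
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}


def token_endpoint(client_id, client_secret, username, password, now=None):
    """Authorization server, password grant: verify client, then user, then issue tokens."""
    now = time.time() if now is None else now
    if not _client_ok(client_id, client_secret):
        return {"error": "invalid_client"}
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _digest(password)):
        return {"error": "invalid_grant"}
    return _issue_pair(client_id, username, now)


def refresh_endpoint(client_id, client_secret, refresh_token, now=None):
    """Credential renewal: verify client and Refresh Token, then rotate both tokens."""
    now = time.time() if now is None else now
    if not _client_ok(client_id, client_secret):
        return {"error": "invalid_client"}
    entry = REFRESH_STORE.pop(refresh_token, None)  # single use: a replayed token fails
    if entry is None or entry[0] != client_id or entry[2] <= now:
        return {"error": "invalid_grant"}
    return _issue_pair(client_id, entry[1], now)


def resource_endpoint(authorization_header, required_role, now=None):
    """Resource server: check Bearer token signature, expiry, and permission."""
    now = time.time() if now is None else now
    prefix = "Bearer "
    if not authorization_header or not authorization_header.startswith(prefix):
        return 401, {"error": "missing_token"}
    payload, reason = validate_jwt(authorization_header[len(prefix):], now)
    if payload is None:
        return 401, {"error": reason}
    if required_role not in payload.get("roles", []):
        return 403, {"error": "insufficient_scope"}
    return 200, {"owner": payload["sub"], "data": "constructed resource"}
```

Two design points worth noting: the resource server verifies the signature before it parses any claim, and it never lets the token's alg header choose the verification algorithm, so a forged header cannot downgrade the check; and the Refresh Token is an opaque, single-use server-side record that is rotated on every renewal, so a leaked or replayed Refresh Token is rejected and the client's identity is re-checked on each renewal.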