How Token‑Based OAuth2 Authentication Powers Secure Enterprise Platforms
This article explains why enterprises need a unified, token‑based OAuth2 authentication system, outlines its advantages over session‑based methods, describes the OAuth2 password grant and the use of JWT as the token format, and details the authorization, authentication, and credential‑renewal processes with architectural diagrams.
Term Definitions
Third‑party application: the application that requests access on the user's behalf; OAuth calls it the “client”.
HTTP service: the service provider that hosts the protected resources.
Resource Owner: the user who logs in and owns the resources being accessed.
User Agent: the browser (or other agent) through which the user interacts with the client.
Authorization server: the server that authenticates the resource owner and the client and issues tokens.
Resource server: stores and serves user‑generated resources and validates the tokens presented to it; may be the same host as the authorization server or a separate one.
R&D Background
In monolithic applications, each request is authorized against user information cached in a server‑side session, which the browser references by an opaque session ID cookie. With the rise of RESTful APIs and microservices, token‑based authentication has become common. Unlike an opaque session ID, a token carries the user information itself and can be validated by any service that holds the verification key, without a shared session store.
Advantages of token authentication:
Stateless server: no session data has to be stored or replicated, because a self‑contained token carries the user information.
Better performance: validating a signed, self‑contained token is a local signature and expiry check, with no database or remote service lookup. The trade‑off is that such a token cannot be invalidated before it expires unless short lifetimes or a revocation list are added.
Supports mobile devices and cross‑application calls: the token travels in an HTTP header rather than a cookie, so it is not bound to a cookie domain.
R&D Goals
Implement a standard security authentication process that enables flexible integration and unified authentication across heterogeneous systems and services.
A typical token‑based authentication flow includes:
The user submits login information (or the client calls a token API) to the authentication service.
The authentication service validates the credentials and returns a token whose claims carry basic user info, the granted permission scope, and an expiration time.
The client stores the token (for example in its session or database) and sends it in the HTTP Authorization header on subsequent API calls.
The invoked microservice validates the token locally: signature, expiry, and the audience it was issued for.
If the token is valid, the service returns the requested resources and data; otherwise it rejects the request.
Technical Selection Analysis
The system adopts the OAuth2 password grant type and uses JWT as the token format. The password grant hands the user's credentials to the client, so it is only suitable for first‑party clients that the authorization server fully trusts; the OAuth 2.0 Security Best Current Practice deprecates it, and new third‑party integrations should use the authorization code grant instead.
OAuth Open Authorization
OAuth 2.0 (RFC 6749) defines an open standard for delegated authorization: a third‑party application obtains limited access to a user's resources without ever learning the user's password. The password grant below is the one exception to that rule, which is why it is restricted to trusted clients.
Main grant types:
Authorization code: for clients that have a server‑side component able to keep a secret. The browser is redirected to the authorization server, which returns a short‑lived code that the client exchanges for tokens over a back channel (with PKCE for public clients).
Implicit: for browser or mobile apps that obtain the token directly in the user agent, returned in the redirect URL fragment. It is now deprecated in favour of the authorization code grant with PKCE.
Password: trusted, first‑party clients collect the user's username and password themselves and POST them, together with their client credentials, to the token endpoint.
Client credentials: the client authenticates as itself, not on behalf of a user; used for service‑to‑service calls.
JSON Web Token (JWT)
JWT is a compact, URL‑safe, JSON‑based open standard (RFC 7519) for transmitting claims between parties. It is well‑suited for single sign‑on (SSO) in distributed systems, carrying the authenticated user identity plus optional business claims, and can be signed (JWS) or encrypted (JWE). A signed JWT is three base64url segments, header.payload.signature; a verifier must check the signature with a pinned algorithm and validate the exp and aud claims before trusting anything in the payload, since the payload is only base64‑encoded, not secret.
Authentication Process Logic
System Authorization
The third‑party client sends its client ID/secret together with the resource owner's credentials to the authorization server's token endpoint.
The server verifies both and issues an Access Token (and normally a refresh token) to the client.
System Authentication
The client sends the Access Token in the Authorization header (Bearer scheme) when requesting server resources. The resource server validates the token's signature and expiry, checks that it was issued to this client and for this resource server, identifies the user from its claims, then loads the user's permissions to complete login.
If the token is valid and the permissions allow it, the resource server returns the requested data; otherwise it responds with 401 (invalid token) or 403 (insufficient permissions).
Credential Renewal
When an Access Token expires, the client presents the refresh token, together with its own client credentials, to the authorization server's token endpoint and receives a new Access Token without the user logging in again. Refresh tokens are long‑lived bearer credentials, so the authorization server should keep a record of them (so they can be revoked), bind each one to the client it was issued to, and rotate it on every use.
Interface Design
Authorization Credential
Obtain an authorization credential by validating the client's identity and the resource owner's credentials, then issue an access token and a refresh token.
The client ID/secret is generated after the third‑party application registers and passes review; the secret must be stored and transmitted like a password.
Authorization Credential Renewal
Obtain a renewal credential by validating the client's identity and the refresh token (it exists, has not expired, has not already been used, and belongs to this client), then issue a new token.
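The whole process described above, from the password grant through local token validation on the resource server to renewal with a refresh token, as one runnable added example. This is not code from the original article or from any 21CTO project. It assumes HS256 signing with a single key shared by the authorization server and the resource server, an in‑memory client registry and user store, and hypothetical names (AuthorizationServer, token_endpoint, get_items, run_flow, ISSUER, AUDIENCE); the client "inventory-app", the user "alice" and every secret are constructed sample data.

```python
# Added example, not the platform's code. Assumes HS256 with one key shared by both servers; all names/data are constructed.
import base64, hashlib, hmac, json, secrets

SIGNING_KEY = b"demo-signing-key"  # use a managed secret (or asymmetric keys) in production
ISSUER, AUDIENCE, ACCESS_TTL, REFRESH_TTL = "https://auth.example", "inventory-api", 3600, 30 * 24 * 3600

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_encode(claims: dict, key: bytes) -> str:
    """Compact JWS: b64url(header).b64url(payload).b64url(HMAC-SHA256 over the first two)."""
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])

def jwt_verify(token: str, key: bytes, now: float) -> dict:
    """Return the claims or raise ValueError; nothing in the payload is trusted before the MAC passes."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(h64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm; reject alg=none
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p64))
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthorizationServer:
    def __init__(self, key: bytes):
        self.key = key
        self.clients = {"inventory-app": b"client-s3cret"}  # issued at registration (constructed)
        self.users = {"alice": (b"salt-1", _pw_hash("correct horse battery staple", b"salt-1"))}
        self.refresh_tokens = {}  # refresh_token -> (client_id, user, expiry): the only server-side state

    def _issue(self, client_id: str, user: str, now: float) -> dict:
        claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": user, "client_id": client_id,
                  "scope": "read", "iat": int(now), "exp": int(now) + ACCESS_TTL}
        refresh = secrets.token_urlsafe(32)  # opaque, so it can be revoked server-side
        self.refresh_tokens[refresh] = (client_id, user, now + REFRESH_TTL)
        return {"access_token": jwt_encode(claims, self.key), "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def token_endpoint(self, form: dict, now: float) -> dict:
        client_id, secret = form.get("client_id", ""), form.get("client_secret", "")
        if not hmac.compare_digest(self.clients.get(client_id, b""), secret.encode()):
            return {"error": "invalid_client"}
        if form.get("grant_type") == "password":
            user = self.users.get(form.get("username", ""))
            if user is None or not hmac.compare_digest(user[1], _pw_hash(form.get("password", ""), user[0])):
                return {"error": "invalid_grant"}
            return self._issue(client_id, form["username"], now)
        if form.get("grant_type") == "refresh_token":
            entry = self.refresh_tokens.pop(form.get("refresh_token", ""), None)  # single use: rotation
            if entry is None or entry[0] != client_id or now >= entry[2]:
                return {"error": "invalid_grant"}
            return self._issue(client_id, entry[1], now)
        return {"error": "unsupported_grant_type"}

def get_items(headers: dict, now: float, key: bytes = SIGNING_KEY) -> tuple:
    """Resource server: validate the bearer token locally, then enforce scope."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    try:
        claims = jwt_verify(auth[len("Bearer "):], key, now)
    except ValueError as exc:
        return 401, {"error": "invalid_token", "detail": str(exc)}
    if "read" not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"owner": claims["sub"], "items": ["widget-1", "widget-2"]}

def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Authorization, authentication, expiry, an alg=none forgery and renewal, as outcomes."""
    auth_srv, later = AuthorizationServer(SIGNING_KEY), now + ACCESS_TTL + 1
    creds = {"client_id": "inventory-app", "client_secret": "client-s3cret"}
    grant = auth_srv.token_endpoint({**creds, "grant_type": "password", "username": "alice",
                                     "password": "correct horse battery staple"}, now)
    alg_none = ".".join([_b64url(b'{"alg":"none"}'), grant["access_token"].split(".")[1], ""])
    refresh = {**creds, "grant_type": "refresh_token", "refresh_token": grant["refresh_token"]}
    renewed, replay = auth_srv.token_endpoint(refresh, later), auth_srv.token_endpoint(refresh, later)
    return {"ok": get_items({"Authorization": "Bearer " + grant["access_token"]}, now)[0],
            "expired": get_items({"Authorization": "Bearer " + grant["access_token"]}, later)[0],
            "alg_none": get_items({"Authorization": "Bearer " + alg_none}, now)[0],
            "after_renew": get_items({"Authorization": "Bearer " + renewed["access_token"]}, later)[0],
            "replay": replay.get("error")}
```

Calling run_flow() walks the three phases: the password grant yields a bearer token that get_items accepts with no lookup against the authorization server (the stateless property from the advantages list), the same token is refused once its exp has passed, a token rewritten with alg=none is refused because the verifier pins HS256, and the refresh token obtains a fresh access token exactly once, so a replayed refresh request fails with invalid_grant. The access token is a self‑contained JWT, while the refresh token is deliberately opaque and recorded server‑side so it can be rotated and revoked.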
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO
21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.