OAuth2 and JWT Based Security Authentication Design and Implementation Overview
This article provides a comprehensive overview of a token‑based security authentication system, covering terminology, development background, objectives, functional points, technology selection, OAuth2 grant types, JWT fundamentals, authentication flow, credential renewal, and interface design for unified access control across microservices.
01. Terminology Definitions
Third‑party application – also called the "client".
HTTP service – the service provider.
Resource Owner – the user who logs in.
User Agent – the browser.
Authorization server – a dedicated server for handling authentication.
Resource server – the server that stores user‑generated resources; it may be the same host as the authorization server.
02. Development Background
As enterprise applications proliferate, isolated user data creates information silos, hindering platform‑level evolution. A unified, standardized account management system becomes essential for single sign‑on, third‑party login, and building open platforms and ecosystems.
In monolithic systems, permissions are checked globally and user info is stored in session. With the rise of RESTful APIs and microservices, token‑based authentication is increasingly common; tokens carry user information and enable stateless verification.
Advantages of token‑based authentication:
Stateless server – no session storage is needed.
Better performance – no database lookup on every request.
Mobile and cross‑application calls are supported, and the cookie cross‑domain limitations are avoided.
03. Development Goals
Provide a standard security authentication process that allows heterogeneous or cross‑service integration with unified authentication.
04. Security Authentication Functional Points
Credential acquisition: third‑party client obtains an Access Token from the authorization server using client credentials and user credentials.
Login authorization: client presents Access Token to resource server, which validates the token and user legitimacy before granting access.
Access verification: resource server validates the token and permissions, then returns the requested resource.
Credential renewal: expired Access Tokens are refreshed via a Refresh Token.
05. Technical Selection Analysis
System authorization follows the OAuth2 open‑authorization standard, using the password grant (Resource Owner Password Credentials). Tokens are issued in the JWT format.
06. OAuth Open Authorization
OAuth defines a secure, open, and simple standard for user resource authorization, allowing third‑party apps to obtain user permissions without knowing passwords.
Main grant types:
Authorization Code – the code is exchanged for a token between the client's back end and the authorization server.
Implicit – for mobile/web apps; token is returned directly to the browser.
Password – trusted clients collect user credentials and request tokens.
Client Credentials – client authenticates as itself, not on behalf of a user.
07. JSON Web Token (JWT)
JWT is a compact, URL‑safe means of representing claims to be transferred between two parties, widely used for SSO in distributed systems; it can be signed and optionally encrypted.
08. Authentication Process Logic
09. System Authorization
The third‑party client presents its client ID/secret together with the user's credentials to the authorization server and receives an Access Token.
10. System Authentication
Client sends Access Token to the resource server; the server validates the token, client identity, and user legitimacy, then loads user permissions to complete login.
After validation, the resource server returns the requested resource.
11. Credential Renewal
When an Access Token expires, a Refresh Token is used to obtain a new Access Token.
12. Interface Design
13. Authorization Credential
Obtain authorization credentials by validating client identity and resource owner, then issue a token.
Client ID/secret is generated after the third‑party application passes registration review.
14. Authorization Credential Renewal
Renew credentials by validating client identity and Refresh Token, then issue a new token.
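The flow of sections 09 to 14 (password grant, resource‑server validation, refresh renewal) worked through in code. This is an added example, not code from the original article or any referenced system; the signing key, client registry, user store and the unsalted SHA‑256 password hash are constructed for the demo, and the HS256 JWT is implemented with the standard library only.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-hmac-key"              # assumption: key shared by auth and resource server
CLIENTS = {"app1": "app1-secret"}                  # constructed registry from client registration (section 13)
USERS = {"alice": hashlib.sha256(b"pw").hexdigest()}  # constructed user store (demo hash, not a real password hash)
REFRESH_STORE = {}                                 # refresh_token -> (username, client_id)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def jwt_sign(claims):
    # header.payload.signature, HS256 computed over the first two segments
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"
def jwt_verify(token, audience=None, now=None):
    # Resource-server side (section 10): check signature, expiry and intended client
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):  # always HMAC; header "alg" is not trusted
            return None
        claims = json.loads(_unb64(body))
    except ValueError:                                 # malformed segments, base64 or JSON
        return None
    if claims.get("exp", 0) <= (now or time.time()) or (audience and claims.get("aud") != audience):
        return None
    return claims
def _client_ok(client_id, client_secret):
    return hmac.compare_digest(CLIENTS.get(client_id, ""), client_secret)
def _issue(username, client_id, now):
    access = jwt_sign({"sub": username, "aud": client_id, "iat": int(now), "exp": int(now) + 900})
    refresh = secrets.token_urlsafe(32)                # opaque refresh token, stored server-side
    REFRESH_STORE[refresh] = (username, client_id)
    return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}
def password_grant(client_id, client_secret, username, password, now=None):
    # Section 13: validate client identity and resource owner, then issue a token
    if not _client_ok(client_id, client_secret):
        return None
    if USERS.get(username) != hashlib.sha256(password.encode()).hexdigest():
        return None
    return _issue(username, client_id, now or time.time())
def refresh_grant(client_id, client_secret, refresh_token, now=None):
    # Section 14: validate client identity and Refresh Token, then issue a new pair
    if not _client_ok(client_id, client_secret):
        return None
    owner = REFRESH_STORE.pop(refresh_token, None)     # single use: the refresh token rotates on renewal
    if owner is None or owner[1] != client_id:
        return None
    return _issue(owner[0], client_id, now or time.time())
```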
IT Architects Alliance