Standardized Token‑Based Authentication Architecture Using OAuth2 and JWT for Enterprise Platforms

The article outlines the need for a unified account management system in enterprise platforms and details a token‑based authentication solution using OAuth2 password grant and JWT, describing its advantages, workflow, technical selection, and interface design for secure cross‑service integration.

Architecture Digest

When an enterprise’s number of applications grows, managing user data separately creates information silos; a unified, standardized account management system becomes essential for platform‑level services such as single sign‑on, third‑party login, and cross‑system authorization.

Terminology – Third‑party application (client), HTTP service (service provider), Resource Owner (user), User Agent (browser), Authorization server, Resource server.

Research background – Traditional monolithic applications keep user sessions in server-side state, so every request must reach a server that holds (or shares) that session store. Modern RESTful and micro-service architectures favor token-based authentication, in which the authentication service issues a signed token that the client presents on every request: the resource servers keep no session state, which reduces load and lets the same scheme serve web, mobile, and service-to-service clients.

Research goal – Provide a flexible, standardized security authentication process that enables heterogeneous systems and cross‑service integration.

Typical token authentication flow

User submits login credentials (or calls a token API) to the authentication service.

The service validates the credentials and returns a signed token carrying the user's identity, permissions (scope), and an expiration time.

The client places the token in the HTTP request header for subsequent API calls.

The called micro‑service validates the token (signature, issuer, and expiration) and checks that it grants the permission the request needs.

The service returns the requested resources.

Security function points

Obtain credentials: the client uses its client ID/secret and the resource owner’s username/password to get an Access Token.

Login authorization: the client presents the Access Token to the resource server, which validates the token and the user’s permissions.

Access authentication: the resource server checks the token’s validity before returning data.

Credential renewal: when the Access Token expires, a refresh token is used to obtain a new token.

Technical selection

OAuth2 password‑grant flow (Resource Owner Password Credentials) for system authorization. Caveat: this grant requires the client to handle the user's password directly, so it is only appropriate for fully trusted first‑party clients; the OAuth 2.0 Security Best Current Practice (RFC 9700) deprecates it, and new deployments should prefer the authorization code grant with PKCE.

JWT (JSON Web Token) as the token format.

OAuth2 overview – An open standard (RFC 6749) that allows third‑party applications to obtain limited, scoped access to a user's resources without the user handing those applications their password. The article describes the four grant types of the original specification: authorization code, implicit, password (resource owner password credentials), and client credentials. Only the authorization code grant actually keeps the password away from the client; the password grant reintroduces it, which is why it is reserved for trusted clients.

JWT description – A compact, URL‑safe token format defined by RFC 7519: three base64url‑encoded parts (header, claims payload, signature) separated by dots, where the signature (JWS, RFC 7515) lets any resource server holding the key verify integrity locally. Because it carries user claims and optional custom data, it suits distributed SSO scenarios. Two caveats matter in practice: the payload is only encoded, not encrypted, so secrets must not be placed in it; and the verifier must pin the algorithm it expects rather than trust the token's own alg header.

Authentication process logic

System authorization issues an Access Token to the client; system authentication validates the token, client credentials, and user identity; token renewal refreshes expired tokens.

Interface design

Authorization credential acquisition validates client and user information and issues a token; credential renewal validates the refresh token and issues a new token.
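The token flow, security function points, JWT format and interface design above, as one added worked example (this is not code from the original juejin post or from Architecture Digest): a password‑grant token endpoint that authenticates the client, verifies the user's password and issues a JWT, a stdlib HS256 signer/verifier for the RFC 7519 compact format, refresh‑token renewal with single‑use rotation, and the resource‑server bearer check. The client, user, signing key, issuer name, TTLs and static salt are constructed for the example; the refresh store is an in‑memory dict.

```python
"""Added example: OAuth2 password grant + refresh, JWT (HS256) issue/verify, stdlib only."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"demo-hs256-key-replace-with-32-random-bytes"   # assumed shared key
ISSUER = "https://auth.example.internal"                       # assumed issuer name
ACCESS_TTL = 900             # seconds an access token lives
REFRESH_TTL = 7 * 24 * 3600  # seconds a refresh token lives
PBKDF2_ROUNDS = 100_000

def pbkdf2(password, salt=b"demo-static-salt"):
    """Password hash for the constructed user table (use a random per-user salt in production)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed sample registrations: one confidential client, one user with two scopes.
CLIENTS = {"portal-web": b"portal-secret-1"}
USERS = {"alice": {"pw": pbkdf2("correct horse"), "scope": ["orders:read", "orders:write"]}}
REFRESH_STORE = {}  # refresh_token -> (sub, scope, expiry); in memory for the example

class TokenError(Exception):
    """Raised on the resource-server side when a token must be rejected."""

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims, key=SIGNING_KEY):
    """RFC 7519 compact form: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def jwt_verify(token, key=SIGNING_KEY, now=None):
    """Resource-server check: pinned alg, constant-time signature compare, iss and exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":      # never let the token choose the algorithm
            raise TokenError("unexpected alg")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise TokenError("bad signature")
        claims = json.loads(b64url_decode(p))
    except ValueError:                        # bad base64 or bad JSON
        raise TokenError("malformed")
    if claims.get("iss") != ISSUER:
        raise TokenError("bad issuer")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    return claims

def issue_tokens(sub, scope, now):
    """Access token is a self-contained JWT; refresh token is an opaque one-time handle."""
    access = jwt_sign({"iss": ISSUER, "sub": sub, "scope": scope,
                       "iat": int(now), "exp": int(now) + ACCESS_TTL})
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh] = (sub, scope, now + REFRESH_TTL)
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}

def token_endpoint(form, now=None):
    """POST /oauth/token for grant_type=password and grant_type=refresh_token."""
    now = time.time() if now is None else now
    secret = CLIENTS.get(form.get("client_id"))
    if secret is None or not hmac.compare_digest(secret, form.get("client_secret", "").encode()):
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "password":
        user = USERS.get(form.get("username", ""))
        candidate = pbkdf2(form.get("password", ""))   # hash even for unknown users (uniform timing)
        if user is None or not hmac.compare_digest(user["pw"], candidate):
            return {"error": "invalid_grant"}
        return issue_tokens(form["username"], user["scope"], now)
    if grant == "refresh_token":
        entry = REFRESH_STORE.pop(form.get("refresh_token", ""), None)  # rotation: single use
        if entry is None or now >= entry[2]:
            return {"error": "invalid_grant"}
        return issue_tokens(entry[0], entry[1], now)
    return {"error": "unsupported_grant_type"}

def authorize_request(authorization_header, required_scope, now=None):
    """Resource server: parse 'Authorization: Bearer <jwt>', verify it, enforce scope."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("missing bearer token")
    claims = jwt_verify(token, now=now)
    if required_scope not in claims.get("scope", []):
        raise TokenError("insufficient_scope")
    return claims

if __name__ == "__main__":
    t0 = time.time()
    resp = token_endpoint({"grant_type": "password", "client_id": "portal-web",
                           "client_secret": "portal-secret-1",
                           "username": "alice", "password": "correct horse"}, now=t0)
    print(authorize_request("Bearer " + resp["access_token"], "orders:read", now=t0 + 1))
```

Two design points carry the security weight. `jwt_verify` decides the algorithm itself and compares the HMAC in constant time, so a token whose header says `none` or names another algorithm is rejected before its payload is read. `REFRESH_STORE.pop` makes each refresh token single‑use, so a replayed refresh token fails with `invalid_grant` and a stolen one cannot be used indefinitely. With HS256 every resource server must hold the shared secret and could therefore mint tokens; an asymmetric algorithm (RS256/ES256) where resource servers hold only the public key is the usual production choice.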

Author: mars – Source: https://juejin.cn/post/6906149001520037902

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Information Security, JWT, OAuth2, token authentication, enterprise architecture
Written by Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
