Unlocking Secure Unified Account Management with Token‑Based OAuth2
This article explains why enterprises need a standardized account management system, outlines the advantages of token‑based authentication over session‑based approaches, and details the OAuth2 and JWT design, workflow, and technical choices for building a scalable, secure, cross‑service authentication solution.
Why Unified Account Management Is Needed
When an enterprise’s application landscape grows, managing user data separately for each system creates information silos. A unified, standardized account management platform provides single sign‑on, third‑party login, and a foundation for open platforms and business ecosystems.
Terminology
Third‑party application: also called the “client”.
HTTP service: the service provider.
Resource Owner: the user who logs in.
User Agent: the browser.
Authorization server: the server that handles authentication.
Resource server: the server that stores user‑generated resources; it may be the same as or separate from the authorization server.
Research Background
In monolithic applications, every request passes a permission interceptor and user information is cached in a session. With the rise of RESTful APIs and micro‑services, token‑based authentication has become prevalent. Unlike a session ID, a token carries user information and can be validated without server‑side state.
Server‑side statelessness: the token contains all necessary user data.
Better performance: token validation avoids database or remote calls.
Mobile‑friendly: tokens work across domains and devices, unlike cookies.
Research Objectives
Provide a standard security authentication process that enables flexible integration and unified authentication across heterogeneous systems.
User submits login credentials (or calls a token API) to the authentication service.
The authentication service validates the credentials and returns a token containing user info, permissions, and expiration.
The client places the token in the HTTP request header for subsequent API calls.
The invoked micro‑service validates the token’s permissions.
The service returns the requested resources.
Security Authentication Features
The token‑based flow includes credential acquisition, login authorization, access verification, and token renewal.
Technical Selection
System authorization adopts the OAuth2 password grant type.
Tokens follow the JWT standard.
OAuth Open Authorization
OAuth defines a secure, open standard that lets third‑party applications obtain user authorization without knowing the user’s password.
Grant Types
Authorization Code: used between client and server applications.
Implicit: for mobile or web apps where the token is returned directly to the browser.
Password: trusted clients collect the user’s username and password and request a token.
Client Credentials: the client authenticates as itself, not on behalf of a user.
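The two grants the article's design actually uses (password for the trusted first-party client, client credentials for a service acting as itself) are shown below on the wire as an added example in Python; this is not code from the article or from the blog it summarizes. The client authenticates with HTTP Basic and the body is form-encoded as in RFC 6749, and the server answers with the standard JSON token response or one of the RFC 6749 error codes. The client and user registrations, the per-client list of permitted grants, the 900-second lifetime and the opaque placeholder token value are assumptions made for this example; the article's design would put a JWT in the access_token field.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

_SALT = b"constructed-salt"  # constructed; real stores use a per-record random salt

def _hash(secret):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 100_000)

# Constructed registrations: which grant types each client may use, and one user.
CLIENTS = {
    "web-portal": {"secret": _hash("portal-secret"), "grants": {"password"}},
    "batch-job": {"secret": _hash("batch-secret"), "grants": {"client_credentials"}},
}
USERS = {"alice": _hash("correct horse")}
ACCESS_TTL = 900  # assumed access-token lifetime in seconds

def basic_auth_header(client_id, secret):
    """What the client sends: id:secret in HTTP Basic (RFC 6749 section 2.3.1)."""
    cred = base64.b64encode(f"{client_id}:{secret}".encode()).decode("ascii")
    return {"Authorization": "Basic " + cred,
            "Content-Type": "application/x-www-form-urlencoded"}

def _error(status, code):
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if status == 401:
        headers["WWW-Authenticate"] = 'Basic realm="token"'
    return status, headers, {"error": code}

def _authenticate_client(headers):
    """Return the client_id if the Basic credentials match a registration, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
    except ValueError:  # bad base64 and bad UTF-8 are both ValueError subclasses
        return None
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], _hash(secret)):
        return None
    return client_id

def handle_token_request(headers, body):
    """Token endpoint: (status, response headers, JSON body) for a form-encoded request."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client_id = _authenticate_client(headers)
    if client_id is None:
        return _error(401, "invalid_client")
    grant = form.get("grant_type")
    if grant not in ("password", "client_credentials"):
        return _error(400, "unsupported_grant_type")
    if grant not in CLIENTS[client_id]["grants"]:
        return _error(400, "unauthorized_client")
    response = {"access_token": secrets.token_urlsafe(32),  # placeholder; the design uses a JWT
                "token_type": "Bearer", "expires_in": ACCESS_TTL}
    if grant == "password":
        username, password = form.get("username"), form.get("password")
        if username is None or password is None:
            return _error(400, "invalid_request")
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash(password)):
            # Same answer for unknown user and wrong password: no account enumeration.
            return _error(400, "invalid_grant")
        response["refresh_token"] = secrets.token_urlsafe(32)
    # client_credentials: the client acts as itself; no resource owner, so no refresh token.
    return 200, {"Content-Type": "application/json", "Cache-Control": "no-store"}, response

if __name__ == "__main__":
    body = urlencode({"grant_type": "password", "username": "alice", "password": "correct horse"})
    print(handle_token_request(basic_auth_header("web-portal", "portal-secret"), body))
    print(handle_token_request(basic_auth_header("web-portal", "wrong"), body))  # 401 invalid_client
```

Two checks are worth keeping whatever framework ends up serving this endpoint: the server answers invalid_grant identically for an unknown user and a wrong password, and it refuses a grant type the client was not registered for (unauthorized_client), so a client meant for the client-credentials grant cannot start collecting user passwords. The client-credentials response carries no refresh token because there is no resource owner whose session it would extend, and every token response is marked Cache-Control: no-store.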
JSON Web Token (JWT)
JWT is a compact, URL‑safe means of representing claims to be transferred between two parties. It is widely used for single sign‑on (SSO) and can carry additional business claims.
Authentication Process Logic
System Authorization
Third‑party clients use client ID/secret and user credentials to obtain an Access Token from the authorization server.
System Authentication
The client presents the Access Token to the resource server, which validates the token, the client, and the resource owner before granting access.
Credential Renewal
When the Access Token expires, a refresh token is used to obtain a new token.
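The five-step flow listed under Research Objectives together with the renewal step just described, worked through as one added example in Python; this is not code from the article or from the blog it summarizes. It builds and verifies HS256 JWTs with the standard library only, so the claim names (sub, scope, token_use, iat, exp), the shared signing key, the user store and the 15-minute and 7-day lifetimes are assumptions chosen for the example:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; a real deployment loads the key from a secret store.
SIGNING_KEY = b"example-hs256-key-not-for-production"
ACCESS_TTL = 15 * 60         # assumed access-token lifetime (seconds)
REFRESH_TTL = 7 * 24 * 3600  # assumed refresh-token lifetime (seconds)
_SALT = b"constructed-salt"

def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed user store: username -> (password hash, granted permissions)
USERS = {"alice": (_hash_pw("correct horse"), ["order:read", "order:write"])}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()

def encode_jwt(claims):
    """Build header.payload.signature, HS256 over the base64url-encoded header and payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    parts.append(_b64url(_sign(".".join(parts).encode("ascii"))))
    return ".".join(parts)

def decode_jwt(token, now=None):
    """Verify algorithm, signature and expiry; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a token that claims "none" or any other alg is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # A token without exp is treated as already expired, never as valid forever.
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def _access_token(username, permissions, now):
    # token_use is an assumed claim name that keeps access and refresh tokens apart.
    return encode_jwt({"sub": username, "scope": permissions, "token_use": "access",
                       "iat": now, "exp": now + ACCESS_TTL})

def issue_tokens(username, password, now=None):
    """Steps 1-2: the authentication service checks credentials and returns the token pair."""
    now = int(time.time()) if now is None else now
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0], _hash_pw(password)):
        return None
    refresh = encode_jwt({"sub": username, "token_use": "refresh",
                          "iat": now, "exp": now + REFRESH_TTL})
    return {"access_token": _access_token(username, record[1], now),
            "refresh_token": refresh, "token_type": "Bearer", "expires_in": ACCESS_TTL}

def refresh_tokens(refresh_token, now=None):
    """Credential renewal: a valid refresh token yields a new access token."""
    now = int(time.time()) if now is None else now
    try:
        claims = decode_jwt(refresh_token, now)
    except ValueError:
        return None
    if claims.get("token_use") != "refresh":
        return None  # an access token must not double as a refresh token
    record = USERS.get(claims["sub"])
    if record is None:
        return None  # user removed since the refresh token was issued
    return {"access_token": _access_token(claims["sub"], record[1], now),
            "token_type": "Bearer", "expires_in": ACCESS_TTL}

def authorize_request(headers, required_permission, now=None):
    """Steps 3-4: the micro-service validates the bearer token locally, with no remote call."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        claims = decode_jwt(auth[len("Bearer "):], now)
    except ValueError:
        return None
    if claims.get("token_use") != "access" or required_permission not in claims.get("scope", []):
        return None
    return claims

if __name__ == "__main__":
    t0 = 1_700_000_000
    pair = issue_tokens("alice", "correct horse", now=t0)
    hdr = {"Authorization": "Bearer " + pair["access_token"]}
    print(authorize_request(hdr, "order:read", now=t0 + 60))          # the claims dict
    print(authorize_request(hdr, "order:read", now=t0 + ACCESS_TTL))  # None: expired
    print(refresh_tokens(pair["refresh_token"], now=t0 + ACCESS_TTL) is not None)  # True
```

Because validation is a local signature check, the micro-service needs no call back to the authentication service, which is the performance point made above; the flip side is that a stateless token cannot be withdrawn before its exp, which is why the access token is short-lived and renewal goes through the separate, longer-lived refresh token. With a shared HS256 key every service that can verify a token can also mint one, so in a multi-service deployment an asymmetric algorithm (RS256 or ES256) with the private key held only by the authorization server is the usual choice; the verification logic above stays the same apart from the signature primitive.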
Interface Design
Authorization Credential
Clients obtain a token after the system validates both client and resource‑owner identities.
Credential Renewal
Clients use a refresh token to extend the token’s validity.
Java High-Performance Architecture
Sharing Java development articles and resources, including SSM architecture and the Spring ecosystem (Spring Boot, Spring Cloud, MyBatis, Dubbo, Docker), Zookeeper, Redis, architecture design, microservices, message queues, Git, etc.