Security is no longer a “backend concern” — it’s a fundamental layer of every modern application. Whether you’re building a monolith or a microservices architecture, getting authentication and authorization right is non-negotiable.
In this post, we’ll walk through:
- ✅ The difference between Authentication & Authorization
- 🔑 What OAuth 2.0 really is (and what it’s not)
- 🔐 How JWTs are used to represent identity
- 🧰 Code snippets and real-world advice for applying these in your applications
✅ Authentication vs Authorization: Know the Difference
| Concept | What it means | Example |
|---|---|---|
| Authentication | Proves who you are | “I am Alice” |
| Authorization | Checks what you’re allowed to do | “Alice can access /admin” |
🔑 Authentication answers “Who are you?”, while Authorization answers “What can you do?”
🔄 OAuth 2.0 — Delegated Authorization Framework
OAuth 2.0 is not an authentication protocol. It’s a framework for delegated access — allowing one system (client) to access resources in another (resource server) on behalf of the user.
📌 Real-world example:
You’re using an app that posts tweets on your behalf. Instead of sharing your Twitter password, OAuth lets you:
- Login with Twitter
- Authorize the app to “post tweets”
- Get redirected back with a token that proves consent
🔑 Roles in OAuth 2.0:
- Resource Owner: The user (you)
- Client: The third-party app (e.g., Spotify, Slack)
- Authorization Server: Issues tokens (e.g., Google, Auth0)
- Resource Server: The API being accessed (e.g., Twitter API)
📘 OAuth 2.0 Flow (Authorization Code Grant)
textCopyEditClient → Authorization Server → (Login + Consent) → Authorization Code
→ Client exchanges Code → Access Token + Refresh Token
Tokens are then used to access protected APIs without exposing user credentials.
🔐 JWT (JSON Web Tokens) — Self-contained Claims
JWTs are compact, signed tokens that represent claims (who the user is, what roles they have, etc.). They are often used as access tokens in OAuth 2.0 flows.
🧱 JWT Structure
textCopyEditHeader.Payload.Signature
Example:
{
"sub": "1234567890",
"name": "John Doe",
"role": "admin",
"iat": 1717420000,
"exp": 1717423600
}
- Header: Metadata (e.g., algorithm)
- Payload: Claims (e.g., user ID, roles)
- Signature: Ensures token integrity (HMAC or RSA signed)
✅ Why Use JWTs?
- Stateless: No need to store sessions on the server
- Fast: Easy to validate with just the secret/public key
- Portable: Can be passed in headers, cookies, etc.
🛡️ JWT in Authorization (Spring Boot Example)
@GetMapping("/admin")
@PreAuthorize("hasRole('ADMIN')")
public String adminEndpoint() {
return "Admin dashboard";
}
With Spring Security + JWT:
- The JWT is decoded on every request
- The user’s role is extracted from the token
- Authorization decisions are made based on claims
⚠️ JWT Security Best Practices
- Always validate signature
- Never store sensitive data in the payload (it’s only base64-encoded)
- Set expiration (
exp) and issue time (iat) - Use HTTPS to prevent token interception
- Prefer short-lived access tokens with refresh tokens
🔄 Refresh Tokens
Access tokens should be short-lived (e.g., 15 mins). Refresh tokens can be used to issue new access tokens without logging in again.
Store refresh tokens securely, preferably in HTTP-only cookies, and revoke them on logout.
🔄 OAuth2 + JWT in Microservices
Architecture Example:
- Auth Server: Issues JWTs (e.g., Keycloak, Auth0, Spring Authorization Server)
- Gateway: Validates JWT before forwarding
- Services: Rely on JWT claims for role checks
Each service doesn’t need to contact the Auth Server — they just validate the JWT signature and extract claims.
📌 When to Use What?
| Scenario | Use |
|---|---|
| User login/session management | OAuth 2.0 + JWT or Session cookies |
| Microservice authorization | JWT with roles/permissions |
| 3rd-party API access | OAuth 2.0 client credentials flow |
| Mobile/native app auth | OAuth 2.0 + PKCE |
✅ Final Thoughts
Authentication and authorization are the foundation of security in modern applications. OAuth2 and JWTs, when used properly, enable scalable, stateless, and secure identity flows across distributed systems.
As an expert engineer, your job isn’t just to implement them — it’s to understand the trade-offs, apply best practices, and protect both data and users.
Leave a Reply