Posts

Showing posts from June, 2025

OAuth, OpenID, SAML - Topics

OAuth, OpenID, SAML - Topics
01. OAuth and OpenID
02. Why OpenID
03. Understanding OAuth 2.0: Flows, Standards, and Security Best Practices

01. OAuth and OpenID

OAuth and OpenID

01. OAuth (Think: Valet Key for Your Car)
What it is: OAuth (Open Authorization) is all about authorization. It is a way to grant one application (like a photo printing service) permission to access your data in another application (like Google Photos) without giving it your Google Photos password.

02. OpenID Connect (OIDC) (Think: Showing Your ID at a Bar)
What it is: OpenID Connect is all about authentication. It is an identity layer built on top of OAuth 2.0 that lets you use one login (like your Google or Facebook account) to sign in to other websites or apps.

Key Difference
OAuth = About access ("Can this app use my data?")
OIDC = About identity ("Is this really John Doe?")

Real-World Use
Pure OAuth: Allowing a finance app to read your bank transactions
OIDC: Logging into that finance app using your Google account

Without OAuth 2.0, OIDC would not exist. Without OIDC, OAuth 2.0 can still exist. So, we can use OAuth...

02. Why OpenID

Why do we need OpenID Connect (OIDC) on top of OAuth 2.0 to get user information? Why didn't OAuth 2.0 itself handle user authentication and profile fetching (like email)? Couldn't OAuth have just added its own scopes and parameters to support it?

OAuth 2.0 was never designed for authentication, only authorization. So OAuth does not define how to return user identity in a secure, standard way. That means: no standard id_token (JWT) format, and no standard /userinfo endpoint.

You can build your own identity solution on OAuth alone (to get user information), but there would be no standard token format, no standard way to verify the user's identity, and a high risk of doing it wrong (and creating security holes). The classic mistake is treating possession of an access token as proof of who the user is: an access token is issued for a resource, not to a particular client, so a token obtained by one app can be replayed to another app and accepted there as a login. That is why OpenID Connect exists: to make authentication safe, easy, and interoperable.

OpenID Connect was created to safely and consistently add authentication and user identity on top of OAuth.

OpenID Connect handles:
1. Standardized id_token format ...
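Added example, not code from the original post: a runnable sketch in Python standard library only of the two sides of the "standardized id_token" point above. One function plays the OpenID provider and mints an id_token; the other plays the relying party and performs the checks OIDC specifies (signature, iss, aud, exp, nonce). The issuer URL, client ids, key and timestamps are constructed, and HS256 with a shared key is used so it runs offline, where a real provider signs with an asymmetric key published at its jwks_uri. The rejected cases show why a plain OAuth access token cannot stand in for identity and why the audience check matters.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: one identity provider (OP) and one relying party (RP)
# sharing an HMAC key. Real OIDC providers sign with RSA/EC keys published at
# the jwks_uri; HS256 is used here only so the example runs offline.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://op.example"        # hypothetical OP
CLIENT_ID = "finance-app"            # hypothetical RP (the app the user logs in to)
OTHER_CLIENT_ID = "photo-printer"    # hypothetical second RP of the same OP


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, aud: str, nonce: str, now: int) -> str:
    """OP side: mint an id_token (JWT) carrying the claims OIDC requires."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """RP side: return the claims only if every check passes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":              # pin the algorithm; never honour "none"
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SHARED_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not intended for this client")   # token-substitution defence
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:                    # binds token to this login attempt
        raise ValueError("nonce mismatch")
    return claims


def forge_subject(token: str, new_sub: str) -> str:
    """What an attacker without the key can do: rewrite 'sub' and keep the old signature."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["sub"] = new_sub
    return h + "." + b64url(json.dumps(claims).encode()) + "." + s


def login_outcome(token: str, nonce: str, now: int) -> str:
    """What the RP concludes from a presented token."""
    try:
        return "ok:" + verify_id_token(token, nonce, now)["sub"]
    except ValueError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    t0 = 1_750_000_000                      # constructed "current time"
    good = issue_id_token("john", CLIENT_ID, "n-123", t0)
    print(login_outcome(good, "n-123", t0))                                          # ok:john
    print(login_outcome("opaque-access-token-xyz", "n-123", t0))                     # an access token carries no identity
    print(login_outcome(issue_id_token("john", OTHER_CLIENT_ID, "n-123", t0), "n-123", t0))
    print(login_outcome(forge_subject(good, "admin"), "n-123", t0))
    print(login_outcome(good, "n-999", t0), login_outcome(good, "n-123", t0 + 600))
```

The aud check is the one a home-grown "identity on top of OAuth" scheme almost always lacks: without it, the id_token minted for photo-printer logs the same user into finance-app.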

03. Understanding OAuth 2.0: Flows, Standards, and Security Best Practices

Understanding OAuth 2.0: Flows, Standards, and Security Best Practices

Core OAuth 2.0 Specification
RFC 6749 describes the base OAuth 2.0 protocol: https://datatracker.ietf.org/doc/html/rfc6749
It includes:

Authorization Grant
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token. The specification defines four grant types (authorization code, implicit, resource owner password credentials, and client credentials) as well as an extensibility mechanism for defining additional types.

1. Authorization Flows (Grant Types)
These define how a client gets an access token:
Authorization Code Grant (most secure; used with server-side apps, and, combined with PKCE, the recommended choice for SPAs and native apps too)
Implicit Grant (now discouraged; formerly used with SPAs)
Resource Owner Password Credentials Grant (discouraged)
Client Credentials Grant (machine-to-machine)

2. Roles ...
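Added example, not code from the original post: an in-memory simulation in Python standard library only of the Authorization Code Grant hardened with PKCE (RFC 7636), the variant recommended for public clients. The client id, redirect URI, user name and all tokens are constructed; nothing touches a network. The three scenarios at the end show the happy path, an attacker who captured the authorization code from the redirect but never had the code_verifier, and a replay of an already-redeemed code.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory authorization server plus a public client. Client id, redirect
# URI and user name are hypothetical; nothing here talks to a real network.
CLIENT_ID, REDIRECT_URI = "finance-app", "https://finance.example/cb"
REGISTERED_CLIENTS = {CLIENT_ID: {"redirect_uri": REDIRECT_URI}}

def s256(code_verifier: str) -> str:
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def query_of(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    def __init__(self):
        self._codes = {}   # code -> what it was bound to when issued

    def authorize(self, params: dict, user: str) -> str:
        """Runs after the user authenticated and consented; returns the redirect back to the client."""
        client = REGISTERED_CLIENTS.get(params.get("client_id"))
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if params.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("PKCE (S256) is required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                             "code_challenge": params["code_challenge"], "user": user}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Token endpoint: a code is single-use and bound to client, redirect_uri and PKCE challenge."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        binding = self._codes.pop(form.get("code"), None)    # pop: any later use of this code fails
        if binding is None:
            raise ValueError("invalid or already used code")
        if (binding["client_id"], binding["redirect_uri"]) != (form.get("client_id"), form.get("redirect_uri")):
            raise ValueError("code was issued to a different client or redirect_uri")
        if s256(form.get("code_verifier", "")) != binding["code_challenge"]:
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}

class PublicClient:
    """A browser/native app: no client secret, so PKCE and state are what protect the exchange."""
    def __init__(self):
        self._pending = {}   # state -> code_verifier; lives in the user's session, never sent to /authorize

    def build_authorization_request(self) -> dict:
        verifier, state = secrets.token_urlsafe(64), secrets.token_urlsafe(16)
        self._pending[state] = verifier
        return {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                "state": state, "code_challenge": s256(verifier), "code_challenge_method": "S256"}

    def handle_callback(self, redirect_url: str, server: AuthorizationServer) -> dict:
        q = query_of(redirect_url)
        verifier = self._pending.pop(q.get("state"), None)
        if verifier is None:
            raise ValueError("state mismatch: callback does not belong to a request we started")
        return server.token({"grant_type": "authorization_code", "code": q["code"], "client_id": CLIENT_ID,
                             "redirect_uri": REDIRECT_URI, "code_verifier": verifier})

def scenario_happy_path() -> str:
    srv, app = AuthorizationServer(), PublicClient()
    redirect = srv.authorize(app.build_authorization_request(), user="john")
    return app.handle_callback(redirect, srv)["token_type"]

def scenario_intercepted_code() -> str:
    """Attacker saw the redirect (code and state) but never had the code_verifier."""
    srv, app = AuthorizationServer(), PublicClient()
    stolen = query_of(srv.authorize(app.build_authorization_request(), user="john"))
    try:
        srv.token({"grant_type": "authorization_code", "code": stolen["code"], "client_id": CLIENT_ID,
                   "redirect_uri": REDIRECT_URI, "code_verifier": "attacker-guess"})
        return "token issued"
    except ValueError as err:
        return str(err)

def scenario_code_replay() -> str:
    """A legitimately redeemed code is presented a second time, even with the right verifier."""
    srv, verifier = AuthorizationServer(), secrets.token_urlsafe(64)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "state": "s1", "code_challenge": s256(verifier), "code_challenge_method": "S256"}
    form = {"grant_type": "authorization_code", "code": query_of(srv.authorize(params, user="john"))["code"],
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
    srv.token(form)                                     # first exchange succeeds
    try:
        srv.token(form)
        return "token issued"
    except ValueError as err:
        return str(err)
```

Note that a failed PKCE check still consumes the code (the server pops it before verifying), so a legitimate client racing the attacker cannot redeem it afterwards either; that is the intended behaviour, since a code that has reached an attacker is already compromised.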

AOP (Aspect-Oriented Programming)

AOP (Aspect-Oriented Programming)

What is AOP (Aspect-Oriented Programming)?
AOP is a programming paradigm that lets you separate cross-cutting concerns (like logging, security, transactions, etc.) from the core business logic.

What are cross-cutting concerns?
These are concerns (code) that affect multiple parts of the application but are not part of the main business logic. Examples: logging, security checks, transaction management, performance monitoring, caching, async execution.

Why use AOP?
Without AOP: you might repeat the same logging/security code in many methods, and your business logic becomes messy and harder to maintain.
With AOP: you write that cross-cutting logic once and apply it wherever needed, automatically.

Simple Example in Spring Boot
Step 1: Add the Spring AOP dependency (if not using the Spring Boot starter)
<dependency>
    <groupId>org.springframework.boot</groupId>
    ...
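Added example, not from the original post and not Spring's code: the same idea expressed in Python with a small hand-written AOP runtime (aspect, pointcut, join point, around advice, weaving), as an analogue of Spring AOP's @Aspect and @Around. The AccountService, the "teller" role and the user names are hypothetical. The business method contains no security or logging code; both concerns are woven in from outside it, and the audit aspect is registered first so it also records denied calls.

```python
import fnmatch
import functools
import time

# Constructed example: a minimal AOP runtime (aspects, glob pointcuts, around advice,
# class-level weaving). Analogue of Spring AOP's @Aspect/@Around, not Spring's code.

class JoinPoint:
    """The intercepted call; advice may inspect it and call proceed() to continue the chain."""
    def __init__(self, name, args, kwargs, next_call):
        self.name, self.args, self.kwargs, self._next = name, args, kwargs, next_call

    def proceed(self):
        return self._next(*self.args, **self.kwargs)

class Aspects:
    def __init__(self):
        self._advice = []          # (pointcut glob on qualified name, advice function)

    def around(self, pointcut):
        def register(advice):
            self._advice.append((pointcut, advice))
            return advice
        return register

    def weave(self, cls):
        """Wrap every public method of cls whose qualified name matches a pointcut."""
        for attr, func in list(vars(cls).items()):
            if attr.startswith("_") or not callable(func):
                continue
            matching = [adv for pc, adv in self._advice if fnmatch.fnmatch(func.__qualname__, pc)]
            if matching:
                setattr(cls, attr, self._chain(func, matching))
        return cls

    @staticmethod
    def _chain(func, advices):
        call = func
        for advice in reversed(advices):          # first registered advice ends up outermost
            call = (lambda adv, nxt: lambda *a, **k: adv(JoinPoint(func.__qualname__, a, k, nxt)))(advice, call)
        return functools.wraps(func)(call)

aspects = Aspects()
CONTEXT = {"user": None, "roles": set()}      # stand-in for a security context holder
AUDIT_LOG = []                                # (user, method, outcome, seconds)

@aspects.around("*Service.*")
def audit(jp):
    """Logging aspect: records who called what, the outcome and the duration."""
    start = time.perf_counter()
    try:
        result = jp.proceed()
        AUDIT_LOG.append((CONTEXT["user"], jp.name, "ok", round(time.perf_counter() - start, 6)))
        return result
    except Exception as exc:
        AUDIT_LOG.append((CONTEXT["user"], jp.name, "error:" + type(exc).__name__,
                          round(time.perf_counter() - start, 6)))
        raise

@aspects.around("AccountService.*")
def require_teller(jp):
    """Security aspect: every AccountService method needs a logged-in caller with role 'teller'."""
    if CONTEXT["user"] is None or "teller" not in CONTEXT["roles"]:
        raise PermissionError(jp.name + ": caller " + repr(CONTEXT["user"]) + " lacks role 'teller'")
    return jp.proceed()

@aspects.weave
class AccountService:
    """Pure business logic: no security or logging code inside."""
    def __init__(self):
        self.balances = {"acc-1": 100, "acc-2": 0}

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:
            raise ValueError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount
        return self.balances[dst]

def run_as(user, roles, action):
    """Execute action() as the given principal; return its result or the name of the error raised."""
    CONTEXT["user"], CONTEXT["roles"] = user, set(roles)
    try:
        return action()
    except Exception as exc:
        return type(exc).__name__
    finally:
        CONTEXT["user"], CONTEXT["roles"] = None, set()

if __name__ == "__main__":
    svc = AccountService()
    print(run_as("alice", ["teller"], lambda: svc.transfer("acc-1", "acc-2", 40)))   # 40
    print(run_as("mallory", [], lambda: svc.transfer("acc-1", "acc-2", 40)))         # PermissionError
    for entry in AUDIT_LOG:
        print(entry)
```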

Database - Topics

Topics
01. Steps in SQL Query Execution
02. How does the database create a query plan
03. How Query Plan Caching Works
04. What is the need for an execution plan?
05. How Do Queries / Query Plans Execute (Inside MySQL Server)
06. Importance of the Undo Log
07. How Row Locks Are Handled When Querying a Table Row
08. Technique to recover committed changes
09. Auditing technique
10. Query cache
11. DB connection pool
12. What is ACID?
13. Optimizing SQL queries

01. Steps in SQL Query Execution (MySQL)

Steps in SQL Query Execution (MySQL)

1. Client Sends Query to Server
The SQL statement is sent to the MySQL server over a connection (e.g., via JDBC or a query tool like MySQL Workbench).

2. Parser / Syntax Check
The parser checks the SQL syntax. If there are any syntax errors, it throws an error immediately.

3. Pre-processor
Verifies the privileges and permissions of the user executing the query. Resolves object names (like table or column aliases).

4. Query Optimization
The optimizer evaluates multiple strategies to execute the query. It considers: which indexes to use; the join order (for multi-table queries); whether to use temporary tables; the cost of different execution paths. The optimizer selects the plan it estimates to be cheapest (in memory, CPU, I/O, etc.).

5. Query Execution Plan (the most cost-effective query plan)
The query plan is a blueprint of how MySQL will fetch the data. You can view it by putting the EXPLAIN keyword in front of your query.

6. Query Execution
The storage e...

02. How does the database create a query plan

How does the database create a query plan?

01. MySQL (and most RDBMS): Execution Plan Selection is Based on Cost Estimation
How it works: The query is parsed and analyzed. The query optimizer considers the possible execution plans (e.g., index scan, full table scan, different join orders). It does NOT run the plans; instead, it uses statistics (such as row count, index selectivity, table size) to estimate the cost of each plan. The lowest-cost plan is chosen and executed.
Example: SELECT * FROM orders WHERE customer_id = 123
MySQL checks: Is there an index on `customer_id`? How many rows match `customer_id = 123` (using index statistics)? What is the estimated disk I/O and CPU cost? It chooses the plan with the lowest estimated cost, not the proven fastest. A practical consequence: when the statistics are stale, the estimate is wrong and the chosen plan can be slow even though a better one exists, which is why refreshing them (ANALYZE TABLE in MySQL) is part of query tuning.

02. MongoDB: Execution Plan Selection is Based on Trial Execution
How it works: MongoDB generates several candidate plans. It actually runs each plan for a short time, like a "mini test drive" (actually each plan is running f...
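Added example, not from the original post, illustrating both the execution steps above and the cost-based plan choice: Python's bundled sqlite3 module stands in for MySQL so it runs offline. SQLite's EXPLAIN QUERY PLAN plays the role of MySQL's EXPLAIN, and ANALYZE fills sqlite_stat1 with the statistics the cost-based planner reads. syntax_check, query_plan and planner_statistics map to steps 2, 5 and 4 respectively, and compare_plans() shows the same WHERE clause getting a full scan, an index search and a covering-index search as the available indexes change. The table, its rows and the index name are constructed, and the wording of the plan lines is SQLite's, not MySQL's.

```python
import sqlite3

# Constructed example: SQLite (Python's bundled sqlite3 module) stands in for MySQL.
# EXPLAIN QUERY PLAN plays the role of MySQL's EXPLAIN; ANALYZE fills sqlite_stat1 with
# the statistics the cost-based planner reads. Table, rows and index name are made up.


def fresh_db(rows: int = 2000) -> sqlite3.Connection:
    """200 distinct customers, rows/200 orders each, so customer_id is fairly selective."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, amount INTEGER)")
    con.executemany("INSERT INTO orders (customer_id, amount) VALUES (?, ?)",
                    [(i % 200, (i * 7) % 500) for i in range(rows)])
    return con


def syntax_check(con: sqlite3.Connection, sql: str) -> str:
    """Step 2 (parser): a malformed statement is rejected before anything is planned or run."""
    try:
        con.execute(sql)
        return "parsed"
    except sqlite3.OperationalError as err:
        return str(err)


def query_plan(con: sqlite3.Connection, sql: str) -> list:
    """Step 5: the access path the planner chose, obtained without executing the query."""
    return [row[3] for row in con.execute("EXPLAIN QUERY PLAN " + sql)]


def planner_statistics(con: sqlite3.Connection) -> list:
    """Step 4 input: (table, index, 'total_rows avg_rows_per_distinct_key') rows written by ANALYZE."""
    con.execute("ANALYZE")
    return con.execute("SELECT tbl, idx, stat FROM sqlite_stat1 ORDER BY idx").fetchall()


def compare_plans() -> dict:
    """Same lookup, three plans: full scan, index search, covering-index search."""
    con = fresh_db()
    lookup = "SELECT * FROM orders WHERE customer_id = 123"
    plans = {"without_index": query_plan(con, lookup)}
    con.execute("CREATE INDEX idx_orders_customer ON orders (customer_id)")
    plans["with_index"] = query_plan(con, lookup)
    # Only an indexed column is requested: the planner can answer from the index alone.
    plans["covering"] = query_plan(con, "SELECT customer_id FROM orders WHERE customer_id = 123")
    plans["stats"] = planner_statistics(con)
    return plans


if __name__ == "__main__":
    db = fresh_db(10)
    print(syntax_check(db, "SELEC * FROM orders"))       # parser error, nothing executed
    for key, value in compare_plans().items():
        print(key, value)
```

The stats row for idx_orders_customer reads "2000 10": 2000 rows in total, about 10 per distinct customer_id. That ratio is the selectivity figure the text refers to; an index on a column with only two distinct values would show "2000 1000" and the planner might reasonably prefer the scan.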