That is very well explained, I have been trying to understand Grant Flows for a long time but couldn't find anything concrete, but your video gives me a clear picture about the same. Thank you so much for such detailed explanations.
Hi Sir, great video! I have a question, all the sensitive information(client id, client secret, username, password) is sent via query parameters, how is security ensured so that these information is not stolen? Thanks in advance!
Recently I bought your LLD course from Udemy .The effort is awesome but the thing is some video's are in Hindi its hard to understand since I am from south. Please make upcoming videos in English so that everyone can make use of it.Thanks shreyansh.
Hey Shreyansh, Do you have any plan to create a video on fetching thread dump and analysing it for debugging purposes ? Please reply if you see this. I have asked multiple things on different videos but unfortunately could not get reply to any.
When there is inter service communication, like Order service calls Delivery service, how OAuth is implemented? What would be resource owner, authentication server and all? This video very well explains OAuth and helped me to understand OAuth . Thank you!
Hi Shrayansh, I think there is some mistake in the CSRF attack workflow here. When Insta sends request to the resource server with authorization_code (of the attacker), redirect_uri, id and secret the resource server after validation of the code sends the response with the requested data to the redirect_url (which is insta’s uri because this is what was present in the request) not the attacker. Just with the authorization code of the attacker, there is no way for the resource server to send the data to the attacker.
@shrayansh, in Authorization code grant, fetch token call is authorised by authorization code we provide as parameter, and in ROPC, i saw the POST/token request is authorised by user name and password, and in implicit Grant, the get/authorise is authorised by state variable and like that in Client Credentials grant, i see no parameter is passed in GET/token call, so my question is how this request call gets authorised? is it only using client id and secret? is it safe compared to other mechanisms?
Hi Shreyansh In CSRF attack attacker can know my state value as it's passed in request param if he intercepts my request he will get access to it as well right?
Hello Shreyansh, Regarding the authorization & token request, video mentions to include the redirect URI in the query parameter. Typically, for each REST API POST call, we expect a response. Could you clarify whether the authorization code will be included in the REST API call response, or if it will be sent separately by the authorization server via a webhook call to the client's redirect URI? If it is indeed a webhook call, does the client also need to expose an endpoint to receive the authorization code? I'm curious about the industry standard in this context.
The authorization code is included in the redirect URI as a query parameter in the response to the authorization request. The client needs to expose an endpoint (the redirect URI) to receive and handle the authorization code. There is no industry standard for delivering the authorization code via webhook; it's typically delivered directly to the client's specified redirect URI I would say, this is generally for security purpose.
Hello Shreyansh, I have been following since more than a year now, I have been binge watching your videos earlier even when I wasn't interviewing, a few months back I had some health issue and I had to take break from my work, now I am preparing for interviews and I am trying to watch your playlist, few videos are member only, and you also have a course on udemy, so my question is, Is your course on udemy and the playlist on youtube(with membership) any different or they both are same ? If not same what are the differences? Regards.
Hey Shrayansh, posting 1 question related to LLD / HLD interview. 1. How are we supposed to create those block diagrams and demonstrate during interview? Asking as I can see interviewee is using some software in one of the mock interviews you took which might not be possible for others. 2. Also does it depend oncompany to company whether they will select an interviewee when he was unable to submit working code though was able to convey uml diagram?
Nice video. 1 question. For /authorization api why we are using GET request ? What if Gmail want to create/update entry at their side to make sure who has asked for code/token then it should be POST request right ?
nice catch Tejas. i think this design choice might be done because of simplicity or ease of integration. But you know, this do post the security issues (usage of GET call) . So thats why Authorization code grant type with PKCE is nowadays recommended which try to mitigate this exposure of authorization code in previous GET call. i think i should cover that too.
you videos made LLD and HLD so simple for me !!
That is very well explained, I have been trying to understand Grant Flows for a long time but couldn't find anything concrete, but your video gives me a clear picture about the same. Thank you so much for such detailed explanations.
Great. Thank you for the Clear and Simple Explanation
very well exlained , really good content ..... thanks sir !!!!!
Best explanation ever on OAuth❤❤
noone can explain Oauth like you
Congrats on your 100k Subscribers...
Waiting for Spring Boot videos as covered all the topics of Java and LLD, currently going through HLD
very well explained.......awsome!!!
Hi Sir, great video! I have a question, all the sensitive information(client id, client secret, username, password) is sent via query parameters, how is security ensured so that these information is not stolen? Thanks in advance!
Recently I bought your LLD course from Udemy .The effort is awesome but the thing is some video's are in Hindi its hard to understand since I am from south. Please make upcoming videos in English so that everyone can make use of it.Thanks shreyansh.
sure
For csrf, google could issue token only if the client that is requesting the token is matching with the client id that the code was given to
exactly what I was thinking. they could even use the client secret too in the matching.
Hey Shreyansh,
Do you have any plan to create a video on fetching thread dump and analysing it for debugging purposes ?
Please reply if you see this. I have asked multiple things on different videos but unfortunately could not get reply to any.
When there is inter service communication, like Order service calls Delivery service, how OAuth is implemented? What would be resource owner, authentication server and all?
This video very well explains OAuth and helped me to understand OAuth . Thank you!
Hey shreyansh , how many videos are pending for the hld playlist?
Hi Shrayansh, I think there is some mistake in the CSRF attack workflow here. When Insta sends request to the resource server with authorization_code (of the attacker), redirect_uri, id and secret the resource server after validation of the code sends the response with the requested data to the redirect_url (which is insta’s uri because this is what was present in the request) not the attacker. Just with the authorization code of the attacker, there is no way for the resource server to send the data to the attacker.
Hello bhaiya. I have one query. Should i have to pay monthly if i join the membership.
Amazing Video..Can you explain about openId connect and how it is related to oauth?
eagerly waiting for the Springboot implementation !
yea
@shrayansh, in Authorization code grant, fetch token call is authorised by authorization code we provide as parameter, and in ROPC, i saw the POST/token request is authorised by user name and password, and in implicit Grant, the get/authorise is authorised by state variable and like that in Client Credentials grant, i see no parameter is passed in GET/token call, so my question is how this request call gets authorised? is it only using client id and secret? is it safe compared to other mechanisms?
Eagerly Waiting for JWT video, as well as Spring boot implementation for O-AUTH as well as JWT from you.
ack
Hi Shreyansh In CSRF attack attacker can know my state value as it's passed in request param if he intercepts my request he will get access to it as well right?
Hello Shreyansh,
Regarding the authorization & token request, video mentions to include the redirect URI in the query parameter. Typically, for each REST API POST call, we expect a response. Could you clarify whether the authorization code will be included in the REST API call response, or if it will be sent separately by the authorization server via a webhook call to the client's redirect URI? If it is indeed a webhook call, does the client also need to expose an endpoint to receive the authorization code? I'm curious about the industry standard in this context.
The authorization code is included in the redirect URI as a query parameter in the response to the authorization request.
The client needs to expose an endpoint (the redirect URI) to receive and handle the authorization code.
There is no industry standard for delivering the authorization code via webhook; it's typically delivered directly to the client's specified redirect URI
I would say, this is generally for security purpose.
great
Hello Shreyansh, I have been following since more than a year now, I have been binge watching your videos earlier even when I wasn't interviewing, a few months back I had some health issue and I had to take break from my work, now I am preparing for interviews and I am trying to watch your playlist, few videos are member only, and you also have a course on udemy, so my question is, Is your course on udemy and the playlist on youtube(with membership) any different or they both are same ? If not same what are the differences? Regards.
its same just for engineers who prefer udemy over youtube.
👍👍
Hey Shrayansh, posting 1 question related to LLD / HLD interview.
1. How are we supposed to create those block diagrams and demonstrate during interview? Asking as I can see interviewee is using some software in one of the mock interviews you took which might not be possible for others.
2. Also does it depend oncompany to company whether they will select an interviewee when he was unable to submit working code though was able to convey uml diagram?
I too have the same doubt.
Nice video. 1 question. For /authorization api why we are using GET request ? What if Gmail want to create/update entry at their side to make sure who has asked for code/token then it should be POST request right ?
nice catch Tejas.
i think this design choice might be done because of simplicity or ease of integration.
But you know, this do post the security issues (usage of GET call) .
So thats why Authorization code grant type with PKCE is nowadays recommended which try to mitigate this exposure of authorization code in previous GET call.
i think i should cover that too.
@@ConceptandCoding Sure sir. Thank you for the explanation.
Hi shreyansh,
Can you please suggest some books which u follow for learning these cool backend technology.
generally i go with official documentation buddy
when can we expect spring boot series ?
by this month i will share the roadmap, thats my plan
Can you cover use cases of each grant type
It is possible to get this note?
will add it by EOD
@@ConceptandCoding ok thanks
Can you also make it for Azure AD Oauth?
noted
@@ConceptandCoding what is difference btw authorization and authentication?
I doubt what you taught, can you please share resources I can refer to and verify 🙏
pls check original documentation of OAuth2.0 RFC
Hi is it possible for you to add gpay payment option for your course. please
i think in mobile app you will get that
@@ConceptandCoding payment is falling for all options
@@ConceptandCoding tried Gpay on app, credit card also, it's failing
notes link please ?
@Shreyansh please share notes🙏
sorry i was out this weekend, will do it tomm for sure
notebook.zohopublic.in/public/notes/bietv949cfd82a5804e0ea1d18400d3ff6fa3
Thankyou shreyansh
I am working in a fortune 20 company and everywhere they have implemented implicit grant 😂
where are the notes...references..
oops my bad, will add the notes link in description section by EOD
@@ConceptandCodingpls add bro
Thompson Sarah Young David Miller Angela
AK din ke liye videos free kar do na vaiya
done buddy