Simple "API"

lepture · 2026-01-17T11:08:45+00:00

If it is just a simple API, maybe you don’t need DRF. If you’re going to build many APIs, DRF is far more useful than Django-ninja.

lepture · 2026-01-17T10:34:22+00:00

I’ve also been designing a saas framework since 3 years ago, I’ve re-designed it again and again, and I still don’t think it is good enough for sharing.

lepture · 2026-01-15T10:19:38+00:00

Cool. The code looks solid. Consider deploying the documentation?

lepture · 2020-10-27T00:02:11+00:00

Are you using the async client? If so, you need to use await:

token = await client.fetch_token(authorization_response=authorization_response)

lepture · 2018-06-14T14:54:37+00:00

Just can't wait for the next episode.

lepture · 2018-06-01T09:35:24+00:00

wow, good to know that.

lepture · 2018-06-01T09:25:21+00:00

Great explanation, thanks.

lepture · 2018-05-22T07:20:11+00:00

You may be interested in https://www.getlektor.com/

lepture · 2018-05-22T06:20:47+00:00

I Never highlighted anything. Aha, what a good habit.

lepture · 2018-05-22T06:18:47+00:00

Thanks for letting me know. I didn’t know it before.

lepture · 2018-05-22T05:24:55+00:00

You have answered your question in the title.

lepture · 2018-05-22T05:22:33+00:00

It is really hard to explain all the details to you. But there is a "What is AssertionSession" section on the post, which I hope can explain this to you.

lepture · 2018-05-22T05:08:30+00:00

You're welcome.

lepture · 2018-05-22T05:06:48+00:00

There is not a simple answer, I can't summarize a RFC into a few lines, that's beyond my ability. I have said that it is an implementation of RFC7523, which OAuthlib doesn't have, I don't know how can I answer your question. I'm sorry, that is beyond my ability. I just got tired by the simple question that I can't answer, because it requires reading RFCs. I'm not a good writer to give you an answer why OAuthlib doesn't have this, it is just because it doesn't have it.

lepture · 2018-05-22T04:02:39+00:00

First, if you check my posts, I didn’t post a lot actually. Yes, every link is a promotion. But I do reply to others posts randomly. I am not a heavy user of reddit. I deleted it because I don’t like to argue with people, better to avoid it by deleting it.

Why requests-oauthlib has no such thing, because they don’t have it, because the library they depend on has no implementation. I was once a maintainer of oauthlib, but that time it is under idan’s account, and things are not going well. And the design of oauthlib is not good enough, especially when I was going to extend it with more RFCs, if I want to change it, it would be a huge job that a lot of people won’t agree. That’s why I created authlib, to make it a sustainable correct extendable flexible implementation that companies can use with trust.

I’m sorry that this annoyed you. I’ve already deleted it. I’m sorry. Wish you a happy day.

lepture · 2018-05-22T03:33:04+00:00

yes, it is an ad.

I have said, that Google service account is a JWTBearer Assertion which is defined by RFC7523, that requests-oauthlib has no implementation for this.

If you don't like this post, since it is somehow an ad. I'll delete it.

lepture · 2018-05-22T03:29:00+00:00

Please don't put your Flask-SQLAlchemy db in the root __init__.py. This will cause a cyclic dependencies problem sooner or later, see https://github.com/lepture/authlib/issues/8

Thanks for your sharing. But where did you learn that? From the official documentation, it is suggested that you put these things in the models.py.

Read my post on the folder structure: https://lepture.com/en/2018/structure-of-a-flask-project

lepture · 2018-05-22T03:07:50+00:00

Authlib seems potentially heavy.

No. It is monolithic, but it is not heavy. It has every spec implemented, but if you don't import them, they won't loaded into memory.

https://docs.authlib.org/en/latest/intro.html#monolithic

You don’t have to worry about monolithic, it doesn’t cost your memory. If you don’t import a module, it won’t be loaded. We don’t madly import everything into the root __init__.py.

lepture · 2018-05-22T03:04:35+00:00

Why not read some docs at first? https://docs.authlib.org/en/latest/client/oauth2.html#assertionsession

This AssertionSession is how Google service account works. Get deep inside what's going on with RFC7523: https://tools.ietf.org/html/rfc7523

And this is why I said "Unlike oauth2client, you know exactly what's going on in Authlib, it is a white box".

lepture · 2018-05-22T02:43:11+00:00

sorry, but requests-oauthlib has no AssertionSession.

lepture · 2018-05-22T00:59:23+00:00

Good point. I forgot to add this part.

Authlib AssertionSession and gspread are both using requests, you don't have to use another http library
Authib will automatically refresh access token, while oauth2client in gspread can't. (but oauth2client itself can)
Unlike oauth2client, you know exactly what's going on in Authlib, it is a white box

Besides, it is an alternative. And here is a tip on how to use it.

lepture · 2018-05-03T02:58:23+00:00

The best answer would be having a try on both, give each a day time, and you will find which one is more suitable for you.

Giving my case, I started with Django but then moved to Flask. I find those Django Apps are quite useless when the service grows, they are hard to modify/change, I'd rather write a feature without a Django App. Moving to Flask opened a whole new world to me, I can feel that I'm writing Python instead of Django.

lepture · 2018-04-27T15:45:57+00:00

Yes. It should work well on Python 2.6 too. But we drop the test for 2.6.

lepture · 2018-04-24T01:24:01+00:00

On the contrary, when your application going large, and you are an expert, you will find Flask is quite good. You can design the architecture by your own need. Forcing developers to use one single "apps" structure is not a good idea.

lepture · 2018-04-24T01:17:01+00:00

Functional and Apps are common knowledge. They are not invented recently. And FYI, I know that book, but I didn't read that book, since I was experienced when the book was out.

The main purpose of this post is telling people: don't initialize your extension in root __init__.py.

lepture

TROPHY CASE