For example, validate_authorization_request and create_authorization_response pass around a thing that the code samples seem to call credentials, and which https://oauthlib.readthedocs.org/en/latest/oauth2/endpoints/authorization.html describes as a dictionary with four keys. It actually has five (including request, the value of which is not JSON-able).

For a very security-sensitive library, guessing at the correct values to pass around here based on examples on stackoverflow feels very wrong.