I use the WebApplication client and in prepare_request_body I noticed the client_id parameter is never used. However self.client_id is always passed down to prepare_token_request and thus always included in the body.

An unused parameter doesn't look good but maybe this is intended, I've only quickly read the RFC 6749. If this is the case it should at least be stated in the docstring.

The server here (I guess OpenAM) rejects queries when they contain the client_id in the body.