I found a regression in master when used with requests/requests-oauthlib since #495 has been merged. It's related to authorization grant/web application only.

Basic usage of requests-oauthlib is :

sess = OAuth2Session(client_id)
token = sess.fetch_token(token_url, client_secret=client_secret, authorization_response=request.url)

However, since the changes, client_id of the session is ignored. I think #505 fixed an use-case but broke another one. We should find a win-win solution.

requests-oauthlib code call at https://github.com/requests/requests-oauthlib/blob/master/requests_oauthlib/oauth2_session.py#L196-L198 and oauthlib issue here
https://github.com/oauthlib/oauthlib/blame/master/oauthlib/oauth2/rfc6749/clients/web_application.py#L128.