When selecting Token Endpoint Auth Method="none" a client secret is still issued. According to the documentation nonemeans that the client is public and has no secret.

Once the issue is solved,

Endpoint

@bp.route('/oauth/token', methods=['POST']) def issue_token(): return authorization.create_token_response()

does not work with grant password. But If I pass within the body client_id it works. However, according to RFC6749 the body should only contain grant_type, username, password and scope

I might have missed something...
Btw, Should I public client have its own id?