Since last 3.0.0 attempt, time has past and a couple of PRs have been integrated since #512, I suggest to open a new issue.

This release contains new features, bug fixes, and breaking changes due to errors in RFC understanding.

OAuth2.0 Provider - New features (full feature list):

• OpenID Connect Core support
• RFC7662 Introspect support
• RFC8414 OAuth2.0 Authorization Server Metadata support (Initial OAuth Authorization Server Metadata RFC8414 #605)
• RFC7636 PKCE support (Initial OAuth2.0/PKCE Provider support #617 Preconf server metadata #624)

OAuth2.0 Provider - Bugfixes / Changes:

• Add request to confirm_redirect_uri Request object not given to confirm_redirect_uri #504
• Changed errors status code from 401 to 400:
  • invalid_grant: Invalid HTTP statuses on error response #264
  • invalid_scope: invalid_scope status code should be 400 #620
  • access_denied/unauthorized_client/consent_required/login_required Handle 401 with WWW-Authenticate. Moved wrong 401 into 400. #623
  • 401 must have WWW-Authenticate HTTP Header set. Handle 401 with WWW-Authenticate. Moved wrong 401 into 400. #623
• confirm_redirect_uri/get_default_redirect_uri has a bit changed confirm_redirect_uri does not get the default redirect URI #445
• empty scopes no longer raise exceptions for implicit and authorization_code Remove check on empty scopes for implicit grant flow #475 / scope is optional in code response_type? #406
• invalid_client is now a FatalError OAuth2 invalid_client error must be a Fatal error. #606

OAuth2.0 Client - Bugfixes / Changes:

• expires_in in Implicit flow is now an integer expires_in must be an integer, not a string in IMPLICIT #569
• expires is no longer overriding expires_in Remove special treatment of nonstandard "expires" parameter  #506
• parse_request_uri_response is now required Add missing NotImplementedError #499
• Unknown error=xxx raised by OAuth2 providers was not understood fetch_token doesn't handle application-specific OAuth2 errors #431
• New argument include_client_id of prepare_request_body Client web application does no longer send client_id #585 / wait for support for client_id and oauthlib PR #593 (Issue #585) requests/requests-oauthlib#331

OAuth1.0 Client:

• Support for HMAC-SHA256 Add support for HMAC-SHA256 (builds on PR#388) #498

General fixes:

• $ and ' are allowed to be unencoded in query strings $ and ' are allowed to be unencoded in query strings #564
• Request attributes are no longer overriden by HTTP Headers Headers parsing during Request creation #409
• Removed unnecessary code for handling python2.6
• Add support of python3.7 Support for Python 3.7 #621

Full list of issues: https://github.com/oauthlib/oauthlib/issues?utf8=%E2%9C%93&q=is%3Aissue+sort%3Aupdated-desc+milestone%3A3.0.0+
Full list of PR: https://github.com/oauthlib/oauthlib/pulls?utf8=%E2%9C%93&q=is%3Apr+sort%3Aupdated-desc+milestone%3A3.0.0+