I never bothered to finish it back in 2010 since everyone seemed quite content with OAuth 2.0 at that time. However, now that it has been posted, I would love to know if anyone would like to see a completed version.
[Edit: Also, any criticisms of what's already there and thoughts on anything else you feel should be included would be really appreciated. Thanks!]
Maybe contact the developer behind flask-oauthprovider  (oauth 1). I see you have some flask-sqlalchemy type snippets in there.
The only real problem with 1.0 is the difficulty of implementing it correctly and later debugging it when things go wrong (aka, the infamous generic "Invalid Signature" errors). In my mind, it would go a long way if generating a signature was based on a random nonce (say 16 bytes) + client id + client secret + access token.
The only hard suggestion I have is to fork the the client management part to to an extension standard draft. The Hypermedia zealots are going to have a fit when they see `action: "delete"`. Leave that discussion for later and get the rest out the door.
The only problem that OAuth really solves is coming up with some way for a third party to get an arbitrary set of revocable credentials that authenticate the (user, app) pair instead of just having every app use user credentials directly (because that's a phishing hazard). All we need is a standardized mechanism for getting those credentials, and then we can all continue to use Basic and Digest authentication over HTTPS.
OAuth 2.0 almost does that. It actually allows it, but it just has a little too much extra cruft. If you strip out refresh tokens, replace Bearer and MAC authentication with Basic and Digest authentication, mandate HTTPS, and add a couple of qop-options to the WWW-Authenticate header on the 401 response (see RFC 2617) that identify the authorization and token endpoints, you'd have a working standard, and it would be childsplay for anyone to implement it.
EDIT: So the 401 response would looks something like:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="foo", oauth2_auth="<URI>", oauth2_token="<URI>"
They serve different purposes; Persona is about authentication, OAuth _may_ be used for authentication but its original purpose is authorization - letting websites and applications access your content from other sites (e.g. letting an application post Tweets in your name) without giving them your password.
Or a different question, would it be possible to craft OAuth 3 in a way that it works great alongside BrowserID?