On second thoughts, after reading past emails on python-oauth2 in this group, it sounds like django-oauth-plus needs a RC bug to use python-oauthlib instead of python-oauth2. Will open such a bug now.
Just opened the following list of bugs:
Bug #758386 [src:django-oauth-plus] depends on insecure and unmaintained python-oauth2
Bug #758387 [src:djangorestframework] depends on insecure and unmaintained python-oauth2
Bug #758388 [src:python-django-social-auth] depends on insecure and unmaintained python-oauth2
Bug #758389 [src:turses] depends on insecure and unmaintained python-oauth2
--