OAuth 2 does have an equivalent to 2-legged, '
Service Accounts'
I have successfully used an oauth service account with some apis (notably email settings, email migration, and gmail imap) but I have not gotten it to work with the read-only provisioning api (the scope with #readonly in it is rejected by the token endpoint).
Some python test code can be found
here. some fields need to be filled in at the top, and the service account's private key must be in the working directory when you run the script.
The client ID in the code is the service account's 'email address', with an @, but the thing the domain admin puts in their control panel is the client id without @'s