secure oauth2 token set-up, storage & refresh for CLI tools


Tony M

Nov 22, 2024, 1:19:03 PM
to golang-nuts
Is there a library or reference implementation for oauth token set-up, storage & refresh in golang? For example, my implementation is similar to the send-gmail tool by Google (transforms sendmail CLI to gmail smtp requests, authenticated with oauth): https://github.com/google/gmail-oauth2-tools/blob/master/go/sendgmail/main.go . Many CLI apps depend on a similar flow, e.g. rclone.

See setupToken(), sendMessage(), start(), Next(), etc., which illustrate the kludge needed for token set-up, storage, refresh.

Are there libraries or storage frameworks, possibly leveraging TPM, that could secure these critical credentials and reduce the boilerplate? 

Specific OAuth2 Pain Points
  • P0 token set-up, i.e. setting up oauth config json, converting to an oauth HTTP request, listening for the callback & oauth token/code.
  • P1 automated oauth config generation, i.e. calling Google Cloud console API to generate the oauth consent screen & config json. CLI apps suffer from this 15 minute manual process.
  • P0 secure token storage, ideally with encryption, even better using TPM. It should be in a standard location so users don't have dozens of privileged tokens all over their home directory.
  • P2 token refresh -- this seems to be handled by "golang.org/x/oauth2/google" / TokenSource.
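An added example for the secure token storage point in the post above (not code from the post or from sendgmail): it keeps the token JSON in one owner-only file, written atomically, and refuses to load a file that other users can access or that is not a regular file. `SaveToken`, `LoadToken` and the `example-cli` path are hypothetical names; the example assumes POSIX permission bits, a path rooted at `os.UserConfigDir()` in real use, and a `*oauth2.Token` as the value, and it does not encrypt or use a TPM.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// SaveToken (hypothetical helper) writes tok as JSON via a 0600 temp file and an atomic rename.
func SaveToken(path string, tok any) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), ".token-*") // created with mode 0600
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	werr := json.NewEncoder(tmp).Encode(tok)
	if cerr := tmp.Close(); werr != nil || cerr != nil {
		return errors.Join(werr, cerr)
	}
	return os.Rename(tmp.Name(), path)
}

// LoadToken (hypothetical helper) rejects symlinks and files with any group/other permission bit.
func LoadToken(path string, tok any) error {
	fi, err := os.Lstat(path)
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() || fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("%s: mode %v, want a regular file with mode 0600", path, fi.Mode())
	}
	b, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, tok)
}

func main() {
	dir, _ := os.MkdirTemp("", "tokdemo") // assumption: real tools start from os.UserConfigDir()
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "example-cli", "token.json")
	tok := map[string]string{"refresh_token": "constructed-value"} // constructed sample token
	fmt.Println(SaveToken(p, tok), LoadToken(p, &tok), tok)
}
```

Because both helpers take `any`, a `*oauth2.Token` from `golang.org/x/oauth2` can be passed as-is, and calling `SaveToken` after each refresh keeps the stored refresh token current.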