google / gmail-oauth2-tools

Tools and sample code for authenticating to Gmail with OAuth2
Apache License 2.0

sendgmail: consider using localhost to get the oauth2 token #68

Closed favonia closed 10 months ago

favonia commented 10 months ago

I propose setting up a local HTTP server to grab the OAuth2 authorization token directly (instead of going through https://oauth2.dance). There are a few reasons:

  1. No more copy-pasting is needed for the token.
  2. The domain registrar oauth2.dance is not Google (though maybe it was) and I prefer not to trust one more company.
  3. It is trivial to set up an ephemeral HTTP server in Go.
  4. The change will slightly simplify the procedure to obtain a new client ID.

I understand that many non-Google OAuth2 services seem to have issues with HTTP even for localhost, and there are security concerns when you don't trust all the local programs (e.g., Android), but none of these concerns seem to apply to the primary use case of sendgmail.

Related issue: #49 (OOB no longer works)

junyer commented 10 months ago

I looked into doing this about a year ago when I was getting the OAuth2 dance working again. The showstopper was not code complexity, but the requirement to support the browser being on another machine. My (extremely) layman's understanding is that using PKCE suffices to mitigate the risk if oauth2.dance gets hijacked.
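Added example (not code from gmail-oauth2-tools or from either commenter) of the two mechanisms discussed above: the ephemeral loopback HTTP server favonia proposes for receiving the authorization code, and the PKCE code_challenge junyer mentions as the mitigation for a hijacked redirect target. Assumptions: Google's authorization endpoint `https://accounts.google.com/o/oauth2/v2/auth`, a loopback-IP redirect of the form `http://127.0.0.1:<port>/` (RFC 8252 section 7.3, which Google accepts for desktop client IDs), a hypothetical client ID, and the full-Gmail scope `https://mail.google.com/` as the scope sendgmail would request. The token exchange (POSTing the code together with `code_verifier` to the token endpoint) is deliberately left out, since it needs network access; everything below runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// S256Challenge is BASE64URL(SHA256(ASCII(verifier))) without padding (RFC 7636).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// RandToken returns n random bytes as unpadded base64url, i.e. only the unreserved
// characters a PKCE verifier or a state value may contain (32 bytes -> 43 chars).
func RandToken(n int) (string, error) {
	raw := make([]byte, n)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// AuthURL builds the authorization request; only the challenge goes through the browser.
func AuthURL(clientID, redirectURI, scope, state, challenge string) string {
	q := url.Values{
		"client_id": {clientID}, "redirect_uri": {redirectURI}, "response_type": {"code"},
		"scope": {scope}, "state": {state}, "code_challenge": {challenge}, "code_challenge_method": {"S256"},
	}
	return "https://accounts.google.com/o/oauth2/v2/auth?" + q.Encode()
}

// ParseCallback checks a redirect's query: matching state, no server error, a non-empty code.
func ParseCallback(want string, q url.Values) (string, error) {
	if q.Get("state") != want {
		return "", errors.New("state mismatch: redirect is not for our request")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization server returned %q", e)
	}
	if code := q.Get("code"); code != "" {
		return code, nil
	}
	return "", errors.New("redirect carried no authorization code")
}

// WaitForCode listens on an ephemeral loopback port and returns the redirect URI to put in
// the authorization request plus a function that blocks until the browser delivers our state.
func WaitForCode(state string, timeout time.Duration) (string, func() (string, error), error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	ch := make(chan url.Values, 1)
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("state") != state {
			http.Error(w, "unexpected state", http.StatusBadRequest)
			return // stray request on our port: reject it and keep waiting
		}
		fmt.Fprintln(w, "Response received; you can close this tab.")
		select { // first redirect carrying our state wins; later ones are dropped
		case ch <- q:
		default:
		}
	}))
	wait := func() (string, error) {
		defer ln.Close()
		select {
		case q := <-ch:
			return ParseCallback(state, q)
		case <-time.After(timeout):
			return "", errors.New("timed out waiting for the browser redirect")
		}
	}
	return fmt.Sprintf("http://%s/", ln.Addr()), wait, nil
}

func main() {
	verifier, _ := RandToken(32) // stays in this process; only its hash is sent
	challenge := S256Challenge(verifier)
	state, _ := RandToken(16)
	redirectURI, wait, err := WaitForCode(state, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	// Hypothetical client ID; the full-Gmail scope is an assumption about what sendgmail needs.
	fmt.Println("Open in a browser on this machine:", AuthURL("YOUR_CLIENT_ID.apps.googleusercontent.com", redirectURI, "https://mail.google.com/", state, challenge))
	code, err := wait()
	if err != nil {
		panic(err)
	}
	fmt.Println("authorization code:", code, "(exchange it together with code_verifier:", verifier+")")
}
```

Two design points worth noting. The listener binds 127.0.0.1 only, so the browser has to run on the same machine, which is exactly the limitation junyer raises; a remote browser would need the out-of-band paste step back. And the PKCE verifier never leaves the process: if the redirect were observed by a third party, the code alone is useless at the token endpoint without the verifier, whereas the `state` check only rejects redirects that were not triggered by this run.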

favonia commented 10 months ago

@junyer Thanks for the information. I was not aware that we need to support the browser on another machine...