I have been using the existing oauth2.el and auth-source.el to use both
gmail and outlook (through my university) with oauth2 for several years
now (I posted a bit about it some time ago on the devel list). I
didn't need to change much to get it to work so I thought as long as the
changes by Xiyue are being considered (all of which look good to me) I
would chime in. I'm happy to provide more info about my setup and usage
if anyone is interested.

Firstly, I note that I have gmail working fine without the change in
patchset 2 (although I see nothing wrong with the change, I wonder why
it isn't necessary for me but is for Xiyue).

Secondly, there is one other important change that I have been using
which should probably be added to oauth2.el (I communicated the change
to Julien a long time ago, but he said he is no longer actively
maintaining oauth2.el): in refreshing the token the access-response is
ignored (as is the response-error). The access-response contains
information about the token expiration so its needed in order to control
when to fetch a new token. The simple patch below stores the
access-response in the appropriate slot in the token: