OAuth2 ideas?

At my work we have to use Microsoft’s OAuth2 for authentication to be able to receive and send emails. I managed to get things working with offlineimap and msmtp, but the refresh token is stored in a very insecure way (it was a quick-and-dirty solution!).
I wonder if there is a (relatively simple) way to do something like ‘split OAuth2’, where the access and refresh tokens are stored in an offline VM.
My search in the forum did not seem to find much related to this.
Any ideas or suggestions?