Как спроектировать auth service с OAuth2 на Go?

Endpoints: /authorize, /token, /userinfo. Flows: authorization code (web), PKCE (SPA/mobile), client credentials (service-to-service). JWT access token (short-lived, 15min), refresh token (long-lived, в БД). Token introspection для resource servers. Session storage: Redis. Password hashing: bcrypt/argon2. Rate limiting на login. MFA: TOTP через Google Authenticator.