I managed to set up OAuth2 login using passport-oauth2.

In the verify function, I receive an accessToken and a refreshToken. (Equivalent to token and tokenSecret in other examples.)

                verify: function(accessToken, refreshToken, profile, done) {
                    done(null, { username: "Admin"});
                }

What is the best way to make this info available to running flows? I need the access token to make further API requests on a REST api that the authenticating service provides.

Should I just save it to a json file on disk?

I'm not using OAuth2 but I also get authentication tokens from another authentication service and I'm saving/retreiving them from the flow context along with their expirancy date.
You can probably do the same with your OAuth2 tokens.

@Barbudor Thanks, but the verify function is defined in settings.js, not in a flow. The question is, how do I transfer the tokens into the active runtime from code running under settings.js.

See this example: Securing Node-RED : Node-RED

Ah ok.
Still, it may be possible that the context functions are available in settings.js.
May be you can try a global.set("token", token) in your verify function ?