Where to Store Token Auth?
Your assessments are pretty close, but you've got some glaring errors I'd like to bring up.
Custom Settings / No Encryption?
You can encrypt the token using the Crypto class if you need to. Just because it doesn't support the Text (Encrypted) data type doesn't mean it's impossible.
Custom Metadata Type / Requires Query
In addition to the same comment about Custom Settings, Custom Metadata does require a query, but these queries do not count against governor limits at all (SOQL row/query limits do not increment). The major con that you missed, though, is that you cannot update a Custom Metadata entry via Apex Code directly, but instead have to leverage a metadata API call instead. This makes it non-trivial to implement in Apex Code/Visualforce/Lightning because of the extra hoops for simply storing a token.
No Auth. Provider
In Lightning Experience, it's under Identity > Auth. Providers, and in Salesforce Classic, it's under Security > Auth. Providers. In either case, you need the Manage Auth. Providers permission. Check your profile settings if you're on a custom profile, or create a permission set for yourself.
Questions
Can Named Credentials be used to support token based authentication?
Yes, that's one of the primary benefits of using Named Credentials.
Is it necessary to set up My Domain in order to do so?
No, I just set up a Facebook OAuth2 connection in a dev org without My Domain configured, so it's clearly not necessary.
Is there really any worry about standard users seeing the token values?
Technically, you should treat the token the same as a password. That said, most users in your system wouldn't know what to do with a token if you told them how to use it, the few that do are probably developers that need to be trusted with these tokens anyways, and anyone that intends harm shouldn't even be an employee, much less someone that can log in with enough permission to see the token.
Is there any benefit to encrypting the token?
In a typical org, there's little need to encrypt the token. As a bonus, Named Credentials seems to store the token in a place that can't be accessed even by admins (not that I could see anywhere), so using NC limits interactions to just programmed interactions and, for developers and admins, execute anonymous scripts. I would personally recommend NC as the preferred form of authentication.
Closing Notes
Named Credentials are purpose-built for OAuth authentication, and should be the preferred means of doing so over all other means. The other techniques exist primarily because they were invented by thousands of developers independently, which salesforce.com obviously noticed, and decided to provide a standardized interface for us to use.
Identity Provider configuration allows salesforce.com to act as an Identity Provider, which means you could log in to services like Twitter, Facebook, or your internal apps using your salesforce.com user login. It's not used for outbound authentication at all.
It might be too much work, but you could put all the code that needs to call the external service with the token into a managed package. Then just expose global methods as required from the managed packages namespace. I.e. One method to update the token and another to perform the callout.
Once the token is only used from within the managed package you can then use either a protected Custom Setting or a Custom Metadata Type that is set to "Only Apex code in the same managed package can see the type".
Some quotes from Storing Sensitive Data
Protected Custom Metadata Types
Within a namespaced managed package, protected custom metadata types are suitable for storing authentication data and other secrets. Custom metadata types can also be updated via the metadata api in the organization that created the type, and can be read (but not updated) at runtime via SOQL code within an apex class in the same namespace as the metadata type.
Protected Custom Settings
Custom settings enable application developers to create custom sets of data, as well as create and associate custom data for an organization, profile, or specific user. However, setting the visibility of the Custom Setting Definition to “Protected” and including it in a managed package ensures that it’s only accessible programmatically via Apex code that exists within your package. Unlike custom metadata types, custom settings can be updated at runtime in your Apex class, but cannot be updated via the Metadata Api.
Choosing between the two approaches will depend on how you want to be able to set the token.
The big trade offs of this approach are:
- not being able to see the debug log output (maybe a security bonus)
- having to maintain the code as a seperate managed package.