I made a tiny change in the go-oauth code you wrote. It is working well for me and I've integrated it as my oauth1 support in my web toolkit. (Seven5 is the toolkit, hoping to push out a new release in the next couple of weeks.)
Anyway, when integrating go-oauth with evernote I found that evernote doesn't supply the oauth_token_secret at the 2nd token exchange. This is a documented behavior on their website, so I suppose they know what they are doing...
Please merge if you want, otherwise I'll leave it in my account.
evernote does use the oauth_token_secret in final token request
I submitted e54801b to allow "" as a secret. Can you test this change and let me know if it works with Evernote?
If a flag is required for Evernote, then the flag should be specified in the Client struct instead of the method parameters. The flag is logically a per-client setting. Specifying the flag in the client avoids breaking existing users of the package.
I did a quick test with e54801b and found that it fixes the problem with Evernote.