I figured it out. The Microsoft.TeamFoundation.Client.TfsClientCredentialStorage has what I'm looking for. I put all the example code in a F# script as a gist. I'll copy it here as well:
#r "Microsoft.TeamFoundation.Client"
#r "Microsoft.VisualStudio.Services.Common"
#r "System.Net.Http"
open System
open Microsoft.TeamFoundation.Client
// retrieve VssToken
// for the logged in user "IdeUser"
let vssTokenIdeUser = TfsClientCredentialStorage.RetrieveConnectedUserToken()
let tokenStorage = Microsoft.VisualStudio.Services.Common.TokenStorage.VssTokenStorageFactory.GetTokenStorageNamespace "VisualStudio"
let vssTokens = tokenStorage.RetrieveAll "VssApp" |> Array.ofSeq
for t in vssTokens do
printfn "%s %s %s %s" t.Resource t.Type (t.GetProperty "UserId") (t.GetProperty "UserName")
// create a TfsClientCredentials by retrieving an IssuedToken
let ccs = TfsClientCredentialStorage()
let ct = ccs.RetrieveToken(Uri "https://ctaggart.visualstudio.com", Microsoft.VisualStudio.Services.Common.VssCredentialsType.Federated) :?> CookieToken
let cc = CookieCredential(false, ct)
let tcc = TfsClientCredentials cc
// use the TfsClientCredentials to authenticate with
let tfs = new TfsTeamProjectCollection(Uri "https://ctaggart.visualstudio.com/DefaultCollection", tcc)
tfs.Authenticate()