Consider cutting down heavy dependencies

[misha-ridge]

x/oauth2 has some churn due to security issues and changes in dependencies.

However the dependencies of x/oauth2 are not so set in stone:

• Heavy cloud.google.com/go is required only for fetching GCE metadata. However the package for fetching metadata is pretty self-contained and can be pulled in.
• Heavy google.golang.org/appengine is required only for Gen1 AppEngine. I haven't investigated how much code is actually used. After removal of these two dependencies, the rest is trivial:
• ~x/net is used in one place to save 5 lines of code.~ (removed in e07593a4c41a489556d019d1ad4d82e9ee66b4a7)
• google/go-cmp is used in one test to save 11 lines of code.

I currently maintain a dependency-less version of x/oauth2 at https://github.com/ridge/oauth2. Here are the patches: https://github.com/golang/oauth2/compare/master...ridge:oauth2:master

The only feature loss is AppEngine Gen1 environment: for expediency I cut it out instead of figuring out if it can be retained.

[fserb]

A thousand times this, please.

[lfittl]

I currently maintain a dependency-less version of x/oauth2 at https://github.com/ridge/auth2. Here are the patches: master...ridge:oauth2:master

FWIW, I got a 404 on that link - looks like the correct link is https://github.com/ridge/oauth2 (with a leading o)

(I just ran into this exact problem thanks to go mod vendor not supporting build constraints, and so even though the appengine file is marked "+build appengine" that doesn't prevent vendoring from pulling it in)

[misha-ridge]

@lfittl Thanks, updated.

[hickford]

Great idea!

A little copying is better than a little dependency

https://go-proverbs.github.io/

[sg0hsmt]

google.golang.org/appengine is imported from two files, both of which have the appengine build tag set.

• google/appengine_gen1.go
• internal/client_appengine.go

However, in appengine Go 1.11, the appengine build tag is no longer used, so these files are now unused and the dependencies can be removed.

refs: #334

[liggitt]

This repo is actually no longer even buildable / testable with go1.11 (it requires go1.17+):

$ go version
go version go1.11.13 linux/amd64

$ go build ./...
# golang.org/x/oauth2/internal
internal/token.go:140:10: lc.v.CompareAndSwap undefined (type atomic.Value has no field or method CompareAndSwap)

$ go test ./...
# github.com/google/go-cmp/cmp
../../../github.com/google/go-cmp/cmp/report_compare.go:249:29: r.Value.ValueX.IsZero undefined (type reflect.Value has no field or method IsZero)
../../../github.com/google/go-cmp/cmp/report_compare.go:249:56: r.Value.ValueY.IsZero undefined (type reflect.Value has no field or method IsZero)
../../../github.com/google/go-cmp/cmp/report_compare.go:251:29: r.Value.ValueX.IsZero undefined (type reflect.Value has no field or method IsZero)
../../../github.com/google/go-cmp/cmp/report_compare.go:253:29: r.Value.ValueY.IsZero undefined (type reflect.Value has no field or method IsZero)
../../../github.com/google/go-cmp/cmp/report_reflect.go:194:9: vv.IsZero undefined (type reflect.Value has no field or method IsZero)
# golang.org/x/oauth2/internal
internal/token.go:140:10: lc.v.CompareAndSwap undefined (type atomic.Value has no field or method CompareAndSwap)
FAIL    golang.org/x/oauth2 [build failed]
FAIL    golang.org/x/oauth2/authhandler [build failed]
FAIL    golang.org/x/oauth2/clientcredentials [build failed]
FAIL    golang.org/x/oauth2/endpoints [build failed]
FAIL    golang.org/x/oauth2/google [build failed]
FAIL    golang.org/x/oauth2/google/downscope [build failed]
FAIL    golang.org/x/oauth2/google/externalaccount [build failed]
FAIL    golang.org/x/oauth2/google/internal/externalaccountauthorizeduser [build failed]
FAIL    golang.org/x/oauth2/google/internal/stsexchange [build failed]
# golang.org/x/oauth2/internal [golang.org/x/oauth2/internal.test]
internal/token.go:140:10: lc.v.CompareAndSwap undefined (type atomic.Value has no field or method CompareAndSwap)
FAIL    golang.org/x/oauth2/internal [build failed]
FAIL    golang.org/x/oauth2/jira [build failed]
ok      golang.org/x/oauth2/jws (cached)
FAIL    golang.org/x/oauth2/jwt [build failed]

I opened https://go-review.googlesource.com/c/oauth2/+/570595 to drop the appengine gen 1 code which is no longer possible to exercise on those Go versions.

[liggitt]

Also opened https://github.com/googleapis/google-cloud-go/pull/9545 which will make the cloud.google.com/go/compute/metadata dependency a zero-dep module.