Modify experimental identity flow to display scope descriptions and details.

chrome/browser/extensions/api/identity/identity_api.cc

Index: chrome/browser/extensions/api/identity/identity_api.cc
diff --git a/chrome/browser/extensions/api/identity/identity_api.cc b/chrome/browser/extensions/api/identity/identity_api.cc
index 5bb8c840dfd697e63a01be59076fce2738408dc4..91bd730a05cf6f62f306819956eb4e6623ac48cc 100644
--- a/chrome/browser/extensions/api/identity/identity_api.cc
+++ b/chrome/browser/extensions/api/identity/identity_api.cc
@@ -6,6 +6,7 @@
 
 #include "base/values.h"
 #include "chrome/browser/extensions/extension_function_dispatcher.h"
+#include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/signin/token_service.h"
 #include "chrome/browser/signin/token_service_factory.h"
 #include "chrome/browser/ui/browser.h"
@@ -20,6 +21,8 @@ namespace {
 const char kInvalidClientId[] = "Invalid OAuth2 Client ID.";
 const char kInvalidScopes[] = "Invalid OAuth2 scopes.";
 const char kInvalidRedirect[] = "Did not redirect to the right URL.";
+const char kAuthFailure[] = "OAuth2 request failed: ";
+const char kGrantRevoked[] = "OAuth2 not granted or revoked.";
 
 }  // namespace
 
@@ -44,7 +47,7 @@ bool GetAuthTokenFunction::RunImpl() {
 
   TokenService* token_service = TokenServiceFactory::GetForProfile(profile());
 
-  flow_.reset(new OAuth2MintTokenFlow(
+  flow_ = new OAuth2MintTokenFlow(
       profile()->GetRequestContext(),
       this,
       OAuth2MintTokenFlow::Parameters(
@@ -52,7 +55,14 @@ bool GetAuthTokenFunction::RunImpl() {
           extension->id(),
           oauth2_info.client_id,
           oauth2_info.scopes,
-          OAuth2MintTokenFlow::MODE_MINT_TOKEN_FORCE)));
+#if defined(TOOLKIT_GTK)
+          // Do not force on Linux. We will re-prompt for authorization.
+          OAuth2MintTokenFlow::MODE_MINT_TOKEN_NO_FORCE));

[Evan Stade, 2012/06/22 00:46:56]

so, correct the parts that are wrong, but this is what I figure:

In cases where the user is logged in, but regardless of whether they've ever
seen an OAuth2 permissions dialog, using FORCE here silently records the grant
and mints a token without prompting the user. Obviously we want to prompt the
user, so we want NO_FORCE on all platforms, but only after we have implemented
[re]prompting the user for the grant.

+#else
+          // For now, silently force the token. The user will never see the
+          // scopes they are granting.
+          OAuth2MintTokenFlow::MODE_MINT_TOKEN_FORCE));
+#endif
   flow_->Start();
 
   return true;
@@ -66,7 +76,25 @@ void GetAuthTokenFunction::OnMintTokenSuccess(const std::string& access_token) {
 
 void GetAuthTokenFunction::OnMintTokenFailure(
     const GoogleServiceAuthError& error) {
-  error_ = error.ToString();
+  error_ = std::string(kAuthFailure) + error.ToString();
+  SendResponse(false);
+  Release();  // Balanced in RunImpl.
+}
+
+void GetAuthTokenFunction::OnIssueAdviceSuccess(const IssueAdviceInfo& issues) {
+  // Existing grant was revoked, so we got info back instead.
+  error_ = kGrantRevoked;
+
+  // Remove the oauth2 scopes from the extension's granted permissions, if
+  // revoked server-side.
+  scoped_refptr<ExtensionPermissionSet> scopes =
+      new ExtensionPermissionSet(
+          GetExtension()->GetActivePermissions()->scopes());
+  profile()->GetExtensionService()->extension_prefs()->RemoveGrantedPermissions(
+      GetExtension()->id(), scopes);
+
+  // TODO(estade): need to prompt the user for scope permissions.

[Evan Stade, 2012/06/22 00:46:56]

It's not clear to me we'd want to prompt automatically. This could lead to some
annoying behavior (e.g. a background script tries to grab a token, but is
blocked, and the user is interrupted while they are trying to do something
else). I'm more inclined to make the runtime prompting be available via a
different API call that can only be triggered by a user action.

+
   SendResponse(false);
   Release();  // Balanced in RunImpl.
 }