Made OAuth token verification and user seession cookie retrieval process robust on transient netw...

chrome/browser/chromeos/login/login_utils.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/login_utils.h"
 
 #include <vector>
 
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
@@ skipping 59 matching lines @@
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "ui/gfx/gl/gl_switches.h"
 
 using content::BrowserThread;
 
 namespace chromeos {
 
 namespace {
 
+// OAuth token verification retry count.
+const int kMaxOAuthTokenVerificationAttemptCount = 5;
+// OAuth token verification retry delay.
+const int kOAuthVerificationRestartDelay = 10000;  // ms
+
 // Affixes for Auth token received from ClientLogin request.
 const char kAuthPrefix[] = "Auth=";
 const char kAuthSuffix[] = "\n";
 
 // Increase logging level for Guest mode to avoid LOG(INFO) messages in logs.
 const char kGuestModeLoggingLevel[] = "1";
 
 // Format of command line switch.
 const char kSwitchFormatString[] = " --%s=\"%s\"";
 
 // User name which is used in the Guest session.
 const char kGuestUserName[] = "";
 
 // The service scope of the OAuth v2 token that ChromeOS login will be
 // requesting.
 // TODO(zelidrag): Figure out if we need to add more services here.
 const char kServiceScopeChromeOS[] =
     "https://www.googleapis.com/auth/chromesync";
 
 const char kServiceScopeChromeOSDeviceManagement[] =
     "https://www.googleapis.com/auth/chromeosdevicemanagement";
 }  // namespace
 
-// Task for fetching tokens from UI thread.
-class StartSyncOnUIThreadTask : public Task {
- public:
-  explicit StartSyncOnUIThreadTask(
-      const GaiaAuthConsumer::ClientLoginResult& credentials)
-      : credentials_(credentials) {}
-  virtual ~StartSyncOnUIThreadTask() {}
-
-  // Task override.
-  virtual void Run() OVERRIDE {
-    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-    LoginUtils::Get()->FetchCookies(ProfileManager::GetDefaultProfile(),
-                                    credentials_);
-    LoginUtils::Get()->StartSync(ProfileManager::GetDefaultProfile(),
-                                 credentials_);
-  }
-
- private:
-  GaiaAuthConsumer::ClientLoginResult credentials_;
-
-  DISALLOW_COPY_AND_ASSIGN(StartSyncOnUIThreadTask);
-};
-
 // Transfers initial set of Profile cookies from the default profile.
 class TransferDefaultCookiesOnIOThreadTask : public Task {
  public:
   TransferDefaultCookiesOnIOThreadTask(
       net::URLRequestContextGetter* auth_context,
       net::URLRequestContextGetter* new_context)
           : auth_context_(auth_context),
             new_context_(new_context) {}
   virtual ~TransferDefaultCookiesOnIOThreadTask() {}
 
@@ skipping 47 matching lines @@
         http_transaction_factory()->GetSession()->http_auth_cache());
   }
 
  private:
   net::URLRequestContextGetter* auth_context_;
   net::URLRequestContextGetter* new_context_;
 
   DISALLOW_COPY_AND_ASSIGN(TransferDefaultAuthCacheOnIOThreadTask);
 };
 
-// Verifies OAuth1 access token by performing OAuthLogin.
-class OAuthLoginVerifier : public GaiaOAuthConsumer {
+// Verifies OAuth1 access token by performing OAuthLogin. Fetches user cookies
+// on successful OAuth authentication.
+class OAuthLoginVerifier : public base::SupportsWeakPtr<OAuthLoginVerifier>,
+                           public GaiaOAuthConsumer,
+                           public GaiaAuthConsumer {
  public:
-  OAuthLoginVerifier(Profile* user_profile,
+  class Delegate {
+   public:
+    virtual ~Delegate() {}
+    virtual void OnOAuthVerificationSucceeded(const std::string& user_name,
+                                              const std::string& sid,
+                                              const std::string& lsid,
+                                              const std::string& auth) {}
+    virtual void OnOAuthVerificationFailed(const std::string& user_name) {}
+    virtual void OnUserCookiesFetchSucceeded(const std::string& user_name) {}
+    virtual void OnUserCookiesFetchFailed(const std::string& user_name) {}
+  };
+
+  OAuthLoginVerifier(OAuthLoginVerifier::Delegate* delegate,
+                     Profile* user_profile,
                      const std::string& oauth1_token,
                      const std::string& oauth1_secret,
                      const std::string& username)
-      : oauth_fetcher_(this,
+      : delegate_(delegate),
+        oauth_fetcher_(this,
             user_profile->GetOffTheRecordProfile()->GetRequestContext(),
             user_profile->GetOffTheRecordProfile(),
             kServiceScopeChromeOS),
+        gaia_fetcher_(this,
+            std::string(GaiaConstants::kChromeOSSource),
+            user_profile->GetRequestContext()),
         oauth1_token_(oauth1_token),
         oauth1_secret_(oauth1_secret),
-        username_(username) {
+        username_(username),
+        user_profile_(user_profile),
+        verification_count_(0),
+        step_(VERIFICATION_STEP_UNVERIFIED) {
   }
   virtual ~OAuthLoginVerifier() {}
 
-  void Start() {
+  bool is_done() {
+    return step_ == VERIFICATION_STEP_FAILED ||
+           step_ == VERIFICATION_STEP_COOKIES_FETCHED;
+  }
+
+  void StartOAuthVerification() {
     if (oauth1_token_.empty() || oauth1_secret_.empty()) {
       // Empty OAuth1 access token or secret probably means that we are
       // dealing with a legacy ChromeOS account. This should be treated as
       // invalid/expired token.
       OnOAuthLoginFailure(GoogleServiceAuthError(
           GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS));
     } else {
       oauth_fetcher_.StartOAuthLogin(GaiaConstants::kChromeOSSource,
                                      GaiaConstants::kPicasaService,
                                      oauth1_token_,
                                      oauth1_secret_);
     }
   }
 
+  void ContinueVerification() {
+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+    // Check if we have finished with this one already.
+    if (is_done())
+      return;
+
+    if (user_profile_ != ProfileManager::GetDefaultProfile())
+      return;
+
+    // Check if we currently trying to fetch something.
+    if (oauth_fetcher_.HasPendingFetch() || gaia_fetcher_.HasPendingFetch())
+      return;
+
+    if (CrosLibrary::Get()->EnsureLoaded()) {
+      // Delay the verification if the network is not connected or on a captive
+      // portal.
+      const Network* network =
+          CrosLibrary::Get()->GetNetworkLibrary()->active_network();
+      if (!network || !network->connected() || network->restricted_pool()) {
+        BrowserThread::PostDelayedTask(BrowserThread::UI, FROM_HERE,
+            base::Bind(&OAuthLoginVerifier::ContinueVerification, AsWeakPtr()),
+            kOAuthVerificationRestartDelay);

[Nikita (slow), 2011/11/22 09:14:39]

verification_count_ is increased below this block.
If user is constantly offline, we'll be scheduling ContinueVerification() each
10s.

Since we also have handler for OnOnlineStateChanged(), verification_count_++
should be moved before this block.

[Nikita (slow), 2011/11/22 09:21:56]

Reading it differently, I think that initial idea was to ignore any verification
errors when network is not connected / in captive portal.

I think scheduling ContinueVerification() in block 254-256 might be omitted and
rely on OnOnlineStateChanged() handler. From there on verification_count_ will
be increased since online == true already.

+        return;
+      }
+    }
+
+    verification_count_++;
+    if (step_ == VERIFICATION_STEP_UNVERIFIED) {
+      DVLOG(1) << "Retrying to verify OAuth1 access tokens.";
+      StartOAuthVerification();
+    } else {
+      DVLOG(1) << "Retrying to fetch user cookies.";
+      StartCookiesRetreival();
+    }
+  }
+
+ private:
+  typedef enum {
+    VERIFICATION_STEP_UNVERIFIED,
+    VERIFICATION_STEP_OAUTH_VERIFIED,
+    VERIFICATION_STEP_COOKIES_FETCHED,
+    VERIFICATION_STEP_FAILED,
+  } VerificationStep;
+
+  // Kicks off GAIA session cookie retreival process.
+  void StartCookiesRetreival() {
+    DCHECK(!sid_.empty());
+    DCHECK(!lsid_.empty());
+    gaia_fetcher_.StartIssueAuthToken(sid_, lsid_, GaiaConstants::kGaiaService);
+  }
+
+  // Decides how to proceed on GAIA response and other errors. It can schedule
+  // to rerun the verification process if detects transient network or service
+  // errors.
+  bool RetryOnError(const GoogleServiceAuthError& error) {
+    // If we can't connect to GAIA due to network or service related reasons,
+    // we should attempt OAuth token verification again.
+    if (error.state() == GoogleServiceAuthError::CONNECTION_FAILED ||
+        error.state() == GoogleServiceAuthError::SERVICE_UNAVAILABLE) {
+      if (verification_count_ < kMaxOAuthTokenVerificationAttemptCount) {
+        BrowserThread::PostDelayedTask(BrowserThread::UI, FROM_HERE,
+            base::Bind(&OAuthLoginVerifier::ContinueVerification, AsWeakPtr()),
+            kOAuthVerificationRestartDelay);
+        return true;
+      }
+    }
+    step_ = VERIFICATION_STEP_FAILED;
+    return false;
+  }
+
   // GaiaOAuthConsumer implementation:
   virtual void OnOAuthLoginSuccess(const std::string& sid,
                                    const std::string& lsid,
                                    const std::string& auth) OVERRIDE {
-    GaiaAuthConsumer::ClientLoginResult credentials(
-        sid, lsid, auth, std::string());
-    UserManager::Get()->set_offline_login(false);
-    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
-                            new StartSyncOnUIThreadTask(credentials));
+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+    step_ = VERIFICATION_STEP_OAUTH_VERIFIED;
+    verification_count_ = 0;
+    sid_ = sid;
+    lsid_ = lsid;
+    delegate_->OnOAuthVerificationSucceeded(username_, sid, lsid, auth);
+    StartCookiesRetreival();
   }
 
   virtual void OnOAuthLoginFailure(
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed to verify OAuth1 access tokens, error: "
-                 << error.state();
-
-    // Mark this account's OAuth token state as invalid if the failure is not
-    // caused by network error.
-    if (error.state() != GoogleServiceAuthError::CONNECTION_FAILED) {
-      UserManager::Get()->SaveUserOAuthStatus(username_,
-                                              User::OAUTH_TOKEN_STATUS_INVALID);
-    } else {
-      UserManager::Get()->set_offline_login(true);
-    }
+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+    LOG(WARNING) << "Failed to verify OAuth1 access tokens,"
+                 << " error.state=" << error.state();
+    if (!RetryOnError(error))
+      delegate_->OnOAuthVerificationFailed(username_);
   }
 
- private:
-  GaiaOAuthFetcher oauth_fetcher_;
-  std::string oauth1_token_;
-  std::string oauth1_secret_;
-  std::string username_;
-
-  DISALLOW_COPY_AND_ASSIGN(OAuthLoginVerifier);
-};
-
-// Verifies OAuth1 access token by performing OAuthLogin.
-class UserSessionCookieFetcher : public GaiaAuthConsumer {
- public:
-  explicit UserSessionCookieFetcher(Profile* user_profile)
-      : gaia_fetcher_(this,
-                      std::string(GaiaConstants::kChromeOSSource),
-                      user_profile->GetRequestContext()) {
-  }
-  virtual ~UserSessionCookieFetcher() {}
-
-  void Start(const GaiaAuthConsumer::ClientLoginResult& credentials) {
-    gaia_fetcher_.StartIssueAuthToken(credentials.sid, credentials.lsid,
-                                      GaiaConstants::kGaiaService);
+  void OnCookueFetchFailed(const GoogleServiceAuthError& error) {

[Nikita (slow), 2011/11/22 09:14:39]

nit: fix spelling OnCookieFetchFailed

+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+    if (!RetryOnError(error))
+      delegate_->OnUserCookiesFetchFailed(username_);
   }
 
   // GaiaAuthConsumer overrides.
   virtual void OnIssueAuthTokenSuccess(const std::string& service,
                                        const std::string& auth_token) OVERRIDE {
     gaia_fetcher_.StartMergeSession(auth_token);
   }
 
   virtual void OnIssueAuthTokenFailure(const std::string& service,
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed IssueAuthToken request, error: " << error.state();
-    HandlerGaiaAuthError(error);
-    delete this;
+    DVLOG(1) << "Failed IssueAuthToken request,"
+             << " error.state=" << error.state();
+    OnCookueFetchFailed(error);
   }
 
   virtual void OnMergeSessionSuccess(const std::string& data) OVERRIDE {
-    VLOG(1) << "MergeSession successful.";
-    delete this;
+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+    DVLOG(1) << "MergeSession successful.";
+    step_ = VERIFICATION_STEP_COOKIES_FETCHED;
+    delegate_->OnUserCookiesFetchSucceeded(username_);
   }
 
   virtual void OnMergeSessionFailure(
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed MergeSession request, error: " << error.state();
-    HandlerGaiaAuthError(error);
-    delete this;
+    DVLOG(1) << "Failed MergeSession request,"
+             << " error.state=" << error.state();
+    OnCookueFetchFailed(error);
   }
 
- private:
-  void HandlerGaiaAuthError(const GoogleServiceAuthError& error) {
-    // Mark this account's login state as offline if we encountered a network
-    // error. That will make us verify user OAuth token and try to fetch session
-    // cookies again once we detect that the machine comes online.
-    if (error.state() == GoogleServiceAuthError::CONNECTION_FAILED)
-      UserManager::Get()->set_offline_login(true);
-  }
+  OAuthLoginVerifier::Delegate* delegate_;
+  GaiaOAuthFetcher oauth_fetcher_;
+  GaiaAuthFetcher gaia_fetcher_;
+  std::string oauth1_token_;
+  std::string oauth1_secret_;
+  std::string sid_;
+  std::string lsid_;
+  std::string username_;
+  Profile* user_profile_;
+  int verification_count_;
+  VerificationStep step_;
 
-  GaiaAuthFetcher gaia_fetcher_;
-  DISALLOW_COPY_AND_ASSIGN(UserSessionCookieFetcher);
+  DISALLOW_COPY_AND_ASSIGN(OAuthLoginVerifier);
 };
 
 // Fetches the oauth token for the device management service. Since Profile
 // creation might be blocking on a user policy fetch, this fetcher must always
 // send a (possibly empty) token to the BrowserPolicyConnector, which will then
 // let the policy subsystem proceed and resume Profile creation.
 // Sending the token even when no Profile is pending is also OK.
 class PolicyOAuthFetcher : public GaiaOAuthConsumer {
  public:
   // Fetches the device management service's oauth token using |oauth1_token|
@@ skipping 138 matching lines @@
 
   int pid_;
   std::string command_line_;
   PrefService* local_state_;
   base::OneShotTimer<JobRestartRequest> timer_;
 };
 
 class LoginUtilsImpl : public LoginUtils,
                        public ProfileManagerObserver,
                        public GaiaOAuthConsumer,
+                       public OAuthLoginVerifier::Delegate,
                        public net::NetworkChangeNotifier::OnlineStateObserver {
  public:
   LoginUtilsImpl()
       : background_view_(NULL),
         pending_requests_(false),
         using_oauth_(false),
         has_cookies_(false),
         delegate_(NULL),
         job_restart_request_(NULL) {
     net::NetworkChangeNotifier::AddOnlineStateObserver(this);
   }
 
   virtual ~LoginUtilsImpl() {
     net::NetworkChangeNotifier::RemoveOnlineStateObserver(this);
   }
 
   // LoginUtils implementation:
   virtual void PrepareProfile(
       const std::string& username,
       const std::string& password,
       const GaiaAuthConsumer::ClientLoginResult& credentials,
       bool pending_requests,
       bool using_oauth,
       bool has_cookies,
       LoginUtils::Delegate* delegate) OVERRIDE;
-  virtual void DelegateDeleted(Delegate* delegate) OVERRIDE;
+  virtual void DelegateDeleted(LoginUtils::Delegate* delegate) OVERRIDE;
   virtual void CompleteOffTheRecordLogin(const GURL& start_url) OVERRIDE;
   virtual void SetFirstLoginPrefs(PrefService* prefs) OVERRIDE;
   virtual scoped_refptr<Authenticator> CreateAuthenticator(
       LoginStatusConsumer* consumer) OVERRIDE;
   virtual void PrewarmAuthentication() OVERRIDE;
   virtual void RestoreAuthenticationSession(const std::string& user_name,
                                             Profile* profile) OVERRIDE;
-  virtual void FetchCookies(
-      Profile* profile,
-      const GaiaAuthConsumer::ClientLoginResult& credentials) OVERRIDE;
   virtual void StartTokenServices(Profile* user_profile) OVERRIDE;
   virtual void StartSync(
       Profile* profile,
       const GaiaAuthConsumer::ClientLoginResult& credentials) OVERRIDE;
   virtual void SetBackgroundView(
       chromeos::BackgroundView* background_view) OVERRIDE;
   virtual chromeos::BackgroundView* GetBackgroundView() OVERRIDE;
   virtual void TransferDefaultCookies(Profile* default_profile,
                                       Profile* new_profile) OVERRIDE;
   virtual void TransferDefaultAuthCache(Profile* default_profile,
                                         Profile* new_profile) OVERRIDE;
 
   // ProfileManagerObserver implementation:
   virtual void OnProfileCreated(Profile* profile, Status status) OVERRIDE;
 
   // GaiaOAuthConsumer overrides.
   virtual void OnGetOAuthTokenSuccess(const std::string& oauth_token) OVERRIDE;
   virtual void OnGetOAuthTokenFailure(
       const GoogleServiceAuthError& error) OVERRIDE;
   virtual void OnOAuthGetAccessTokenSuccess(const std::string& token,
                                             const std::string& secret) OVERRIDE;
   virtual void OnOAuthGetAccessTokenFailure(
       const GoogleServiceAuthError& error) OVERRIDE;
 
+  // OAuthLoginVerifier::Delegate overrides.
+  virtual void OnOAuthVerificationSucceeded(const std::string& user_name,
+                                            const std::string& sid,
+                                            const std::string& lsid,
+                                            const std::string& auth) OVERRIDE;
+  virtual void OnOAuthVerificationFailed(const std::string& user_name) OVERRIDE;
+
   // net::NetworkChangeNotifier::OnlineStateObserver overrides.
   virtual void OnOnlineStateChanged(bool online) OVERRIDE;
 
   // Given the authenticated credentials from the cookie jar, try to exchange
   // fetch OAuth request, v1 and v2 tokens.
   void FetchOAuth1AccessToken(Profile* auth_profile);
 
  protected:
   virtual std::string GetOffTheRecordCommandLine(
       const GURL& start_url,
@@ skipping 151 matching lines @@
     policy_oauth_fetcher_.reset(
         new PolicyOAuthFetcher(authenticator_->authentication_profile()));
     policy_oauth_fetcher_->Start();
   }
 
   // The default profile will have been changed because the ProfileManager
   // will process the notification that the UserManager sends out.
   ProfileManager::CreateDefaultProfileAsync(this);
 }
 
-void LoginUtilsImpl::DelegateDeleted(Delegate* delegate) {
+void LoginUtilsImpl::DelegateDeleted(LoginUtils::Delegate* delegate) {
   if (delegate_ == delegate)
     delegate_ = NULL;
 }
 
 void LoginUtilsImpl::OnProfileCreated(Profile* user_profile, Status status) {
   CHECK(user_profile);
   switch (status) {
     case STATUS_INITIALIZED:
       break;
     case STATUS_CREATED:
       if (UserManager::Get()->current_user_is_new())
         SetFirstLoginPrefs(user_profile->GetPrefs());
       RespectLocalePreference(user_profile);
       return;
     case STATUS_FAIL:
     default:
       NOTREACHED();
       return;
   }
 
-  // Initialize the user-policy backend.
-  if (!using_oauth_) {
-    g_browser_process->browser_policy_connector()->
-        SetUserPolicyTokenService(user_profile->GetTokenService());
-  }
-
-  // We suck. This is a hack since we do not have the enterprise feature
-  // done yet to pull down policies from the domain admin. We'll take this
-  // out when we get that done properly.
-  // TODO(xiyuan): Remove this once enterprise feature is ready.
-  if (EndsWith(username_, "@google.com", true)) {
-    PrefService* pref_service = user_profile->GetPrefs();
-    pref_service->SetBoolean(prefs::kEnableScreenLock, true);
-  }
-
   BootTimesLoader* btl = BootTimesLoader::Get();
   btl->AddLoginTimeMarker("UserProfileGotten", false);
 
   if (using_oauth_) {
     // Reuse the access token fetched by the PolicyOAuthFetcher, if it was
     // used to fetch policies before Profile creation.
     if (policy_oauth_fetcher_.get() &&
         !policy_oauth_fetcher_->oauth1_token().empty()) {
       VLOG(1) << "Resuming profile creation after fetching policy token";
       StoreOAuth1AccessToken(user_profile,
@@ skipping 25 matching lines @@
       VerifyOAuth1AccessToken(user_profile, oauth1_token, oauth1_secret);
     } else {
       // If we don't have it, fetch OAuth1 access token.
       // Use off-the-record profile that was used for this step. It should
       // already contain all needed cookies that will let us skip GAIA's user
       // authentication UI.
       //
       // TODO(rickcam) We should use an isolated App here.
       FetchOAuth1AccessToken(authenticator_->authentication_profile());
     }
-  } else {
-    // Since we're doing parallel authentication, only new user sign in
-    // would perform online auth before calling PrepareProfile.
-    // For existing users there's usually a pending online auth request.
-    // Cookies will be fetched after it's is succeeded.
-    if (!pending_requests_) {
-      FetchCookies(user_profile, credentials_);
-    }
-  }
-
-  if (!using_oauth_) {
-    // We don't need authenticator instance anymore in LoginUtils.
-    // Release it so that ScreenLocker would create a separate instance.
-    // Note that for GAIA WebUI login authenticator instance is reset in
-    // OnOAuthGetAccessTokenSuccess(...).
-    authenticator_ = NULL;
-  }
-
-  // Supply credentials for sync and others to use. Load tokens from disk.
-  if (!using_oauth_) {
-    // For existing users there's usually a pending online auth request.
-    // Tokens will be fetched after it's is succeeded.
-    if (!pending_requests_)
-      StartSync(user_profile, credentials_);
   }
 
   // Own TPM device if, for any reason, it has not been done in EULA
   // wizard screen.
   if (system::runtime_environment::IsRunningOnChromeOS()) {
     CryptohomeLibrary* cryptohome = CrosLibrary::Get()->GetCryptohomeLibrary();
     btl->AddLoginTimeMarker("TPMOwn-Start", false);
     if (cryptohome->TpmIsEnabled() && !cryptohome->TpmIsBeingOwned()) {
       if (cryptohome->TpmIsOwned()) {
         cryptohome->TpmClearStoredPassword();
@@ skipping 24 matching lines @@
                                             auth_profile->GetRequestContext(),
                                             auth_profile,
                                             kServiceScopeChromeOS));
   // Let's first get the Oauth request token and OAuth1 token+secret.
   // Once we get that, we will kick off individual requests for OAuth2 tokens
   // for all our services.
   oauth_fetcher_->SetAutoFetchLimit(GaiaOAuthFetcher::OAUTH1_ALL_ACCESS_TOKEN);
   oauth_fetcher_->StartGetOAuthTokenRequest();
 }
 
-void LoginUtilsImpl::FetchCookies(Profile* user_profile,
-    const GaiaAuthConsumer::ClientLoginResult& credentials) {
-  if (!using_oauth_) {
-    // Take the credentials passed in and try to exchange them for
-    // full-fledged Google authentication cookies.  This is
-    // best-effort; it's possible that we'll fail due to network
-    // troubles or some such.
-    // CookieFetcher will delete itself once done.
-    CookieFetcher* cf = new CookieFetcher(user_profile);
-    cf->AttemptFetch(credentials.data);
-  } else {
-    UserSessionCookieFetcher* cf =
-        new UserSessionCookieFetcher(user_profile);
-    cf->Start(credentials);
-  }
-}
-
 void LoginUtilsImpl::StartTokenServices(Profile* user_profile) {
   std::string oauth1_token;
   std::string oauth1_secret;
   if (!ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret))
     return;
 
   FetchSecondaryTokens(user_profile->GetOffTheRecordProfile(), oauth1_token,
                        oauth1_secret);
 }
 
@@ skipping 362 matching lines @@
   // Kick off verification of OAuth1 access token (via OAuthLogin), this should
   // let us fetch credentials that will be used to initialize sync engine.
   FetchCredentials(user_profile, token, secret);
 
   FetchSecondaryTokens(user_profile->GetOffTheRecordProfile(), token, secret);
 }
 
 void LoginUtilsImpl::FetchCredentials(Profile* user_profile,
                                       const std::string& token,
                                       const std::string& secret) {
-  oauth_login_verifier_.reset(new OAuthLoginVerifier(user_profile,
+  oauth_login_verifier_.reset(new OAuthLoginVerifier(this,
+                                                     user_profile,
                                                      token,
                                                      secret,
                                                      username_));
-  oauth_login_verifier_->Start();
+  oauth_login_verifier_->StartOAuthVerification();
 }
 
 
 void LoginUtilsImpl::FetchPolicyToken(Profile* offrecord_profile,
                                       const std::string& token,
                                       const std::string& secret) {
   // Fetch dm service token now, if it hasn't been fetched yet.
   if (!policy_oauth_fetcher_.get() || policy_oauth_fetcher_->failed()) {
     // Trigger oauth token fetch for user policy.
     policy_oauth_fetcher_.reset(new PolicyOAuthFetcher(offrecord_profile,
                                                        token,
                                                        secret));
     policy_oauth_fetcher_->Start();
   }
 
   // TODO(zelidrag): We should add initialization of other services somewhere
   // here as well. This could be handled with TokenService class once it is
   // ready to handle OAuth tokens.
 
   // We don't need authenticator instance any more, reset it so that
   // ScreenLocker would create a separate instance.
   // TODO(nkostylev): There's a potential race if SL would be created before
   // OAuth tokens are fetched. It would use incorrect Authenticator instance.
   authenticator_ = NULL;
 }
 
+void LoginUtilsImpl::OnOAuthVerificationFailed(const std::string& user_name) {
+  UserManager::Get()->SaveUserOAuthStatus(user_name,
+                                          User::OAUTH_TOKEN_STATUS_INVALID);
+}
+
+void LoginUtilsImpl::OnOAuthVerificationSucceeded(
+    const std::string& user_name, const std::string& sid,
+    const std::string& lsid, const std::string& auth) {
+  // Kick off sync engine.
+  GaiaAuthConsumer::ClientLoginResult credentials(sid, lsid, auth,
+                                                  std::string());
+  StartSync(ProfileManager::GetDefaultProfile(), credentials);
+}
+
+
 void LoginUtilsImpl::OnOnlineStateChanged(bool online) {
   // If we come online for the first time after successful offline login,
   // we need to kick of OAuth token verification process again.
-  if (UserManager::Get()->user_is_logged_in() &&
-      UserManager::Get()->offline_login() && online) {
-    KickStartAuthentication(ProfileManager::GetDefaultProfile());
+  if (online && UserManager::Get()->user_is_logged_in() &&
+      oauth_login_verifier_.get() &&
+      !oauth_login_verifier_->is_done()) {
+    oauth_login_verifier_->ContinueVerification();
   }
 }
 
 LoginUtils* LoginUtils::Get() {
   return LoginUtilsWrapper::GetInstance()->get();
 }
 
 void LoginUtils::Set(LoginUtils* mock) {
   LoginUtilsWrapper::GetInstance()->reset(mock);
 }
@@ skipping 20 matching lines @@
   // Mark login host for deletion after browser starts.  This
   // guarantees that the message loop will be referenced by the
   // browser before it is dereferenced by the login host.
   if (login_host) {
     login_host->OnSessionStart();
     login_host = NULL;
   }
 }
 
 }  // namespace chromeos