OAuth2 sign-in flow for ChromeOS

chrome/browser/chromeos/login/login_utils.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/login_utils.h"
 
 #include <algorithm>
 #include <vector>
 
 #include "ash/ash_switches.h"
@@ skipping 21 matching lines @@
 #include "chrome/browser/chromeos/boot_times_loader.h"
 #include "chrome/browser/chromeos/cros/cert_library.h"
 #include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/cryptohome_library.h"
 #include "chrome/browser/chromeos/cros/network_library.h"
 #include "chrome/browser/chromeos/input_method/input_method_configuration.h"
 #include "chrome/browser/chromeos/input_method/input_method_manager.h"
 #include "chrome/browser/chromeos/input_method/input_method_util.h"
 #include "chrome/browser/chromeos/login/language_switch_menu.h"
 #include "chrome/browser/chromeos/login/login_display_host.h"
+#include "chrome/browser/chromeos/login/login_manager.h"
+#include "chrome/browser/chromeos/login/oauth1_login_verifier.h"
 #include "chrome/browser/chromeos/login/oauth1_token_fetcher.h"
-#include "chrome/browser/chromeos/login/oauth_login_verifier.h"
+#include "chrome/browser/chromeos/login/oauth2_login_verifier.h"
+#include "chrome/browser/chromeos/login/oauth2_token_fetcher.h"
 #include "chrome/browser/chromeos/login/parallel_authenticator.h"
 #include "chrome/browser/chromeos/login/policy_oauth_fetcher.h"
 #include "chrome/browser/chromeos/login/profile_auth_data.h"
 #include "chrome/browser/chromeos/login/screen_locker.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/browser/chromeos/settings/cros_settings_names.h"
 #include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/first_run/first_run.h"
 #include "chrome/browser/google/google_util_chromeos.h"
@@ skipping 21 matching lines @@
 #include "chrome/common/pref_names.h"
 #include "chrome/common/url_constants.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/session_manager_client.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_observer.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/common/content_switches.h"
 #include "google_apis/gaia/gaia_auth_consumer.h"
+#include "google_apis/gaia/gaia_constants.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "googleurl/src/gurl.h"
 #include "media/base/media_switches.h"
 #include "net/base/network_change_notifier.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "ui/base/ui_base_switches.h"
 #include "ui/compositor/compositor_switches.h"
 #include "ui/gfx/switches.h"
 #include "ui/gl/gl_switches.h"
@@ skipping 78 matching lines @@
 
   int pid_;
   std::string command_line_;
   PrefService* local_state_;
   base::OneShotTimer<JobRestartRequest> timer_;
 };
 
 class LoginUtilsImpl
     : public LoginUtils,
       public OAuth1TokenFetcher::Delegate,
-      public OAuthLoginVerifier::Delegate,
+      public OAuth1LoginVerifier::Delegate,
+      public LoginManager::Delegate,
+      public OAuth2TokenFetcher::Delegate,
       public net::NetworkChangeNotifier::ConnectionTypeObserver,
       public content::NotificationObserver,
       public base::SupportsWeakPtr<LoginUtilsImpl> {
  public:
   LoginUtilsImpl()
       : pending_requests_(false),
         using_oauth_(false),
+        force_oauth2_(CommandLine::ForCurrentProcess()->HasSwitch(
+            ::switches::kForceOAuth2)),
         has_web_auth_cookies_(false),
         delegate_(NULL),
         job_restart_request_(NULL),
         should_restore_auth_session_(false),
         url_request_context_getter_(NULL) {
     net::NetworkChangeNotifier::AddConnectionTypeObserver(this);
     // During tests, the browser_process may not be initialized yet causing
     // this to fail.
     if (g_browser_process) {
       registrar_.Add(
@@ skipping 19 matching lines @@
       bool has_cookies,
       LoginUtils::Delegate* delegate) OVERRIDE;
   virtual void DelegateDeleted(LoginUtils::Delegate* delegate) OVERRIDE;
   virtual void CompleteOffTheRecordLogin(const GURL& start_url) OVERRIDE;
   virtual void SetFirstLoginPrefs(PrefService* prefs) OVERRIDE;
   virtual scoped_refptr<Authenticator> CreateAuthenticator(
       LoginStatusConsumer* consumer) OVERRIDE;
   virtual void PrewarmAuthentication() OVERRIDE;
   virtual void RestoreAuthenticationSession(Profile* profile) OVERRIDE;
   virtual void StartTokenServices(Profile* user_profile) OVERRIDE;
-  virtual void StartSignedInServices(
-      Profile* profile,
-      const GaiaAuthConsumer::ClientLoginResult& credentials) OVERRIDE;
   virtual void StopBackgroundFetchers() OVERRIDE;
   virtual void InitRlzDelayed(Profile* user_profile) OVERRIDE;
   virtual void CompleteProfileCreate(Profile* user_profile) OVERRIDE;
 
   // OAuth1TokenFetcher::Delegate overrides.
   void OnOAuth1AccessTokenAvailable(const std::string& token,
                                     const std::string& secret) OVERRIDE;
   void OnOAuth1AccessTokenFetchFailed() OVERRIDE;
 
-  // OAuthLoginVerifier::Delegate overrides.
-  virtual void OnOAuthVerificationSucceeded(const std::string& user_name,
-                                            const std::string& sid,
-                                            const std::string& lsid,
-                                            const std::string& auth) OVERRIDE;
-  virtual void OnOAuthVerificationFailed(const std::string& user_name) OVERRIDE;
+  // OAuth1LoginVerifier::Delegate overrides.
+  virtual void OnOAuth1VerificationSucceeded(const std::string& user_name,
+                                             const std::string& sid,
+                                             const std::string& lsid,
+                                             const std::string& auth) OVERRIDE;
+  virtual void OnOAuth1VerificationFailed(
+      const std::string& user_name) OVERRIDE;
+
+  // LoginManager::Delegate overrides.
+  virtual void OnOAuth2RefreshTokenLoaded(Profile* profile,
+                             const std::string& refresh_token) OVERRIDE;
+  virtual void OnOAuth2RefreshTokenFetchFailed(Profile* profile,
+                                  const std::string& service) OVERRIDE;
+  virtual void OnCookiesRestoreSuccess(Profile* profile) OVERRIDE;
+  virtual void OnCookiesRestoreFailure(Profile* profile) OVERRIDE;
+
+  // OAuth2TokenFetcher::Delegate overrides.
+  virtual void OnOAuth2TokenAvailable(
+      const GaiaAuthConsumer::ClientLoginResult& gaia_credentials,
+      const GaiaAuthConsumer::ClientOAuthResult& oauth2_tokens) OVERRIDE;
+  virtual void OnOAuth2TokenFetchFailed() OVERRIDE;
 
   // net::NetworkChangeNotifier::ConnectionTypeObserver overrides.
   virtual void OnConnectionTypeChanged(
       net::NetworkChangeNotifier::ConnectionType type) OVERRIDE;
 
   // content::NotificationObserver overrides.
   virtual void Observe(int type,
                        const content::NotificationSource& source,
                        const content::NotificationDetails& details) OVERRIDE;
 
@@ skipping 22 matching lines @@
                                const std::string& token,
                                const std::string& secret);
 
   // Fetch all secondary (OAuth2) tokens given OAuth1 access |token| and
   // |secret|.
   void FetchSecondaryTokens(Profile* offrecord_profile,
                             const std::string& token,
                             const std::string& secret);
 
   // Fetch user credentials (sid/lsid) given OAuth1 access |token| and |secret|.
-  void FetchCredentials(Profile* user_profile,
-                        const std::string& token,
-                        const std::string& secret);
+  void FetchCredentialsWithOAuth1(Profile* user_profile,
+                                  const std::string& token,
+                                  const std::string& secret);
 
   // Fetch enterprise policy OAuth2 given OAuth1 access |token| and |secret|.
   void FetchPolicyToken(Profile* offrecord_profile,
                         const std::string& token,
                         const std::string& secret);
 
   // Check user's profile for kApplicationLocale setting.
   void RespectLocalePreference(Profile* pref);
 
+  // Returns true if the OAuth2 refresh token and its previously checked value
+  // (during token-to-cookies exchange) is known to be valid.
+  bool IsOAuth2RefreshTokenValid(Profile* user_profile,
+                                 const std::string& oauth2_refresh_token);
+
   // Initializes basic preferences for newly created profile.
   void InitProfilePreferences(Profile* user_profile);
 
   // Callback for asynchronous profile creation.
   void OnProfileCreated(Profile* profile,
                         Profile::CreateStatus status);
 
   // Finalized profile preparation.
   void FinalizePrepareProfile(Profile* user_profile);
 
-  // Restores GAIA auth cookies for the created profile.
-  void RestoreAuthCookies(Profile* user_profile);
+  // Restores GAIA auth cookies for the created user profile from OAuth1 token.
+  void RestoreCookiesFromOAuth1Token(Profile* user_profile);
+
+  // Restores GAIA auth cookies for the created user profile from OAuth2 token.
+  void RestoreCookiesFromTokenService(Profile* user_profile);
+
+  // Removed deprecated OAuth1 token and secret form preference store.
+  void RemoveOAuth1Tokens(Profile* user_profile);
 
   // Initializes RLZ. If |disabled| is true, RLZ pings are disabled.
   void InitRlz(Profile* user_profile, bool disabled);
 
+  // Initializes and starts TokenSerivice credentials with OAuth2 tokens.
+  void PrepareTokenServiceWithOAuth2(
+      Profile* profile,
+      const GaiaAuthConsumer::ClientLoginResult& credentials,
+      const GaiaAuthConsumer::ClientOAuthResult& oauth2_tokens);
+
+  // Initializes and starts TokenSerivice credentials with GAIA credentials.
+  void PrepareTokenService(
+      Profile* profile,
+      const GaiaAuthConsumer::ClientLoginResult& credentials);
+
+  // Starts signing related services. Initiates TokenService token retreival.
+  void StartSignedInServices(Profile* profile);
+
   std::string password_;
   bool pending_requests_;
   bool using_oauth_;
+  bool force_oauth2_;
   // True if the authenrication profile's cookie jar should contain
   // authentication cookies from the authentication extension log in flow.
   bool has_web_auth_cookies_;
   // Has to be scoped_refptr, see comment for CreateAuthenticator(...).
   scoped_refptr<Authenticator> authenticator_;
   scoped_ptr<PolicyOAuthFetcher> policy_oauth_fetcher_;
   scoped_ptr<OAuth1TokenFetcher> oauth1_token_fetcher_;
-  scoped_ptr<OAuthLoginVerifier> oauth_login_verifier_;
+  scoped_ptr<OAuth1LoginVerifier> oauth1_login_verifier_;
+
+  scoped_ptr<LoginManager> login_manager_;
+  scoped_ptr<OAuth2TokenFetcher> oauth2_token_fetcher_;
 
   // Delegate to be fired when the profile will be prepared.
   LoginUtils::Delegate* delegate_;
 
   // Used to restart Chrome to switch to the guest mode.
   JobRestartRequest* job_restart_request_;
 
   // True if should restore authentication session when notified about
   // online state change.
   bool should_restore_auth_session_;
@@ skipping 146 matching lines @@
         new PolicyOAuthFetcher(authenticator_->authentication_profile()));
     policy_oauth_fetcher_->Start();
   }
 }
 
 void LoginUtilsImpl::DelegateDeleted(LoginUtils::Delegate* delegate) {
   if (delegate_ == delegate)
     delegate_ = NULL;
 }
 
+bool LoginUtilsImpl::IsOAuth2RefreshTokenValid(
+    Profile* user_profile,
+    const std::string& oauth2_refresh_token) {
+  // Do we have a token?
+  if (oauth2_refresh_token.empty())
+    return false;
+
+  // Did previous token-to-cookie exchange fail?
+  if (UserManager::Get()->IsUserLoggedIn() &&
+      UserManager::Get()->GetLoggedInUser()->oauth_token_status() !=
+          User::OAUTH2_TOKEN_STATUS_VALID) {
+    return false;
+  }
+
+  return true;
+}
+
 void LoginUtilsImpl::InitProfilePreferences(Profile* user_profile) {
+  if (force_oauth2_) {
+  }

[xiyuan, 2013/01/07 23:07:55]

nuke it?

[zel, 2013/01/08 02:05:41]

Done.

+
   if (UserManager::Get()->IsCurrentUserNew())
     SetFirstLoginPrefs(user_profile->GetPrefs());
   // Make sure that the google service username is properly set (we do this
   // on every sign in, not just the first login, to deal with existing
   // profiles that might not have it set yet).
   StringPrefMember google_services_username;
   google_services_username.Init(prefs::kGoogleServicesUsername,
                                 user_profile->GetPrefs());
   google_services_username.SetValue(
       UserManager::Get()->GetLoggedInUser()->display_email());
   // Make sure we flip every profile to not share proxies if the user hasn't
   // specified so explicitly.
   const PrefService::Preference* use_shared_proxies_pref =
       user_profile->GetPrefs()->FindPreference(prefs::kUseSharedProxies);
   if (use_shared_proxies_pref->IsDefaultValue())
     user_profile->GetPrefs()->SetBoolean(prefs::kUseSharedProxies, false);
   policy::NetworkConfigurationUpdater* network_configuration_updater =
       g_browser_process->browser_policy_connector()->
       GetNetworkConfigurationUpdater();
   if (network_configuration_updater)
     network_configuration_updater->OnUserPolicyInitialized();
   RespectLocalePreference(user_profile);
 }
 
 void LoginUtilsImpl::OnProfileCreated(
     Profile* user_profile,
     Profile::CreateStatus status) {
   CHECK(user_profile);
-
   if (delegate_)
     delegate_->OnProfileCreated(user_profile);
 
   switch (status) {
     case Profile::CREATE_STATUS_INITIALIZED:
       break;
     case Profile::CREATE_STATUS_CREATED: {
       InitProfilePreferences(user_profile);
       return;
     }
     case Profile::CREATE_STATUS_FAIL:
     default:
       NOTREACHED();
       return;
   }
 
   BootTimesLoader* btl = BootTimesLoader::Get();
   btl->AddLoginTimeMarker("UserProfileGotten", false);
 
   if (using_oauth_) {
-    // Reuse the access token fetched by the PolicyOAuthFetcher, if it was
-    // used to fetch policies before Profile creation.
-    if (policy_oauth_fetcher_.get() &&
-        !policy_oauth_fetcher_->oauth1_token().empty()) {
-      VLOG(1) << "Resuming profile creation after fetching policy token";
-      StoreOAuth1AccessToken(user_profile,
-                             policy_oauth_fetcher_->oauth1_token(),
-                             policy_oauth_fetcher_->oauth1_secret());
+    if (!force_oauth2_) {
+      // Reuse the access token fetched by the PolicyOAuthFetcher, if it was
+      // used to fetch policies before Profile creation.
+      if (policy_oauth_fetcher_.get() &&
+          !policy_oauth_fetcher_->oauth1_token().empty()) {
+        VLOG(1) << "Resuming profile creation after fetching policy token";
+        StoreOAuth1AccessToken(user_profile,
+                               policy_oauth_fetcher_->oauth1_token(),
+                               policy_oauth_fetcher_->oauth1_secret());
+      }
+    } else {
+      // TODO(mnissler): Figure out what to do here in OAuth2 case.
     }
 
     // Transfer proxy authentication cache, cookies (optionally) and server
     // bound certs from the profile that was used for authentication.  This
     // profile contains cookies that auth extension should have already put in
     // place that will ensure that the newly created session is authenticated
     // for the websites that work with the used authentication schema.
     ProfileAuthData::Transfer(authenticator_->authentication_profile(),
                               user_profile,
                               has_web_auth_cookies_,  // transfer_cookies
                               base::Bind(
                                   &LoginUtilsImpl::CompleteProfileCreate,
                                   AsWeakPtr(),
                                   user_profile));
     return;
   }
 
   FinalizePrepareProfile(user_profile);
 }
 
-void LoginUtilsImpl::RestoreAuthCookies(Profile* user_profile) {
+void LoginUtilsImpl::CompleteProfileCreate(Profile* user_profile) {
+  if (force_oauth2_)
+    RestoreCookiesFromTokenService(user_profile);
+  else
+    RestoreCookiesFromOAuth1Token(user_profile);
+
+  FinalizePrepareProfile(user_profile);
+}
+
+void LoginUtilsImpl::RestoreCookiesFromOAuth1Token(Profile* user_profile) {
   std::string oauth1_token;
   std::string oauth1_secret;
   if (ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret) ||
       !has_web_auth_cookies_) {
     // Verify OAuth access token when we find it in the profile and always if
     // if we don't have cookies.
     // TODO(xiyuan): Change back to use authenticator to verify token when
     // we support Gaia in lock screen.
     VerifyOAuth1AccessToken(user_profile, oauth1_token, oauth1_secret);
   } else {
     // If we don't have it, fetch OAuth1 access token.
     // Once we get that, we will kick off individual requests for OAuth2
     // tokens for all our services.
     // Use off-the-record profile that was used for this step. It should
     // already contain all needed cookies that will let us skip GAIA's user
     // authentication UI.
     //
     // TODO(rickcam) We should use an isolated App here.
     oauth1_token_fetcher_.reset(
         new OAuth1TokenFetcher(this,
                                authenticator_->authentication_profile()));
     oauth1_token_fetcher_->Start();
   }
 }
 
-void LoginUtilsImpl::CompleteProfileCreate(Profile* user_profile) {
-  RestoreAuthCookies(user_profile);
-  FinalizePrepareProfile(user_profile);
+void LoginUtilsImpl::RemoveOAuth1Tokens(Profile* user_profile) {
+  PrefServiceSyncable* prefs = user_profile->GetPrefs();
+  prefs->RegisterStringPref(prefs::kOAuth1Token,
+                            "",
+                            PrefServiceSyncable::UNSYNCABLE_PREF);
+  prefs->RegisterStringPref(prefs::kOAuth1Secret,
+                            "",
+                            PrefServiceSyncable::UNSYNCABLE_PREF);
+  prefs->ClearPref(prefs::kOAuth1Token);
+  prefs->ClearPref(prefs::kOAuth1Secret);
+  prefs->UnregisterPreference(prefs::kOAuth1Token);
+  prefs->UnregisterPreference(prefs::kOAuth1Secret);
+}
+
+void LoginUtilsImpl::RestoreCookiesFromTokenService(Profile* user_profile) {
+  // Remove legacy OAuth1 token if we have one. If it's valid, we should already
+  // have OAuth2 refresh token in TokenService that could be used to retreive
+  // all other tokens and credentials.
+  RemoveOAuth1Tokens(user_profile);
+
+  if (has_web_auth_cookies_) {
+    // If we have authenticated cookie jar, get OAuth1 token first, then fetch
+    // SID/LSID cookies through OAuthLogin call.
+    oauth2_token_fetcher_.reset(
+        new OAuth2TokenFetcher(this,
+                               authenticator_->authentication_profile()));
+    oauth2_token_fetcher_->Start();
+    return;
+  }
+
+  // If we have no cookies, try to load saved OAuth2 token from TokenService.
+  TokenService* token_service =
+      TokenServiceFactory::GetForProfile(user_profile);
+  token_service->Initialize(GaiaConstants::kChromeSource, user_profile);
+
+  login_manager_.reset(new LoginManager(this, user_profile));
+  token_service->LoadTokensFromDB();
 }
 
 void LoginUtilsImpl::FinalizePrepareProfile(Profile* user_profile) {
   BootTimesLoader* btl = BootTimesLoader::Get();
   // Own TPM device if, for any reason, it has not been done in EULA
   // wizard screen.
   CryptohomeLibrary* cryptohome = CrosLibrary::Get()->GetCryptohomeLibrary();
   btl->AddLoginTimeMarker("TPMOwn-Start", false);
   if (cryptohome->TpmIsEnabled() && !cryptohome->TpmIsBeingOwned()) {
     if (cryptohome->TpmIsOwned()) {
@@ skipping 69 matching lines @@
 void LoginUtilsImpl::StartTokenServices(Profile* user_profile) {
   std::string oauth1_token;
   std::string oauth1_secret;
   if (!ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret))
     return;
 
   FetchSecondaryTokens(user_profile->GetOffTheRecordProfile(),
                        oauth1_token, oauth1_secret);
 }
 
-void LoginUtilsImpl::StartSignedInServices(
+void LoginUtilsImpl::PrepareTokenService(
     Profile* user_profile,
     const GaiaAuthConsumer::ClientLoginResult& credentials) {
+  TokenService* token_service =
+      TokenServiceFactory::GetForProfile(user_profile);
+  token_service->UpdateCredentials(credentials);
+  StartSignedInServices(user_profile);
+}
+
+void LoginUtilsImpl::PrepareTokenServiceWithOAuth2(
+    Profile* user_profile,
+    const GaiaAuthConsumer::ClientLoginResult& credentials,
+    const GaiaAuthConsumer::ClientOAuthResult& oauth2_tokens) {
+  login_manager_.reset(new LoginManager(this, user_profile));
+  TokenService* token_service =
+      TokenServiceFactory::GetForProfile(user_profile);
+  token_service->UpdateCredentialsWithOAuth2(oauth2_tokens);
+  token_service->UpdateCredentials(credentials);
+  StartSignedInServices(user_profile);
+}
+
+void LoginUtilsImpl::StartSignedInServices(Profile* user_profile) {
   // Fetch/Create the SigninManager - this will cause the TokenService to load
   // tokens for the currently signed-in user if the SigninManager hasn't already
   // been initialized.
   SigninManager* signin = SigninManagerFactory::GetForProfile(user_profile);
   DCHECK(signin);
   // Make sure SigninManager is connected to our current user (this should
   // happen automatically because we set kGoogleServicesUsername in
   // OnProfileCreated()).
   DCHECK_EQ(UserManager::Get()->GetLoggedInUser()->display_email(),
             signin->GetAuthenticatedUsername());
@@ skipping 13 matching lines @@
           password_);
       content::NotificationService::current()->Notify(
           chrome::NOTIFICATION_GOOGLE_SIGNIN_SUCCESSFUL,
           content::Source<Profile>(user_profile),
           content::Details<const GoogleServiceSigninSuccessDetails>(&details));
     }
   }
   password_.clear();
   TokenService* token_service =
       TokenServiceFactory::GetForProfile(user_profile);
-  token_service->UpdateCredentials(credentials);
   if (token_service->AreCredentialsValid())
     token_service->StartFetchingTokens();
 }
 
 void LoginUtilsImpl::RespectLocalePreference(Profile* profile) {
   DCHECK(profile != NULL);
   PrefService* prefs = profile->GetPrefs();
   DCHECK(prefs != NULL);
   if (g_browser_process == NULL)
     return;
@@ skipping 302 matching lines @@
 void LoginUtilsImpl::KickStartAuthentication(Profile* user_profile) {
   std::string oauth1_token;
   std::string oauth1_secret;
   if (ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret))
     VerifyOAuth1AccessToken(user_profile, oauth1_token, oauth1_secret);
 }
 
 void LoginUtilsImpl::StopBackgroundFetchers() {
   policy_oauth_fetcher_.reset();
   oauth1_token_fetcher_.reset();
-  oauth_login_verifier_.reset();
+  oauth1_login_verifier_.reset();
 }
 
 void LoginUtilsImpl::FetchSecondaryTokens(Profile* offrecord_profile,
                                           const std::string& token,
                                           const std::string& secret) {
   FetchPolicyToken(offrecord_profile, token, secret);
   // TODO(rickcam, zelidrag): Wire TokenService there when it becomes
   // capable of handling OAuth1 tokens directly.
 }
 
 bool LoginUtilsImpl::ReadOAuth1AccessToken(Profile* user_profile,
                                            std::string* token,
                                            std::string* secret) {
   // Skip reading oauth token if user does not have a valid status.
   if (UserManager::Get()->IsUserLoggedIn() &&
       UserManager::Get()->GetLoggedInUser()->oauth_token_status() !=
-      User::OAUTH_TOKEN_STATUS_VALID) {
+          User::OAUTH1_TOKEN_STATUS_VALID) {
     return false;
   }
 
   PrefService* pref_service = user_profile->GetPrefs();
   std::string encoded_token = pref_service->GetString(prefs::kOAuth1Token);
   std::string encoded_secret = pref_service->GetString(prefs::kOAuth1Secret);
   if (!encoded_token.length() || !encoded_secret.length())
     return false;
 
+#ifdef NDEBUG
   std::string decoded_token =
       CrosLibrary::Get()->GetCertLibrary()->DecryptToken(encoded_token);
   std::string decoded_secret =
       CrosLibrary::Get()->GetCertLibrary()->DecryptToken(encoded_secret);
+#else
+  std::string decoded_token = encoded_token;
+  std::string decoded_secret = encoded_secret;

[xiyuan, 2013/01/07 23:07:55]

We probably should do this in CertLibrary::Decrypt/EncryptToken. Let's put a
TODO here.

[zel, 2013/01/08 02:05:41]

Done.

+#endif
+
   if (!decoded_token.length() || !decoded_secret.length())
     return false;
 
   *token = decoded_token;
   *secret = decoded_secret;
   return true;
 }
 
 void LoginUtilsImpl::StoreOAuth1AccessToken(Profile* user_profile,
                                             const std::string& token,
                                             const std::string& secret) {
   // First store OAuth1 token + service for the current user profile...
+#ifdef NDEBUG
   std::string encrypted_token =
       CrosLibrary::Get()->GetCertLibrary()->EncryptToken(token);
   std::string encrypted_secret =
       CrosLibrary::Get()->GetCertLibrary()->EncryptToken(secret);
+#else
+  std::string encrypted_token = token;
+  std::string encrypted_secret = secret;
+#endif
+
   PrefService* pref_service = user_profile->GetPrefs();
   User* user = UserManager::Get()->GetLoggedInUser();
   if (!encrypted_token.empty() && !encrypted_secret.empty()) {
     pref_service->SetString(prefs::kOAuth1Token, encrypted_token);
     pref_service->SetString(prefs::kOAuth1Secret, encrypted_secret);
 
     // ...then record the presence of valid OAuth token for this account in
     // local state as well.
     UserManager::Get()->SaveUserOAuthStatus(
-        user->email(), User::OAUTH_TOKEN_STATUS_VALID);
+        user->email(), User::OAUTH1_TOKEN_STATUS_VALID);
   } else {
     LOG(WARNING) << "Failed to get OAuth1 token/secret encrypted.";
     // Set the OAuth status invalid so that the user will go through full
     // GAIA login next time.
     UserManager::Get()->SaveUserOAuthStatus(
-        user->email(), User::OAUTH_TOKEN_STATUS_INVALID);
+        user->email(), User::OAUTH1_TOKEN_STATUS_INVALID);
   }
 }
 
 void LoginUtilsImpl::VerifyOAuth1AccessToken(Profile* user_profile,
                                              const std::string& token,
                                              const std::string& secret) {
   // Kick off verification of OAuth1 access token (via OAuthLogin), this should
   // let us fetch credentials that will be used to initialize sync engine.
-  FetchCredentials(user_profile, token, secret);
+  FetchCredentialsWithOAuth1(user_profile, token, secret);
 
   FetchSecondaryTokens(user_profile->GetOffTheRecordProfile(), token, secret);
 }
 
-void LoginUtilsImpl::FetchCredentials(Profile* user_profile,
-                                      const std::string& token,
-                                      const std::string& secret) {
-  oauth_login_verifier_.reset(new OAuthLoginVerifier(
+void LoginUtilsImpl::FetchCredentialsWithOAuth1(Profile* user_profile,
+                                                const std::string& token,
+                                                const std::string& secret) {
+  oauth1_login_verifier_.reset(new OAuth1LoginVerifier(
       this, user_profile, token, secret,
       UserManager::Get()->GetLoggedInUser()->email()));
-  oauth_login_verifier_->StartOAuthVerification();
+  oauth1_login_verifier_->StartOAuthVerification();
 }
 
 
 void LoginUtilsImpl::FetchPolicyToken(Profile* offrecord_profile,
                                       const std::string& token,
                                       const std::string& secret) {
   // Fetch dm service token now, if it hasn't been fetched yet.
   if (!policy_oauth_fetcher_.get() || policy_oauth_fetcher_->failed()) {
     // Get the default system profile to use with the policy fetching. If there
     // is no |authenticator_| profile, manually load default system profile.
@@ skipping 21 matching lines @@
   // here as well. This could be handled with TokenService class once it is
   // ready to handle OAuth tokens.
 
   // We don't need authenticator instance any more, reset it so that
   // ScreenLocker would create a separate instance.
   // TODO(nkostylev): There's a potential race if SL would be created before
   // OAuth tokens are fetched. It would use incorrect Authenticator instance.
   authenticator_ = NULL;
 }
 
-void LoginUtilsImpl::OnOAuthVerificationFailed(const std::string& user_name) {
+void LoginUtilsImpl::OnOAuth1VerificationFailed(const std::string& user_name) {
   UserManager::Get()->SaveUserOAuthStatus(user_name,
-                                          User::OAUTH_TOKEN_STATUS_INVALID);
+                                          User::OAUTH1_TOKEN_STATUS_INVALID);
 }
 
 void LoginUtilsImpl::OnOAuth1AccessTokenAvailable(const std::string& token,
                                                   const std::string& secret) {
   Profile* user_profile = ProfileManager::GetDefaultProfile();
   StoreOAuth1AccessToken(user_profile, token, secret);
 
   // Verify OAuth1 token by doing OAuthLogin and fetching credentials. If we
   // have just transfered auth cookies out of authenticated cookie jar, there
   // is no need to try to mint them from OAuth token again.
   VerifyOAuth1AccessToken(user_profile, token, secret);
 }
 
 void LoginUtilsImpl::OnOAuth1AccessTokenFetchFailed() {
   // TODO(kochi): Show failure notification UI here?
   LOG(ERROR) << "Failed to fetch OAuth1 access token.";
   g_browser_process->browser_policy_connector()->RegisterForUserPolicy(
       EmptyString());
 }
 
-void LoginUtilsImpl::OnOAuthVerificationSucceeded(
+void LoginUtilsImpl::OnOAuth1VerificationSucceeded(
     const std::string& user_name, const std::string& sid,
     const std::string& lsid, const std::string& auth) {
   // Kick off sync engine.
   GaiaAuthConsumer::ClientLoginResult credentials(sid, lsid, auth,
                                                   std::string());
-  StartSignedInServices(ProfileManager::GetDefaultProfile(), credentials);
+  PrepareTokenService(ProfileManager::GetDefaultProfile(), credentials);
 }
 
+void LoginUtilsImpl::OnOAuth2TokenAvailable(
+    const GaiaAuthConsumer::ClientLoginResult& gaia_credentials,
+    const GaiaAuthConsumer::ClientOAuthResult& oauth2_tokens) {
+  PrepareTokenServiceWithOAuth2(ProfileManager::GetDefaultProfile(),
+                                gaia_credentials, oauth2_tokens);
+}
+
+void LoginUtilsImpl::OnOAuth2TokenFetchFailed() {
+  UserManager::Get()->SaveUserOAuthStatus(
+      UserManager::Get()->GetLoggedInUser()->email(),
+      User::OAUTH2_TOKEN_STATUS_INVALID);
+}
+
+void LoginUtilsImpl::OnOAuth2RefreshTokenLoaded(
+    Profile* profile, const std::string& oauth2_refresh_token) {
+  // Loaded all tokens but no OAuth2 refresh token found?
+  if (oauth2_refresh_token.empty()) {
+    UserManager::Get()->SaveUserOAuthStatus(
+        UserManager::Get()->GetLoggedInUser()->email(),
+        User::OAUTH2_TOKEN_STATUS_INVALID);
+  }
+}
+
+void LoginUtilsImpl::OnOAuth2RefreshTokenFetchFailed(
+    Profile* profile, const std::string& service) {
+  // Failed to fetch new refresh token through TokenService.
+  UserManager::Get()->SaveUserOAuthStatus(
+      UserManager::Get()->GetLoggedInUser()->email(),
+      User::OAUTH2_TOKEN_STATUS_INVALID);
+}
+
+void LoginUtilsImpl::OnCookiesRestoreSuccess(Profile* profile) {
+  // GAIA auth cookies successfully restored for the current session.
+  UserManager::Get()->SaveUserOAuthStatus(
+      UserManager::Get()->GetLoggedInUser()->email(),
+      User::OAUTH2_TOKEN_STATUS_VALID);
+}
+
+void LoginUtilsImpl::OnCookiesRestoreFailure(Profile* profile) {
+  UserManager::Get()->SaveUserOAuthStatus(
+      UserManager::Get()->GetLoggedInUser()->email(),
+      User::OAUTH2_TOKEN_STATUS_INVALID);
+}
 
 void LoginUtilsImpl::OnConnectionTypeChanged(
     net::NetworkChangeNotifier::ConnectionType type) {
   if (type != net::NetworkChangeNotifier::CONNECTION_NONE &&
       UserManager::Get()->IsUserLoggedIn()) {
-    if (oauth_login_verifier_.get() &&
-        !oauth_login_verifier_->is_done()) {
+    if (oauth1_login_verifier_.get() &&
+        !oauth1_login_verifier_->is_done()) {
       // If we come online for the first time after successful offline login,
       // we need to kick off OAuth token verification process again.
-      oauth_login_verifier_->ContinueVerification();
+      oauth1_login_verifier_->ContinueVerification();
     } else if (should_restore_auth_session_) {
       should_restore_auth_session_ = false;
       Profile* user_profile = ProfileManager::GetDefaultProfile();
       KickStartAuthentication(user_profile);
     }
   }
 }
 
 void LoginUtilsImpl::Observe(int type,
                              const content::NotificationSource& source,
@@ skipping 27 matching lines @@
 bool LoginUtils::IsWhitelisted(const std::string& username) {
   CrosSettings* cros_settings = CrosSettings::Get();
   bool allow_new_user = false;
   cros_settings->GetBoolean(kAccountsPrefAllowNewUser, &allow_new_user);
   if (allow_new_user)
     return true;
   return cros_settings->FindEmailInList(kAccountsPrefUsers, username);
 }
 
 }  // namespace chromeos