OAuth2 sign-in flow for ChromeOS

chrome/browser/chromeos/login/login_utils.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/login_utils.h"
 
 #include <algorithm>
 #include <vector>
 
 #include "ash/ash_switches.h"
@@ skipping 12 matching lines @@
 #include "base/stringprintf.h"
 #include "base/synchronization/lock.h"
 #include "base/task_runner_util.h"
 #include "base/threading/worker_pool.h"
 #include "base/time.h"
 #include "base/utf_string_conversions.h"
 #include "cc/switches.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_shutdown.h"
 #include "chrome/browser/chromeos/boot_times_loader.h"
-#include "chrome/browser/chromeos/cros/cert_library.h"
 #include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/cryptohome_library.h"
 #include "chrome/browser/chromeos/cros/network_library.h"
 #include "chrome/browser/chromeos/input_method/input_method_configuration.h"
 #include "chrome/browser/chromeos/input_method/input_method_manager.h"
 #include "chrome/browser/chromeos/input_method/input_method_util.h"
 #include "chrome/browser/chromeos/login/language_switch_menu.h"
 #include "chrome/browser/chromeos/login/login_display_host.h"
-#include "chrome/browser/chromeos/login/oauth1_token_fetcher.h"
-#include "chrome/browser/chromeos/login/oauth_login_verifier.h"
+#include "chrome/browser/chromeos/login/oauth_login_manager.h"
 #include "chrome/browser/chromeos/login/parallel_authenticator.h"
-#include "chrome/browser/chromeos/login/policy_oauth_fetcher.h"
 #include "chrome/browser/chromeos/login/profile_auth_data.h"
 #include "chrome/browser/chromeos/login/screen_locker.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/browser/chromeos/settings/cros_settings_names.h"
 #include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/first_run/first_run.h"
 #include "chrome/browser/google/google_util_chromeos.h"
 #include "chrome/browser/net/chrome_url_request_context.h"
 #include "chrome/browser/net/preconnect.h"
@@ skipping 19 matching lines @@
 #include "chrome/common/pref_names.h"
 #include "chrome/common/url_constants.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/session_manager_client.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_observer.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/common/content_switches.h"
 #include "google_apis/gaia/gaia_auth_consumer.h"
+#include "google_apis/gaia/gaia_constants.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "googleurl/src/gurl.h"
 #include "media/base/media_switches.h"
 #include "net/base/network_change_notifier.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "ui/base/ui_base_switches.h"
 #include "ui/compositor/compositor_switches.h"
 #include "ui/gfx/switches.h"
 #include "ui/gl/gl_switches.h"
@@ skipping 77 matching lines @@
   }
 
   int pid_;
   std::string command_line_;
   PrefService* local_state_;
   base::OneShotTimer<JobRestartRequest> timer_;
 };
 
 class LoginUtilsImpl
     : public LoginUtils,
-      public OAuth1TokenFetcher::Delegate,
-      public OAuthLoginVerifier::Delegate,
+      public OAuthLoginManager::Delegate,
       public net::NetworkChangeNotifier::ConnectionTypeObserver,
       public content::NotificationObserver,
       public base::SupportsWeakPtr<LoginUtilsImpl> {
  public:
   LoginUtilsImpl()
-      : pending_requests_(false),
-        using_oauth_(false),
+      : using_oauth_(false),
+        force_oauth2_(CommandLine::ForCurrentProcess()->HasSwitch(
+            ::switches::kForceOAuth2)),
         has_web_auth_cookies_(false),
+        login_manager_(OAuthLoginManager::Create(this)),
         delegate_(NULL),
         job_restart_request_(NULL),
         should_restore_auth_session_(false),
         url_request_context_getter_(NULL) {
     net::NetworkChangeNotifier::AddConnectionTypeObserver(this);
     // During tests, the browser_process may not be initialized yet causing
     // this to fail.
     if (g_browser_process) {
       registrar_.Add(
           this,
           chrome::NOTIFICATION_PROFILE_URL_REQUEST_CONTEXT_GETTER_INITIALIZED,
           content::Source<Profile>(ProfileManager::GetDefaultProfile()));
     }
   }
 
   virtual ~LoginUtilsImpl() {
     net::NetworkChangeNotifier::RemoveConnectionTypeObserver(this);
   }
 
   // LoginUtils implementation:
   virtual void DoBrowserLaunch(Profile* profile,
                                LoginDisplayHost* login_host) OVERRIDE;
   virtual void PrepareProfile(
       const std::string& username,
       const std::string& display_email,
       const std::string& password,
-      bool pending_requests,
       bool using_oauth,
       bool has_cookies,
       LoginUtils::Delegate* delegate) OVERRIDE;
   virtual void DelegateDeleted(LoginUtils::Delegate* delegate) OVERRIDE;
   virtual void CompleteOffTheRecordLogin(const GURL& start_url) OVERRIDE;
   virtual void SetFirstLoginPrefs(PrefService* prefs) OVERRIDE;
   virtual scoped_refptr<Authenticator> CreateAuthenticator(
       LoginStatusConsumer* consumer) OVERRIDE;
   virtual void PrewarmAuthentication() OVERRIDE;
   virtual void RestoreAuthenticationSession(Profile* profile) OVERRIDE;
   virtual void StartTokenServices(Profile* user_profile) OVERRIDE;
-  virtual void StartSignedInServices(
-      Profile* profile,
-      const GaiaAuthConsumer::ClientLoginResult& credentials) OVERRIDE;
   virtual void StopBackgroundFetchers() OVERRIDE;
   virtual void InitRlzDelayed(Profile* user_profile) OVERRIDE;
   virtual void CompleteProfileCreate(Profile* user_profile) OVERRIDE;
 
-  // OAuth1TokenFetcher::Delegate overrides.
-  void OnOAuth1AccessTokenAvailable(const std::string& token,
-                                    const std::string& secret) OVERRIDE;
-  void OnOAuth1AccessTokenFetchFailed() OVERRIDE;
-
-  // OAuthLoginVerifier::Delegate overrides.
-  virtual void OnOAuthVerificationSucceeded(const std::string& user_name,
-                                            const std::string& sid,
-                                            const std::string& lsid,
-                                            const std::string& auth) OVERRIDE;
-  virtual void OnOAuthVerificationFailed(const std::string& user_name) OVERRIDE;
+  // OAuthLoginManager::Delegate overrides.
+  virtual void OnCompletedAuthentication(Profile* user_profile) OVERRIDE;
+  virtual void OnFoundStoredTokens() OVERRIDE;
 
   // net::NetworkChangeNotifier::ConnectionTypeObserver overrides.
   virtual void OnConnectionTypeChanged(
       net::NetworkChangeNotifier::ConnectionType type) OVERRIDE;
 
   // content::NotificationObserver overrides.
   virtual void Observe(int type,
                        const content::NotificationSource& source,
                        const content::NotificationDetails& details) OVERRIDE;
 
  protected:
   virtual std::string GetOffTheRecordCommandLine(
       const GURL& start_url,
       const CommandLine& base_command_line,
       CommandLine *command_line);
 
  private:
   // Restarts OAuth session authentication check.
   void KickStartAuthentication(Profile* profile);
 
-  // Reads OAuth1 token from user profile's prefs.
-  bool ReadOAuth1AccessToken(Profile* user_profile,
-                             std::string* token,
-                             std::string* secret);
-
-  // Stores OAuth1 token + secret in profile's prefs.
-  void StoreOAuth1AccessToken(Profile* user_profile,
-                              const std::string& token,
-                              const std::string& secret);
-
-  // Verifies OAuth1 token by doing OAuthLogin and fetching credentials.
-  void VerifyOAuth1AccessToken(Profile* user_profile,
-                               const std::string& token,
-                               const std::string& secret);
-
-  // Fetch all secondary (OAuth2) tokens given OAuth1 access |token| and
-  // |secret|.
-  void FetchSecondaryTokens(Profile* offrecord_profile,
-                            const std::string& token,
-                            const std::string& secret);
-
-  // Fetch user credentials (sid/lsid) given OAuth1 access |token| and |secret|.
-  void FetchCredentials(Profile* user_profile,
-                        const std::string& token,
-                        const std::string& secret);
-
-  // Fetch enterprise policy OAuth2 given OAuth1 access |token| and |secret|.
-  void FetchPolicyToken(Profile* offrecord_profile,
-                        const std::string& token,
-                        const std::string& secret);
-
   // Check user's profile for kApplicationLocale setting.
   void RespectLocalePreference(Profile* pref);
 
   // Initializes basic preferences for newly created profile.
   void InitProfilePreferences(Profile* user_profile);
 
   // Callback for asynchronous profile creation.
   void OnProfileCreated(Profile* profile,
                         Profile::CreateStatus status);
 
   // Finalized profile preparation.
   void FinalizePrepareProfile(Profile* user_profile);
 
-  // Restores GAIA auth cookies for the created profile.
-  void RestoreAuthCookies(Profile* user_profile);
+  // Restores GAIA auth cookies for the created user profile from OAuth2 token.
+  void RestoreAuthSession(Profile* user_profile,
+                          bool restore_from_auth_cookies);
+
+  // Removes deprecated OAuth1 token and secret form preference store.

[Joao da Silva, 2013/01/11 20:13:15]

*from

[zel, 2013/01/11 20:54:20]

That method is nuked actually.

+  void RemoveOAuth1Tokens(Profile* user_profile);
 
   // Initializes RLZ. If |disabled| is true, RLZ pings are disabled.
   void InitRlz(Profile* user_profile, bool disabled);
 
+  // Starts signing related services. Initiates TokenService token retrieval.
+  void StartSignedInServices(Profile* profile);
+
   std::string password_;
-  bool pending_requests_;
   bool using_oauth_;
+  bool force_oauth2_;
   // True if the authenrication profile's cookie jar should contain
   // authentication cookies from the authentication extension log in flow.
   bool has_web_auth_cookies_;
   // Has to be scoped_refptr, see comment for CreateAuthenticator(...).
   scoped_refptr<Authenticator> authenticator_;
-  scoped_ptr<PolicyOAuthFetcher> policy_oauth_fetcher_;
-  scoped_ptr<OAuth1TokenFetcher> oauth1_token_fetcher_;
-  scoped_ptr<OAuthLoginVerifier> oauth_login_verifier_;
+  scoped_ptr<OAuthLoginManager> login_manager_;
 
   // Delegate to be fired when the profile will be prepared.
   LoginUtils::Delegate* delegate_;
 
   // Used to restart Chrome to switch to the guest mode.
   JobRestartRequest* job_restart_request_;
 
   // True if should restore authentication session when notified about
   // online state change.
   bool should_restore_auth_session_;
@@ skipping 64 matching lines @@
   // browser before it is dereferenced by the login host.
   if (login_host)
     login_host->OnSessionStart();
   UserManager::Get()->SessionStarted();
 }
 
 void LoginUtilsImpl::PrepareProfile(
     const std::string& username,
     const std::string& display_email,
     const std::string& password,
-    bool pending_requests,
     bool using_oauth,
     bool has_cookies,
     LoginUtils::Delegate* delegate) {
   BootTimesLoader* btl = BootTimesLoader::Get();
 
   VLOG(1) << "Completing login for " << username;
 
   btl->AddLoginTimeMarker("StartSession-Start", false);
   DBusThreadManager::Get()->GetSessionManagerClient()->StartSession(
       username);
   btl->AddLoginTimeMarker("StartSession-End", false);
 
   btl->AddLoginTimeMarker("UserLoggedIn-Start", false);
   UserManager* user_manager = UserManager::Get();
   user_manager->UserLoggedIn(username, false);
   btl->AddLoginTimeMarker("UserLoggedIn-End", false);
 
   // Switch log file as soon as possible.
   if (base::chromeos::IsRunningOnChromeOS())
     logging::RedirectChromeLogging(*(CommandLine::ForCurrentProcess()));
 
   // Update user's displayed email.
   if (!display_email.empty())
     user_manager->SaveUserDisplayEmail(username, display_email);
 
   password_ = password;
 
-  pending_requests_ = pending_requests;
   using_oauth_ = using_oauth;
   has_web_auth_cookies_ = has_cookies;
   delegate_ = delegate;
 
   policy::BrowserPolicyConnector* connector =
       g_browser_process->browser_policy_connector();
 
   // If this is an enterprise device and the user belongs to the enterprise
   // domain, then wait for a policy fetch before logging the user in. This
   // will delay Profile creation until the policy is fetched, so that features
@@ skipping 22 matching lines @@
     // requires the DeviceManagement token. Try to fetch it now.
     // TODO(atwilson): This is somewhat racy, as we are trying to fetch a
     // DMToken in parallel with loading the cached policy blob (there could
     // already be a DMToken in the cached policy). Once the legacy policy
     // framework is removed, this code can register a
     // CloudPolicyService::Observer to check whether the CloudPolicyClient was
     // able to register itself using the cached policy data, and then only
     // create a PolicyOAuthFetcher if the client is still unregistered
     // (http://crbug.com/143187).
     VLOG(1) << "Profile creation requires policy token, fetching now";
-    policy_oauth_fetcher_.reset(
-        new PolicyOAuthFetcher(authenticator_->authentication_profile()));
-    policy_oauth_fetcher_->Start();
+    login_manager_->RestorePolicyTokens(
+        authenticator_->authentication_profile()->GetRequestContext());
   }
 }
 
 void LoginUtilsImpl::DelegateDeleted(LoginUtils::Delegate* delegate) {
   if (delegate_ == delegate)
     delegate_ = NULL;
 }
 
 void LoginUtilsImpl::InitProfilePreferences(Profile* user_profile) {
   if (UserManager::Get()->IsCurrentUserNew())
@@ skipping 17 matching lines @@
       GetNetworkConfigurationUpdater();
   if (network_configuration_updater)
     network_configuration_updater->OnUserPolicyInitialized();
   RespectLocalePreference(user_profile);
 }
 
 void LoginUtilsImpl::OnProfileCreated(
     Profile* user_profile,
     Profile::CreateStatus status) {
   CHECK(user_profile);
-
   if (delegate_)
     delegate_->OnProfileCreated(user_profile);
 
   switch (status) {
     case Profile::CREATE_STATUS_INITIALIZED:
       break;
     case Profile::CREATE_STATUS_CREATED: {
       InitProfilePreferences(user_profile);
       return;
     }
     case Profile::CREATE_STATUS_FAIL:
     default:
       NOTREACHED();
       return;
   }
 
   BootTimesLoader* btl = BootTimesLoader::Get();
   btl->AddLoginTimeMarker("UserProfileGotten", false);
 
   if (using_oauth_) {
-    // Reuse the access token fetched by the PolicyOAuthFetcher, if it was
-    // used to fetch policies before Profile creation.
-    if (policy_oauth_fetcher_.get() &&
-        !policy_oauth_fetcher_->oauth1_token().empty()) {
-      VLOG(1) << "Resuming profile creation after fetching policy token";
-      StoreOAuth1AccessToken(user_profile,
-                             policy_oauth_fetcher_->oauth1_token(),
-                             policy_oauth_fetcher_->oauth1_secret());
-    }
-
     // Transfer proxy authentication cache, cookies (optionally) and server
     // bound certs from the profile that was used for authentication.  This
     // profile contains cookies that auth extension should have already put in
     // place that will ensure that the newly created session is authenticated
     // for the websites that work with the used authentication schema.
     ProfileAuthData::Transfer(authenticator_->authentication_profile(),
                               user_profile,
                               has_web_auth_cookies_,  // transfer_cookies
                               base::Bind(
                                   &LoginUtilsImpl::CompleteProfileCreate,
                                   AsWeakPtr(),
                                   user_profile));
     return;
   }
 
   FinalizePrepareProfile(user_profile);
 }
 
-void LoginUtilsImpl::RestoreAuthCookies(Profile* user_profile) {
-  std::string oauth1_token;
-  std::string oauth1_secret;
-  if (ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret) ||
-      !has_web_auth_cookies_) {
-    // Verify OAuth access token when we find it in the profile and always if
-    // if we don't have cookies.
-    // TODO(xiyuan): Change back to use authenticator to verify token when
-    // we support Gaia in lock screen.
-    VerifyOAuth1AccessToken(user_profile, oauth1_token, oauth1_secret);
-  } else {
-    // If we don't have it, fetch OAuth1 access token.
-    // Once we get that, we will kick off individual requests for OAuth2
-    // tokens for all our services.
-    // Use off-the-record profile that was used for this step. It should
-    // already contain all needed cookies that will let us skip GAIA's user
-    // authentication UI.
-    //
-    // TODO(rickcam) We should use an isolated App here.
-    oauth1_token_fetcher_.reset(
-        new OAuth1TokenFetcher(this,
-                               authenticator_->authentication_profile()));
-    oauth1_token_fetcher_->Start();
-  }
+void LoginUtilsImpl::CompleteProfileCreate(Profile* user_profile) {
+  RestoreAuthSession(user_profile, has_web_auth_cookies_);
+  FinalizePrepareProfile(user_profile);
 }
 
-void LoginUtilsImpl::CompleteProfileCreate(Profile* user_profile) {
-  RestoreAuthCookies(user_profile);
-  FinalizePrepareProfile(user_profile);
+void LoginUtilsImpl::RestoreAuthSession(Profile* user_profile,
+                                        bool restore_from_auth_cookies) {
+  DCHECK(authenticator_ || !restore_from_auth_cookies);
+  // Remove legacy OAuth1 token if we have one. If it's valid, we should already
+  // have OAuth2 refresh token in TokenService that could be used to retrieve
+  // all other tokens and credentials.
+  login_manager_->RestoreSession(
+      user_profile,
+      authenticator_ ?
+          authenticator_->authentication_profile()->GetRequestContext() :
+          NULL,
+      restore_from_auth_cookies);
 }
 
 void LoginUtilsImpl::FinalizePrepareProfile(Profile* user_profile) {
   BootTimesLoader* btl = BootTimesLoader::Get();
   // Own TPM device if, for any reason, it has not been done in EULA
   // wizard screen.
   CryptohomeLibrary* cryptohome = CrosLibrary::Get()->GetCryptohomeLibrary();
   btl->AddLoginTimeMarker("TPMOwn-Start", false);
   if (cryptohome->TpmIsEnabled() && !cryptohome->TpmIsBeingOwned()) {
     if (cryptohome->TpmIsOwned()) {
@@ skipping 60 matching lines @@
   // recorded.
   RLZTracker::InitRlzFromProfileDelayed(
       user_profile, UserManager::Get()->IsCurrentUserNew(),
       ping_delay < 0, base::TimeDelta::FromMilliseconds(abs(ping_delay)));
   if (delegate_)
     delegate_->OnRlzInitialized(user_profile);
 #endif
 }
 
 void LoginUtilsImpl::StartTokenServices(Profile* user_profile) {
-  std::string oauth1_token;
-  std::string oauth1_secret;
-  if (!ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret))
-    return;
-
-  FetchSecondaryTokens(user_profile->GetOffTheRecordProfile(),
-                       oauth1_token, oauth1_secret);
+  RestoreAuthSession(user_profile, false);
 }
 
-void LoginUtilsImpl::StartSignedInServices(
-    Profile* user_profile,
-    const GaiaAuthConsumer::ClientLoginResult& credentials) {
+void LoginUtilsImpl::StartSignedInServices(Profile* user_profile) {
   // Fetch/Create the SigninManager - this will cause the TokenService to load
   // tokens for the currently signed-in user if the SigninManager hasn't already
   // been initialized.
   SigninManager* signin = SigninManagerFactory::GetForProfile(user_profile);
   DCHECK(signin);
   // Make sure SigninManager is connected to our current user (this should
   // happen automatically because we set kGoogleServicesUsername in
   // OnProfileCreated()).
   DCHECK_EQ(UserManager::Get()->GetLoggedInUser()->display_email(),
             signin->GetAuthenticatedUsername());
@@ skipping 11 matching lines @@
       GoogleServiceSigninSuccessDetails details(
           signin->GetAuthenticatedUsername(),
           password_);
       content::NotificationService::current()->Notify(
           chrome::NOTIFICATION_GOOGLE_SIGNIN_SUCCESSFUL,
           content::Source<Profile>(user_profile),
           content::Details<const GoogleServiceSigninSuccessDetails>(&details));
     }
   }
   password_.clear();
-  TokenService* token_service =
-      TokenServiceFactory::GetForProfile(user_profile);
-  token_service->UpdateCredentials(credentials);
-  if (token_service->AreCredentialsValid())
-    token_service->StartFetchingTokens();
 }
 
 void LoginUtilsImpl::RespectLocalePreference(Profile* profile) {
   DCHECK(profile != NULL);
   PrefService* prefs = profile->GetPrefs();
   DCHECK(prefs != NULL);
   if (g_browser_process == NULL)
     return;
 
   std::string pref_locale = prefs->GetString(prefs::kApplicationLocale);
@@ skipping 278 matching lines @@
 void LoginUtilsImpl::RestoreAuthenticationSession(Profile* user_profile) {
   // We don't need to restore session for demo/guest users.
   if (!UserManager::Get()->IsUserLoggedIn() ||
       UserManager::Get()->IsLoggedInAsGuest() ||
       UserManager::Get()->IsLoggedInAsDemoUser()) {
     return;
   }
 
   if (!net::NetworkChangeNotifier::IsOffline()) {
     should_restore_auth_session_ = false;
-    KickStartAuthentication(user_profile);
+    RestoreAuthSession(user_profile, false);
   } else {
     // Even if we're online we should wait till initial
     // OnConnectionTypeChanged() call. Otherwise starting fetchers too early may
     // end up cancelling all request when initial network connection type is
     // processed. See http://crbug.com/121643.
     should_restore_auth_session_ = true;
   }
 }
 
-void LoginUtilsImpl::KickStartAuthentication(Profile* user_profile) {
-  std::string oauth1_token;
-  std::string oauth1_secret;
-  if (ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret))
-    VerifyOAuth1AccessToken(user_profile, oauth1_token, oauth1_secret);
+void LoginUtilsImpl::StopBackgroundFetchers() {
+  login_manager_.reset();
 }
 
-void LoginUtilsImpl::StopBackgroundFetchers() {
-  policy_oauth_fetcher_.reset();
-  oauth1_token_fetcher_.reset();
-  oauth_login_verifier_.reset();
+void LoginUtilsImpl::OnCompletedAuthentication(Profile* user_profile) {
+  StartSignedInServices(user_profile);
 }
 
-void LoginUtilsImpl::FetchSecondaryTokens(Profile* offrecord_profile,
-                                          const std::string& token,
-                                          const std::string& secret) {
-  FetchPolicyToken(offrecord_profile, token, secret);
-  // TODO(rickcam, zelidrag): Wire TokenService there when it becomes
-  // capable of handling OAuth1 tokens directly.
-}
-
-bool LoginUtilsImpl::ReadOAuth1AccessToken(Profile* user_profile,
-                                           std::string* token,
-                                           std::string* secret) {
-  // Skip reading oauth token if user does not have a valid status.
-  if (UserManager::Get()->IsUserLoggedIn() &&
-      UserManager::Get()->GetLoggedInUser()->oauth_token_status() !=
-      User::OAUTH_TOKEN_STATUS_VALID) {
-    return false;
-  }
-
-  PrefService* pref_service = user_profile->GetPrefs();
-  std::string encoded_token = pref_service->GetString(prefs::kOAuth1Token);
-  std::string encoded_secret = pref_service->GetString(prefs::kOAuth1Secret);
-  if (!encoded_token.length() || !encoded_secret.length())
-    return false;
-
-  std::string decoded_token =
-      CrosLibrary::Get()->GetCertLibrary()->DecryptToken(encoded_token);
-  std::string decoded_secret =
-      CrosLibrary::Get()->GetCertLibrary()->DecryptToken(encoded_secret);
-  if (!decoded_token.length() || !decoded_secret.length())
-    return false;
-
-  *token = decoded_token;
-  *secret = decoded_secret;
-  return true;
-}
-
-void LoginUtilsImpl::StoreOAuth1AccessToken(Profile* user_profile,
-                                            const std::string& token,
-                                            const std::string& secret) {
-  // First store OAuth1 token + service for the current user profile...
-  std::string encrypted_token =
-      CrosLibrary::Get()->GetCertLibrary()->EncryptToken(token);
-  std::string encrypted_secret =
-      CrosLibrary::Get()->GetCertLibrary()->EncryptToken(secret);
-  PrefService* pref_service = user_profile->GetPrefs();
-  User* user = UserManager::Get()->GetLoggedInUser();
-  if (!encrypted_token.empty() && !encrypted_secret.empty()) {
-    pref_service->SetString(prefs::kOAuth1Token, encrypted_token);
-    pref_service->SetString(prefs::kOAuth1Secret, encrypted_secret);
-
-    // ...then record the presence of valid OAuth token for this account in
-    // local state as well.
-    UserManager::Get()->SaveUserOAuthStatus(
-        user->email(), User::OAUTH_TOKEN_STATUS_VALID);
-  } else {
-    LOG(WARNING) << "Failed to get OAuth1 token/secret encrypted.";
-    // Set the OAuth status invalid so that the user will go through full
-    // GAIA login next time.
-    UserManager::Get()->SaveUserOAuthStatus(
-        user->email(), User::OAUTH_TOKEN_STATUS_INVALID);
-  }
-}
-
-void LoginUtilsImpl::VerifyOAuth1AccessToken(Profile* user_profile,
-                                             const std::string& token,
-                                             const std::string& secret) {
-  // Kick off verification of OAuth1 access token (via OAuthLogin), this should
-  // let us fetch credentials that will be used to initialize sync engine.
-  FetchCredentials(user_profile, token, secret);
-
-  FetchSecondaryTokens(user_profile->GetOffTheRecordProfile(), token, secret);
-}
-
-void LoginUtilsImpl::FetchCredentials(Profile* user_profile,
-                                      const std::string& token,
-                                      const std::string& secret) {
-  oauth_login_verifier_.reset(new OAuthLoginVerifier(
-      this, user_profile, token, secret,
-      UserManager::Get()->GetLoggedInUser()->email()));
-  oauth_login_verifier_->StartOAuthVerification();
-}
-
-
-void LoginUtilsImpl::FetchPolicyToken(Profile* offrecord_profile,
-                                      const std::string& token,
-                                      const std::string& secret) {
-  // Fetch dm service token now, if it hasn't been fetched yet.
-  if (!policy_oauth_fetcher_.get() || policy_oauth_fetcher_->failed()) {
-    // Get the default system profile to use with the policy fetching. If there
-    // is no |authenticator_| profile, manually load default system profile.
-    // Otherwise, just use |authenticator_|'s profile.
-    Profile* profile = NULL;
-    if (authenticator_)
-      profile = authenticator_->authentication_profile();
-
-    if (!profile) {
-      FilePath user_data_dir;
-      PathService::Get(chrome::DIR_USER_DATA, &user_data_dir);
-      ProfileManager* profile_manager = g_browser_process->profile_manager();
-      // Temporarily allow until fix: http://crosbug.com/30391.
-      base::ThreadRestrictions::ScopedAllowIO allow_io;
-      profile = profile_manager->GetProfile(user_data_dir)->
-          GetOffTheRecordProfile();
-    }
-
-    // Trigger oauth token fetch for user policy.
-    policy_oauth_fetcher_.reset(new PolicyOAuthFetcher(profile, token, secret));
-    policy_oauth_fetcher_->Start();
-  }
-
-  // TODO(zelidrag): We should add initialization of other services somewhere
-  // here as well. This could be handled with TokenService class once it is
-  // ready to handle OAuth tokens.
-
-  // We don't need authenticator instance any more, reset it so that
+void LoginUtilsImpl::OnFoundStoredTokens() {
+  // We don't need authenticator instance any more since its cookie jar
+  // is not going to needed to mint OAuth tokens. Reset it so that
   // ScreenLocker would create a separate instance.
-  // TODO(nkostylev): There's a potential race if SL would be created before
-  // OAuth tokens are fetched. It would use incorrect Authenticator instance.
   authenticator_ = NULL;
 }
 
-void LoginUtilsImpl::OnOAuthVerificationFailed(const std::string& user_name) {
-  UserManager::Get()->SaveUserOAuthStatus(user_name,
-                                          User::OAUTH_TOKEN_STATUS_INVALID);
-}
-
-void LoginUtilsImpl::OnOAuth1AccessTokenAvailable(const std::string& token,
-                                                  const std::string& secret) {
-  Profile* user_profile = ProfileManager::GetDefaultProfile();
-  StoreOAuth1AccessToken(user_profile, token, secret);
-
-  // Verify OAuth1 token by doing OAuthLogin and fetching credentials. If we
-  // have just transfered auth cookies out of authenticated cookie jar, there
-  // is no need to try to mint them from OAuth token again.
-  VerifyOAuth1AccessToken(user_profile, token, secret);
-}
-
-void LoginUtilsImpl::OnOAuth1AccessTokenFetchFailed() {
-  // TODO(kochi): Show failure notification UI here?
-  LOG(ERROR) << "Failed to fetch OAuth1 access token.";
-  g_browser_process->browser_policy_connector()->RegisterForUserPolicy(
-      EmptyString());
-}
-
-void LoginUtilsImpl::OnOAuthVerificationSucceeded(
-    const std::string& user_name, const std::string& sid,
-    const std::string& lsid, const std::string& auth) {
-  // Kick off sync engine.
-  GaiaAuthConsumer::ClientLoginResult credentials(sid, lsid, auth,
-                                                  std::string());
-  StartSignedInServices(ProfileManager::GetDefaultProfile(), credentials);
-}
-
-
 void LoginUtilsImpl::OnConnectionTypeChanged(
     net::NetworkChangeNotifier::ConnectionType type) {
+  if (!login_manager_.get())
+    return;
+
   if (type != net::NetworkChangeNotifier::CONNECTION_NONE &&
       UserManager::Get()->IsUserLoggedIn()) {
-    if (oauth_login_verifier_.get() &&
-        !oauth_login_verifier_->is_done()) {
+    if (login_manager_->state() ==
+            OAuthLoginManager::SESSION_RESTORE_IN_PROGRESS) {
       // If we come online for the first time after successful offline login,
       // we need to kick off OAuth token verification process again.
-      oauth_login_verifier_->ContinueVerification();
+      login_manager_->ContinueSessionRestore();
     } else if (should_restore_auth_session_) {
       should_restore_auth_session_ = false;
       Profile* user_profile = ProfileManager::GetDefaultProfile();
-      KickStartAuthentication(user_profile);
+      RestoreAuthSession(user_profile, has_web_auth_cookies_);
     }
   }
 }
 
 void LoginUtilsImpl::Observe(int type,
                              const content::NotificationSource& source,
                              const content::NotificationDetails& details) {
   switch (type) {
     case chrome::NOTIFICATION_PROFILE_URL_REQUEST_CONTEXT_GETTER_INITIALIZED: {
       Profile* profile = content::Source<Profile>(source).ptr();
@@ skipping 23 matching lines @@
 bool LoginUtils::IsWhitelisted(const std::string& username) {
   CrosSettings* cros_settings = CrosSettings::Get();
   bool allow_new_user = false;
   cros_settings->GetBoolean(kAccountsPrefAllowNewUser, &allow_new_user);
   if (allow_new_user)
     return true;
   return cros_settings->FindEmailInList(kAccountsPrefUsers, username);
 }
 
 }  // namespace chromeos