Host-side third party token validation

remoting/protocol/third_party_host_authenticator.h

Index: remoting/protocol/third_party_host_authenticator.h
diff --git a/remoting/protocol/third_party_host_authenticator.h b/remoting/protocol/third_party_host_authenticator.h
index b72ac054b13d37af1a391ba89cb23078ec32a312..ba0c6568f6d7a5d72e51b93dfc5af92ab945083b 100644
--- a/remoting/protocol/third_party_host_authenticator.h
+++ b/remoting/protocol/third_party_host_authenticator.h
@@ -54,6 +54,20 @@ class ThirdPartyHostAuthenticator : public ThirdPartyAuthenticatorBase {
     virtual const std::string& token_scope() const = 0;
   };
 
+  class TokenValidatorFactory {
+   public:
+    virtual ~TokenValidatorFactory() {}
+
+   // Creates a TokenValidator. |local_jid| and |remote_jid| are used to create
+    // a token scope that is restricted to the current connection's JIDs.
+    virtual scoped_ptr<TokenValidator> CreateTokenValidator(
+        const GURL& token_url,
+        const GURL& token_validation_url,
+        scoped_refptr<RsaKeyPair> key_pair,

[Sergey Ulanov, 2013/03/28 22:34:54]

These three parameters are specific to url-based token validator, so they
shouldn't be part of the generic interface. Can you move them to
UrlFetcherTokenValidatorFactory constructor?

[rmsousa, 2013/03/28 23:12:49]

These can change during the lifetime of the host (policy/config update), so they
can't be owned by a global TokenValidatorFactory. If instead of having a global
one we create a TokenValidatorFactory when we create Me2MeAuthenticatorFactory
(see the previous patchset), we can't pass a naked reference to the factory to
NegotiatingAuthenticator, because there's no ownership between
Me2MeAuthenticatorFactory and NegotiatingAuthenticator, so we end up having to
refcount the TokenValidatorFactory.

Again this gets much simpelr if we declare that the host's protocol choice is
final - Me2MeAuthenticatorFactory can just give the NegotiatingAuthenticator a
TokenValidator instance.

[Sergey Ulanov, 2013/03/28 23:39:39]

For some policies we restart the host when they change. I think we should do it
for these authentication policies too. This is necessary because you need to
make sure that policies apply to all connected clients. If a client is connected
while token_url changes then it means that the client needs to be
reauthenticated using new URL. I don't think we want to support reauthentication
mid-session - it's easier to restart the host in that case.

[rmsousa, 2013/04/04 22:13:43]

Done.

+        const std::string& local_jid,
+        const std::string& remote_jid) = 0;
+  };
+
   // Creates a third-party host authenticator. |local_cert| and |key_pair| are
   // used by the underlying V2Authenticator to create the SSL channels.
   // |token_validator| contains the token parameters to be sent to the client