Add ManagedUserTokenFetcher to fetch scoped-down tokens.

chrome/browser/managed_mode/managed_user_token_fetcher.h

Index: chrome/browser/managed_mode/managed_user_token_fetcher.h
diff --git a/chrome/browser/managed_mode/managed_user_token_fetcher.h b/chrome/browser/managed_mode/managed_user_token_fetcher.h
new file mode 100644
index 0000000000000000000000000000000000000000..aaac2b9910b6a564bb490a21d555f908c7c47547
--- /dev/null
+++ b/chrome/browser/managed_mode/managed_user_token_fetcher.h
@@ -0,0 +1,47 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_MANAGED_MODE_MANAGED_USER_TOKEN_FETCHER_H_
+#define CHROME_BROWSER_MANAGED_MODE_MANAGED_USER_TOKEN_FETCHER_H_
+
+#include <string>
+
+#include "base/callback_forward.h"
+#include "base/compiler_specific.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/string16.h"
+
+class GoogleServiceAuthError;
+class OAuth2TokenService;
+
+namespace net {
+class URLRequestContextGetter;
+}
+
+// This class fetches an OAuth2 token that is tied to a managed user ID and
+// downscoped to a special scope for Chrome Sync for managed users.
+// Fetching the token consists of the following steps:
+//   1. Get an access token from OAuth2TokenService (either cached or fetched)

[Andrew T Wilson (Slow), 2013/05/28 13:10:08]

"Get an access token for the custodian from OAuth2TokenService..."

[Bernhard Bauer, 2013/05/29 11:41:45]

Done.

+//   2. Call the IssueToken API to request the downscoped token; the response

[Andrew T Wilson (Slow), 2013/05/28 13:10:08]

"Call the IssueToken API to mint a scoped authorization code for a managed user
from the custodian's access token."

[Bernhard Bauer, 2013/05/29 11:41:45]

Done, with the additional explanation that the authorization code is for a
refresh token.

+//      is an authentication code
+//   3. Exchange the authentication code for a refresh token and an access

[Andrew T Wilson (Slow), 2013/05/28 13:10:08]

"Exchange the authentication code for a refresh token for the managed user and
return it to the caller. The refresh token can only be used to mint
sync_playpen-scoped tokens"

(I think this is correct - we don't care about the access token, right? Looks
like we just drop it on the floor)

[Bernhard Bauer, 2013/05/29 11:41:45]

Done. I didn't use the term "playpen" though, because that's not used in the
client code (except for the value of the scope itself, which is a constant
defined server-side).

+//      token.
+class ManagedUserTokenFetcher {

[Andrew T Wilson (Slow), 2013/05/28 13:10:08]

Might want to change the name to make it clear that this code mints a new
*refresh* token. I took the name "ManagedUserTokenFetcher" to mean "fetches an
access token", which befuddled me since we already have lots of classes that do
that :).

[Bernhard Bauer, 2013/05/29 11:41:45]

OK, done.

+ public:
+  typedef base::Callback<void(const GoogleServiceAuthError& /* error */,
+                              const std::string& /* token */)> TokenCallback;

[Andrew T Wilson (Slow), 2013/05/28 13:10:08]

token->refresh_token

[Bernhard Bauer, 2013/05/29 11:41:45]

Done.

+
+  static scoped_ptr<ManagedUserTokenFetcher> Create(
+      OAuth2TokenService* oauth2_token_service,
+      net::URLRequestContextGetter* context);
+
+  virtual ~ManagedUserTokenFetcher();
+
+  virtual void Start(const std::string& managed_user_id,
+                     const string16& name,
+                     const std::string& device_name,
+                     const TokenCallback& callback) = 0;
+};
+
+#endif  // CHROME_BROWSER_MANAGED_MODE_MANAGED_USER_TOKEN_FETCHER_H_