Wire up the identity API for enterprise Kiosk Apps.

chrome/browser/extensions/api/identity/identity_api.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/api/identity/identity_api.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
 
 #include "base/lazy_instance.h"
 #include "base/prefs/pref_service.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "base/values.h"
 #include "chrome/browser/app_mode/app_mode_utils.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/extensions/extension_function_dispatcher.h"
 #include "chrome/browser/extensions/extension_service.h"
+#include "chrome/browser/policy/browser_policy_connector.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/signin/signin_manager.h"
 #include "chrome/browser/signin/signin_manager_factory.h"
 #include "chrome/browser/signin/token_service.h"
 #include "chrome/browser/signin/token_service_factory.h"
 #include "chrome/common/extensions/api/identity.h"
 #include "chrome/common/extensions/api/identity/oauth2_manifest_handler.h"
 #include "chrome/common/extensions/extension.h"
 #include "chrome/common/extensions/extension_manifest_constants.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/common/url_constants.h"
 #include "google_apis/gaia/gaia_constants.h"
 #include "googleurl/src/gurl.h"
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/login/user_manager.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #endif
 
 namespace extensions {
 
 namespace identity_constants {
 const char kInvalidClientId[] = "Invalid OAuth2 Client ID.";
 const char kInvalidScopes[] = "Invalid OAuth2 scopes.";
 const char kAuthFailure[] = "OAuth2 request failed: ";
 const char kNoGrant[] = "OAuth2 not granted or revoked.";
 const char kUserRejected[] = "The user did not approve access.";
@@ skipping 46 matching lines @@
   }
 
   if (oauth2_info.scopes.size() == 0) {
     error_ = identity_constants::kInvalidScopes;
     return false;
   }
 
   // Balanced in CompleteFunctionWithResult|CompleteFunctionWithError
   AddRef();
 
+#if defined(OS_CHROMEOS)
+  if (chromeos::UserManager::Get()->IsLoggedInAsKioskApp() &&
+      g_browser_process->browser_policy_connector()->IsEnterpriseManaged()) {
+    OAuth2TokenService::ScopeSet scope_set(oauth2_info.scopes.begin(),
+                                           oauth2_info.scopes.end());
+    device_token_request_ =
+        chromeos::DeviceOAuth2TokenServiceFactory::Get()->StartRequest(

[Michael Courage, 2013/06/20 00:19:42]

The OAuth2TokenService will request tokens using Chrome's client ID. Is that
expected/desired for kiosk apps? It's not normal for Identity API callers.

Note also that the check on line 93 and also the OAuth2ManifestHandler will
demand a "client_id" key, that is going to be ignored.

[Mattias Nissler (ping if slow), 2013/06/21 02:44:46]

I'm aware of that. The any-api refresh token we have actually only allows us to
fetch tokens for Chrome's client ID. That's certainly suboptimal, but we don't
have a better alternative to the best of my knowledge. I left a TODO in the code
now to address this.  
 
I think that's fine, given that we'd rather use the correct client ID
eventually.

+            scope_set, this);
+    return true;
+  }
+#endif
+
   if (!HasLoginToken()) {
     if (!should_prompt_for_signin_) {
       error_ = identity_constants::kUserNotSignedIn;
       Release();
       return false;
     }
     // Display a login prompt.
     StartSigninFlow();
   } else {
     TokenService* token_service = TokenServiceFactory::GetForProfile(profile());
@@ skipping 235 matching lines @@
     IdentityTokenCacheValue token_value(
         access_token, base::TimeDelta::FromSeconds(time_to_live));
     IdentityAPI::GetFactoryInstance()->GetForProfile(profile())
         ->SetCachedToken(GetExtension()->id(), oauth2_info.scopes, token_value);
   }
 
   CompleteMintTokenFlow();
   CompleteFunctionWithResult(access_token);
 }
 
+void IdentityGetAuthTokenFunction::OnGetTokenSuccess(
+    const OAuth2TokenService::Request* request,
+    const std::string& access_token,
+    const base::Time& expiration_time) {
+  DCHECK_EQ(device_token_request_.get(), request);
+  device_token_request_.reset();
+
+  const OAuth2Info& oauth2_info = OAuth2Info::GetOAuth2Info(GetExtension());
+  IdentityTokenCacheValue token(access_token,
+                                expiration_time - base::Time::Now());
+  IdentityAPI::GetFactoryInstance()->GetForProfile(profile())->SetCachedToken(

[Michael Courage, 2013/06/20 00:19:42]

The Kiosk flow in RunImpl diverges before reading from the cache, so the tokens
stored here will never be read.

Similarly, calls to chrome.identity.removeCachedAuthToken (see
IdentityRemoveCachedAuthTokenFunction) will not be propagated to
OAuth2TokenService::InvalidateToken, so there will be no way to flush a bad
token other than restarting.

[Mattias Nissler (ping if slow), 2013/06/21 02:44:46]

Moved token minting to the right place.

+      GetExtension()->id(), oauth2_info.scopes, token);
+
+  CompleteFunctionWithResult(access_token);
+}
+
+void IdentityGetAuthTokenFunction::OnGetTokenFailure(
+    const OAuth2TokenService::Request* request,
+    const GoogleServiceAuthError& error) {
+  DCHECK_EQ(device_token_request_.get(), request);
+  device_token_request_.reset();
+
+  CompleteFunctionWithError(error.ToString());

[Michael Courage, 2013/06/20 00:19:42]

There's no way to get all error messages in sync given the different token
fetching infrastructure, but 
OnGaiaFlowFailure prefixes these error strings with
identity_constants::kAuthFailure.

[Mattias Nissler (ping if slow), 2013/06/21 02:44:46]

Done.

+}
+
 void IdentityGetAuthTokenFunction::StartGaiaRequest(
     OAuth2MintTokenFlow::Mode mode) {
   mint_token_flow_.reset(CreateMintTokenFlow(mode));
   mint_token_flow_->Start();
 }
 
 void IdentityGetAuthTokenFunction::ShowLoginPopup() {
   signin_flow_.reset(new IdentitySigninFlow(this, profile()));
   signin_flow_->Start();
 }
@@ skipping 323 matching lines @@
     const IdentityAPI::TokenCacheKey& rhs) const {
   if (extension_id < rhs.extension_id)
     return true;
   else if (rhs.extension_id < extension_id)
     return false;
 
   return scopes < rhs.scopes;
 }
 
 }  // namespace extensions