Support service accounts in the chromoting host.

remoting/host/signaling_connector.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/host/signaling_connector.h"
 
 #include "base/bind.h"
 #include "base/callback.h"
+#include "base/strings/string_util.h"
 #include "google_apis/google_api_keys.h"
 #include "net/url_request/url_fetcher.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "remoting/host/dns_blackhole_checker.h"
 
 namespace remoting {
 
 namespace {
 
 // The delay between reconnect attempts will increase exponentially up
 // to the maximum specified here.
 const int kMaxReconnectDelaySeconds = 10 * 60;
 
 // Time when we we try to update OAuth token before its expiration.
 const int kTokenUpdateTimeBeforeExpirySeconds = 60;
 
 }  // namespace
 
 SignalingConnector::OAuthCredentials::OAuthCredentials(
     const std::string& login_value,
-    const std::string& refresh_token_value)
+    const std::string& refresh_token_value,
+    bool is_service_account)
     : login(login_value),
-      refresh_token(refresh_token_value) {
+      refresh_token(refresh_token_value),
+      is_service_account(is_service_account) {
 }
 
 SignalingConnector::SignalingConnector(
     XmppSignalStrategy* signal_strategy,
     scoped_refptr<net::URLRequestContextGetter> url_request_context_getter,
     scoped_ptr<DnsBlackholeChecker> dns_blackhole_checker,
     const base::Closure& auth_failed_callback)
     : signal_strategy_(signal_strategy),
       url_request_context_getter_(url_request_context_getter),
       auth_failed_callback_(auth_failed_callback),
@@ skipping 179 matching lines @@
       signal_strategy_->Connect();
     }
   }
 }
 
 void SignalingConnector::RefreshOAuthToken() {
   DCHECK(CalledOnValidThread());
   LOG(INFO) << "Refreshing OAuth token.";
   DCHECK(!refreshing_oauth_token_);
 
+  // Service accounts use different API keys, as they use the client app flow.

[rmsousa, 2013/07/23 21:50:21]

Yuck. Longer explanation - Service Accounts use the client app flow
(redirect_uri = oob). Our current host client IDs only support the server flow
(redirect_uri = real server, in our case talk gadget). The dev console doesn't
allow the same client IDs to be used for both flows. So we need to add another
client ID, to be used specifically for service accounts.

On the upside, this means that once we fully move to appsv2 and service
accounts, we can get rid of the old oauth.js flow and client IDs entirely - the
client will use the new identity API flow, and the host will use the service
account flow.

+  google_apis::OAuth2Client oauth2_client;
+  if (oauth_credentials_->is_service_account) {
+    oauth2_client = google_apis::CLIENT_REMOTING_SERVICE_ACCOUNT;
+  } else {
+    oauth2_client = google_apis::CLIENT_REMOTING;
+  }
+
   gaia::OAuthClientInfo client_info = {
-      google_apis::GetOAuth2ClientID(google_apis::CLIENT_REMOTING),
-      google_apis::GetOAuth2ClientSecret(google_apis::CLIENT_REMOTING),
-      // Redirect URL is only used when getting tokens from auth code. It
-      // is not required when getting access tokens.
-      ""
+    google_apis::GetOAuth2ClientID(oauth2_client),
+    google_apis::GetOAuth2ClientSecret(oauth2_client),
+    // Redirect URL is only used when getting tokens from auth code. It
+    // is not required when getting access tokens.
+    ""
   };
 
   refreshing_oauth_token_ = true;
   std::vector<std::string> empty_scope_list;  // (Use scope from refresh token.)
   gaia_oauth_client_->RefreshToken(
       client_info, oauth_credentials_->refresh_token, empty_scope_list,
       1, this);
 }
 
 }  // namespace remoting