Multiple account support in chrome.identity.getAuthToken

chrome/browser/extensions/api/identity/identity_api.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/api/identity/identity_api.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
@@ skipping 151 matching lines @@
 const IdentityTokenCacheValue& IdentityAPI::GetCachedToken(
     const ExtensionTokenKey& key) {
   return token_cache_[key];
 }
 
 const IdentityAPI::CachedTokens& IdentityAPI::GetAllCachedTokens() {
   return token_cache_;
 }
 
 std::vector<std::string> IdentityAPI::GetAccounts() const {
+  const std::string primary_account_id = GetPrimaryAccountId(browser_context_);
   const std::vector<AccountIds> ids = account_tracker_.GetAccounts();
   std::vector<std::string> gaia_ids;
 
   if (switches::IsExtensionsMultiAccount()) {
     for (std::vector<AccountIds>::const_iterator it = ids.begin();
          it != ids.end();
          ++it) {
       gaia_ids.push_back(it->gaia);
     }
   } else if (ids.size() >= 1) {
     gaia_ids.push_back(ids[0].gaia);
   }
 
   return gaia_ids;
 }
 
+std::string IdentityAPI::FindAccountKeyByGaiaId(const std::string& gaia_id) {
+  return account_tracker_.FindAccountKeyByGaiaId(gaia_id);
+}
+
 void IdentityAPI::ReportAuthError(const GoogleServiceAuthError& error) {
   account_tracker_.ReportAuthError(GetPrimaryAccountId(browser_context_),
                                    error);
 }
 
 GoogleServiceAuthError IdentityAPI::GetAuthStatusForTest() const {
   return account_tracker_.GetAuthStatus();
 }
 
 void IdentityAPI::Shutdown() {
@@ skipping 112 matching lines @@
     return false;
   }
 
   if (oauth2_info.scopes.size() == 0) {
     error_ = identity_constants::kInvalidScopes;
     return false;
   }
 
   std::set<std::string> scopes(oauth2_info.scopes.begin(),
                                oauth2_info.scopes.end());
-  token_key_.reset(new ExtensionTokenKey(
-      GetExtension()->id(), GetPrimaryAccountId(GetProfile()), scopes));
+
+  std::string account_key = GetPrimaryAccountId(GetProfile());
+
+  if (params->details->account.get()) {
+    std::string detail_key =
+        extensions::IdentityAPI::GetFactoryInstance()
+            ->Get(GetProfile())
+            ->FindAccountKeyByGaiaId(params->details->account->id);
+
+    if (detail_key != account_key) {
+      if (detail_key.empty() || !switches::IsExtensionsMultiAccount()) {
+        // TODO(courage): should this be a different error?
+        error_ = identity_constants::kUserNotSignedIn;
+        return false;
+      }
+
+      account_key = detail_key;
+    }
+  }
+
+  token_key_.reset(
+      new ExtensionTokenKey(GetExtension()->id(), account_key, scopes));
 
   // From here on out, results must be returned asynchronously.
   StartAsyncRun();
 
 #if defined(OS_CHROMEOS)
   policy::BrowserPolicyConnectorChromeOS* connector =
       g_browser_process->platform_part()->browser_policy_connector_chromeos();
   if (chromeos::UserManager::Get()->IsLoggedInAsKioskApp() &&
       connector->IsEnterpriseManaged()) {
     StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE);
@@ skipping 313 matching lines @@
 void IdentityGetAuthTokenFunction::StartLoginAccessTokenRequest() {
   ProfileOAuth2TokenService* service =
       ProfileOAuth2TokenServiceFactory::GetForProfile(GetProfile());
   const std::string primary_account_id = GetPrimaryAccountId(GetProfile());
 #if defined(OS_CHROMEOS)
   if (chrome::IsRunningInForcedAppMode()) {
     std::string app_client_id;
     std::string app_client_secret;
     if (chromeos::UserManager::Get()->GetAppModeChromeClientOAuthInfo(
            &app_client_id, &app_client_secret)) {
+      // TODO(courage): figure out what account should be here

[fgorski, 2014/06/03 23:46:40]

I'd check with bartfab, but based on my exchange with him re: gcm services, it
should be whatever comes from identity provider. (as in the device case it would
use robot account) -> qualified guess

[Michael Courage, 2014/06/04 23:37:38]

Right thing to do here is use the account established in RunAsync. Right now it
does no kiosk specific filtering, and I don't think it needs to.

       login_token_request_ =
           service->StartRequestForClient(primary_account_id,
                                          app_client_id,
                                          app_client_secret,
                                          OAuth2TokenService::ScopeSet(),
                                          this);
       return;
     }
   }
 #endif
   login_token_request_ = service->StartRequest(
-      primary_account_id, OAuth2TokenService::ScopeSet(), this);
+      token_key_->account_id, OAuth2TokenService::ScopeSet(), this);
 }
 
 void IdentityGetAuthTokenFunction::StartGaiaRequest(
     const std::string& login_access_token) {
   DCHECK(!login_access_token.empty());
   mint_token_flow_.reset(CreateMintTokenFlow(login_access_token));
   mint_token_flow_->Start();
 }
 
 void IdentityGetAuthTokenFunction::ShowLoginPopup() {
   signin_flow_.reset(new IdentitySigninFlow(this, GetProfile()));
   signin_flow_->Start();
 }
 
 void IdentityGetAuthTokenFunction::ShowOAuthApprovalDialog(
     const IssueAdviceInfo& issue_advice) {
   const OAuth2Info& oauth2_info = OAuth2Info::GetOAuth2Info(GetExtension());
   const std::string locale = g_browser_process->local_state()->GetString(
       prefs::kApplicationLocale);
 
-  gaia_web_auth_flow_.reset(new GaiaWebAuthFlow(
-      this, GetProfile(), GetExtension()->id(), oauth2_info, locale));
+  gaia_web_auth_flow_.reset(new GaiaWebAuthFlow(this,
+                                                GetProfile(),
+                                                token_key_->account_id,
+                                                GetExtension()->id(),
+                                                oauth2_info,
+                                                locale));
   gaia_web_auth_flow_->Start();
 }
 
 OAuth2MintTokenFlow* IdentityGetAuthTokenFunction::CreateMintTokenFlow(
     const std::string& login_access_token) {
   const OAuth2Info& oauth2_info = OAuth2Info::GetOAuth2Info(GetExtension());
 
   OAuth2MintTokenFlow* mint_token_flow = new OAuth2MintTokenFlow(
       GetProfile()->GetRequestContext(),
       this,
       OAuth2MintTokenFlow::Parameters(login_access_token,
                                       GetExtension()->id(),
                                       oauth2_client_id_,
                                       oauth2_info.scopes,
                                       gaia_mint_token_mode_));
   return mint_token_flow;
 }
 
 bool IdentityGetAuthTokenFunction::HasLoginToken() const {
   ProfileOAuth2TokenService* token_service =
       ProfileOAuth2TokenServiceFactory::GetForProfile(GetProfile());
-  return token_service->RefreshTokenIsAvailable(
-      GetPrimaryAccountId(GetProfile()));
+  return token_service->RefreshTokenIsAvailable(token_key_->account_id);
 }
 
 std::string IdentityGetAuthTokenFunction::MapOAuth2ErrorToDescription(
     const std::string& error) {
   const char kOAuth2ErrorAccessDenied[] = "access_denied";
   const char kOAuth2ErrorInvalidScope[] = "invalid_scope";
 
   if (error == kOAuth2ErrorAccessDenied)
     return std::string(identity_constants::kUserRejected);
   else if (error == kOAuth2ErrorInvalidScope)
@@ skipping 106 matching lines @@
 void IdentityLaunchWebAuthFlowFunction::OnAuthFlowURLChange(
     const GURL& redirect_url) {
   if (redirect_url.GetWithEmptyPath() == final_url_prefix_) {
     SetResult(new base::StringValue(redirect_url.spec()));
     SendResponse(true);
     Release();  // Balanced in RunAsync.
   }
 }
 
 }  // namespace extensions