1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/extensions/api/identity/identity_api.h"
12 #include "base/debug/trace_event.h"
13 #include "base/lazy_instance.h"
14 #include "base/prefs/pref_service.h"
15 #include "base/strings/string_number_conversions.h"
16 #include "base/strings/stringprintf.h"
17 #include "base/values.h"
18 #include "chrome/browser/app_mode/app_mode_utils.h"
19 #include "chrome/browser/browser_process.h"
20 #include "chrome/browser/chrome_notification_types.h"
21 #include "chrome/browser/extensions/extension_service.h"
22 #include "chrome/browser/profiles/profile.h"
23 #include "chrome/browser/signin/chrome_signin_client_factory.h"
24 #include "chrome/browser/signin/profile_oauth2_token_service_factory.h"
25 #include "chrome/browser/signin/signin_manager_factory.h"
26 #include "chrome/browser/ui/webui/signin/login_ui_service_factory.h"
27 #include "chrome/common/extensions/api/identity.h"
28 #include "chrome/common/pref_names.h"
29 #include "chrome/common/url_constants.h"
30 #include "components/signin/core/browser/profile_oauth2_token_service.h"
31 #include "components/signin/core/browser/signin_manager.h"
32 #include "components/signin/core/common/profile_management_switches.h"
33 #include "extensions/browser/event_router.h"
34 #include "extensions/browser/extension_function_dispatcher.h"
35 #include "extensions/common/extension.h"
36 #include "extensions/common/extension_l10n_util.h"
37 #include "extensions/common/manifest_handlers/oauth2_manifest_handler.h"
38 #include "extensions/common/permissions/permission_set.h"
39 #include "extensions/common/permissions/permissions_data.h"
40 #include "google_apis/gaia/gaia_urls.h"
43 #if defined(OS_CHROMEOS)
44 #include "chrome/browser/chromeos/login/session/user_session_manager.h"
45 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
46 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
47 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
48 #include "components/user_manager/user_manager.h"
49 #include "google_apis/gaia/gaia_constants.h"
52 namespace extensions {
54 namespace identity_constants {
55 const char kInvalidClientId[] = "Invalid OAuth2 Client ID.";
56 const char kInvalidScopes[] = "Invalid OAuth2 scopes.";
57 const char kAuthFailure[] = "OAuth2 request failed: ";
58 const char kNoGrant[] = "OAuth2 not granted or revoked.";
59 const char kUserRejected[] = "The user did not approve access.";
60 const char kUserNotSignedIn[] = "The user is not signed in.";
61 const char kInteractionRequired[] = "User interaction required.";
62 const char kInvalidRedirect[] = "Did not redirect to the right URL.";
63 const char kOffTheRecord[] = "Identity API is disabled in incognito windows.";
64 const char kPageLoadFailure[] = "Authorization page could not be loaded.";
65 const char kCanceled[] = "canceled";
67 const int kCachedIssueAdviceTTLSeconds = 1;
68 } // namespace identity_constants
72 static const char kChromiumDomainRedirectUrlPattern[] =
73 "https://%s.chromiumapp.org/";
75 std::string GetPrimaryAccountId(content::BrowserContext* context) {
76 SigninManagerBase* signin_manager =
77 SigninManagerFactory::GetForProfile(Profile::FromBrowserContext(context));
78 return signin_manager->GetAuthenticatedAccountId();
83 namespace identity = api::identity;
85 IdentityTokenCacheValue::IdentityTokenCacheValue()
86 : status_(CACHE_STATUS_NOTFOUND) {}
88 IdentityTokenCacheValue::IdentityTokenCacheValue(
89 const IssueAdviceInfo& issue_advice)
90 : status_(CACHE_STATUS_ADVICE), issue_advice_(issue_advice) {
92 base::Time::Now() + base::TimeDelta::FromSeconds(
93 identity_constants::kCachedIssueAdviceTTLSeconds);
96 IdentityTokenCacheValue::IdentityTokenCacheValue(const std::string& token,
97 base::TimeDelta time_to_live)
98 : status_(CACHE_STATUS_TOKEN), token_(token) {
99 // Remove 20 minutes from the ttl so cached tokens will have some time
100 // to live any time they are returned.
101 time_to_live -= base::TimeDelta::FromMinutes(20);
103 base::TimeDelta zero_delta;
104 if (time_to_live < zero_delta)
105 time_to_live = zero_delta;
107 expiration_time_ = base::Time::Now() + time_to_live;
110 IdentityTokenCacheValue::~IdentityTokenCacheValue() {}
112 IdentityTokenCacheValue::CacheValueStatus IdentityTokenCacheValue::status()
115 return IdentityTokenCacheValue::CACHE_STATUS_NOTFOUND;
120 const IssueAdviceInfo& IdentityTokenCacheValue::issue_advice() const {
121 return issue_advice_;
124 const std::string& IdentityTokenCacheValue::token() const { return token_; }
126 bool IdentityTokenCacheValue::is_expired() const {
127 return status_ == CACHE_STATUS_NOTFOUND ||
128 expiration_time_ < base::Time::Now();
131 const base::Time& IdentityTokenCacheValue::expiration_time() const {
132 return expiration_time_;
135 IdentityAPI::IdentityAPI(content::BrowserContext* context)
136 : browser_context_(context),
137 profile_identity_provider_(
138 SigninManagerFactory::GetForProfile(
139 Profile::FromBrowserContext(context)),
140 ProfileOAuth2TokenServiceFactory::GetForProfile(
141 Profile::FromBrowserContext(context)),
142 LoginUIServiceFactory::GetForProfile(
143 Profile::FromBrowserContext(context))),
144 account_tracker_(&profile_identity_provider_,
145 g_browser_process->system_request_context()) {
146 account_tracker_.AddObserver(this);
149 IdentityAPI::~IdentityAPI() {}
151 IdentityMintRequestQueue* IdentityAPI::mint_queue() { return &mint_queue_; }
153 void IdentityAPI::SetCachedToken(const ExtensionTokenKey& key,
154 const IdentityTokenCacheValue& token_data) {
155 CachedTokens::iterator it = token_cache_.find(key);
156 if (it != token_cache_.end() && it->second.status() <= token_data.status())
157 token_cache_.erase(it);
159 token_cache_.insert(std::make_pair(key, token_data));
162 void IdentityAPI::EraseCachedToken(const std::string& extension_id,
163 const std::string& token) {
164 CachedTokens::iterator it;
165 for (it = token_cache_.begin(); it != token_cache_.end(); ++it) {
166 if (it->first.extension_id == extension_id &&
167 it->second.status() == IdentityTokenCacheValue::CACHE_STATUS_TOKEN &&
168 it->second.token() == token) {
169 token_cache_.erase(it);
175 void IdentityAPI::EraseAllCachedTokens() { token_cache_.clear(); }
177 const IdentityTokenCacheValue& IdentityAPI::GetCachedToken(
178 const ExtensionTokenKey& key) {
179 return token_cache_[key];
182 const IdentityAPI::CachedTokens& IdentityAPI::GetAllCachedTokens() {
186 std::vector<std::string> IdentityAPI::GetAccounts() const {
187 const std::string primary_account_id = GetPrimaryAccountId(browser_context_);
188 const std::vector<gaia::AccountIds> ids = account_tracker_.GetAccounts();
189 std::vector<std::string> gaia_ids;
191 if (switches::IsExtensionsMultiAccount()) {
192 for (std::vector<gaia::AccountIds>::const_iterator it = ids.begin();
195 gaia_ids.push_back(it->gaia);
197 } else if (ids.size() >= 1) {
198 gaia_ids.push_back(ids[0].gaia);
204 std::string IdentityAPI::FindAccountKeyByGaiaId(const std::string& gaia_id) {
205 return account_tracker_.FindAccountIdsByGaiaId(gaia_id).account_key;
208 void IdentityAPI::Shutdown() {
209 FOR_EACH_OBSERVER(ShutdownObserver, shutdown_observer_list_, OnShutdown());
210 account_tracker_.RemoveObserver(this);
211 account_tracker_.Shutdown();
214 static base::LazyInstance<BrowserContextKeyedAPIFactory<IdentityAPI> >
215 g_factory = LAZY_INSTANCE_INITIALIZER;
218 BrowserContextKeyedAPIFactory<IdentityAPI>* IdentityAPI::GetFactoryInstance() {
219 return g_factory.Pointer();
222 void IdentityAPI::OnAccountAdded(const gaia::AccountIds& ids) {
225 void IdentityAPI::OnAccountRemoved(const gaia::AccountIds& ids) {
228 void IdentityAPI::OnAccountSignInChanged(const gaia::AccountIds& ids,
230 api::identity::AccountInfo account_info;
231 account_info.id = ids.gaia;
233 scoped_ptr<base::ListValue> args =
234 api::identity::OnSignInChanged::Create(account_info, is_signed_in);
235 scoped_ptr<Event> event(new Event(api::identity::OnSignInChanged::kEventName,
239 EventRouter::Get(browser_context_)->BroadcastEvent(event.Pass());
242 void IdentityAPI::AddShutdownObserver(ShutdownObserver* observer) {
243 shutdown_observer_list_.AddObserver(observer);
246 void IdentityAPI::RemoveShutdownObserver(ShutdownObserver* observer) {
247 shutdown_observer_list_.RemoveObserver(observer);
250 void IdentityAPI::SetAccountStateForTest(gaia::AccountIds ids,
252 account_tracker_.SetAccountStateForTest(ids, is_signed_in);
256 void BrowserContextKeyedAPIFactory<IdentityAPI>::DeclareFactoryDependencies() {
257 DependsOn(ExtensionsBrowserClient::Get()->GetExtensionSystemFactory());
258 DependsOn(ProfileOAuth2TokenServiceFactory::GetInstance());
261 IdentityGetAccountsFunction::IdentityGetAccountsFunction() {
264 IdentityGetAccountsFunction::~IdentityGetAccountsFunction() {
267 ExtensionFunction::ResponseAction IdentityGetAccountsFunction::Run() {
268 if (GetProfile()->IsOffTheRecord()) {
269 return RespondNow(Error(identity_constants::kOffTheRecord));
272 std::vector<std::string> gaia_ids =
273 IdentityAPI::GetFactoryInstance()->Get(GetProfile())->GetAccounts();
274 DCHECK(gaia_ids.size() < 2 || switches::IsExtensionsMultiAccount());
276 base::ListValue* infos = new base::ListValue();
278 for (std::vector<std::string>::const_iterator it = gaia_ids.begin();
279 it != gaia_ids.end();
281 api::identity::AccountInfo account_info;
282 account_info.id = *it;
283 infos->Append(account_info.ToValue().release());
286 return RespondNow(OneArgument(infos));
289 IdentityGetAuthTokenFunction::IdentityGetAuthTokenFunction()
290 : OAuth2TokenService::Consumer("extensions_identity_api"),
291 should_prompt_for_scopes_(false),
292 should_prompt_for_signin_(false) {
295 IdentityGetAuthTokenFunction::~IdentityGetAuthTokenFunction() {
296 TRACE_EVENT_ASYNC_END0("identity", "IdentityGetAuthTokenFunction", this);
299 bool IdentityGetAuthTokenFunction::RunAsync() {
300 TRACE_EVENT_ASYNC_BEGIN1("identity",
301 "IdentityGetAuthTokenFunction",
306 if (GetProfile()->IsOffTheRecord()) {
307 error_ = identity_constants::kOffTheRecord;
311 scoped_ptr<identity::GetAuthToken::Params> params(
312 identity::GetAuthToken::Params::Create(*args_));
313 EXTENSION_FUNCTION_VALIDATE(params.get());
314 bool interactive = params->details.get() &&
315 params->details->interactive.get() &&
316 *params->details->interactive;
318 should_prompt_for_scopes_ = interactive;
319 should_prompt_for_signin_ = interactive;
321 const OAuth2Info& oauth2_info = OAuth2Info::GetOAuth2Info(extension());
323 // Check that the necessary information is present in the manifest.
324 oauth2_client_id_ = GetOAuth2ClientId();
325 if (oauth2_client_id_.empty()) {
326 error_ = identity_constants::kInvalidClientId;
330 std::set<std::string> scopes(oauth2_info.scopes.begin(),
331 oauth2_info.scopes.end());
333 std::string account_key = GetPrimaryAccountId(GetProfile());
335 if (params->details.get()) {
336 if (params->details->account.get()) {
337 std::string detail_key =
338 extensions::IdentityAPI::GetFactoryInstance()
340 ->FindAccountKeyByGaiaId(params->details->account->id);
342 if (detail_key != account_key) {
343 if (detail_key.empty() || !switches::IsExtensionsMultiAccount()) {
344 // TODO(courage): should this be a different error?
345 error_ = identity_constants::kUserNotSignedIn;
349 account_key = detail_key;
353 if (params->details->scopes.get()) {
354 scopes = std::set<std::string>(params->details->scopes->begin(),
355 params->details->scopes->end());
359 if (scopes.size() == 0) {
360 error_ = identity_constants::kInvalidScopes;
365 new ExtensionTokenKey(extension()->id(), account_key, scopes));
367 // From here on out, results must be returned asynchronously.
370 #if defined(OS_CHROMEOS)
371 policy::BrowserPolicyConnectorChromeOS* connector =
372 g_browser_process->platform_part()->browser_policy_connector_chromeos();
373 if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp() &&
374 connector->IsEnterpriseManaged()) {
375 StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE);
380 if (!HasLoginToken()) {
381 if (!should_prompt_for_signin_) {
382 CompleteFunctionWithError(identity_constants::kUserNotSignedIn);
385 // Display a login prompt.
388 StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE);
394 void IdentityGetAuthTokenFunction::StartAsyncRun() {
395 // Balanced in CompleteAsyncRun
397 extensions::IdentityAPI::GetFactoryInstance()
399 ->AddShutdownObserver(this);
402 void IdentityGetAuthTokenFunction::CompleteAsyncRun(bool success) {
403 extensions::IdentityAPI::GetFactoryInstance()
405 ->RemoveShutdownObserver(this);
407 SendResponse(success);
408 Release(); // Balanced in StartAsyncRun
411 void IdentityGetAuthTokenFunction::CompleteFunctionWithResult(
412 const std::string& access_token) {
414 SetResult(new base::StringValue(access_token));
415 CompleteAsyncRun(true);
418 void IdentityGetAuthTokenFunction::CompleteFunctionWithError(
419 const std::string& error) {
420 TRACE_EVENT_ASYNC_STEP_PAST1("identity",
421 "IdentityGetAuthTokenFunction",
423 "CompleteFunctionWithError",
427 CompleteAsyncRun(false);
430 void IdentityGetAuthTokenFunction::StartSigninFlow() {
431 // All cached tokens are invalid because the user is not signed in.
432 IdentityAPI* id_api =
433 extensions::IdentityAPI::GetFactoryInstance()->Get(GetProfile());
434 id_api->EraseAllCachedTokens();
435 // Display a login prompt. If the subsequent mint fails, don't display the
436 // login prompt again.
437 should_prompt_for_signin_ = false;
441 void IdentityGetAuthTokenFunction::StartMintTokenFlow(
442 IdentityMintRequestQueue::MintType type) {
443 mint_token_flow_type_ = type;
445 // Flows are serialized to prevent excessive traffic to GAIA, and
446 // to consolidate UI pop-ups.
447 IdentityAPI* id_api =
448 extensions::IdentityAPI::GetFactoryInstance()->Get(GetProfile());
450 if (!should_prompt_for_scopes_) {
451 // Caller requested no interaction.
453 if (type == IdentityMintRequestQueue::MINT_TYPE_INTERACTIVE) {
454 // GAIA told us to do a consent UI.
455 CompleteFunctionWithError(identity_constants::kNoGrant);
458 if (!id_api->mint_queue()->empty(
459 IdentityMintRequestQueue::MINT_TYPE_INTERACTIVE, *token_key_)) {
460 // Another call is going through a consent UI.
461 CompleteFunctionWithError(identity_constants::kNoGrant);
465 id_api->mint_queue()->RequestStart(type, *token_key_, this);
468 void IdentityGetAuthTokenFunction::CompleteMintTokenFlow() {
469 IdentityMintRequestQueue::MintType type = mint_token_flow_type_;
471 extensions::IdentityAPI::GetFactoryInstance()
474 ->RequestComplete(type, *token_key_, this);
477 void IdentityGetAuthTokenFunction::StartMintToken(
478 IdentityMintRequestQueue::MintType type) {
479 TRACE_EVENT_ASYNC_STEP_PAST1("identity",
480 "IdentityGetAuthTokenFunction",
486 const OAuth2Info& oauth2_info = OAuth2Info::GetOAuth2Info(extension());
487 IdentityAPI* id_api = IdentityAPI::GetFactoryInstance()->Get(GetProfile());
488 IdentityTokenCacheValue cache_entry = id_api->GetCachedToken(*token_key_);
489 IdentityTokenCacheValue::CacheValueStatus cache_status =
490 cache_entry.status();
492 if (type == IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE) {
493 switch (cache_status) {
494 case IdentityTokenCacheValue::CACHE_STATUS_NOTFOUND:
495 #if defined(OS_CHROMEOS)
496 // Always force minting token for ChromeOS kiosk app.
497 if (user_manager::UserManager::Get()->IsLoggedInAsKioskApp()) {
498 gaia_mint_token_mode_ = OAuth2MintTokenFlow::MODE_MINT_TOKEN_FORCE;
499 policy::BrowserPolicyConnectorChromeOS* connector =
500 g_browser_process->platform_part()
501 ->browser_policy_connector_chromeos();
502 if (connector->IsEnterpriseManaged()) {
503 StartDeviceLoginAccessTokenRequest();
505 StartLoginAccessTokenRequest();
511 if (oauth2_info.auto_approve)
512 // oauth2_info.auto_approve is protected by a whitelist in
513 // _manifest_features.json hence only selected extensions take
514 // advantage of forcefully minting the token.
515 gaia_mint_token_mode_ = OAuth2MintTokenFlow::MODE_MINT_TOKEN_FORCE;
517 gaia_mint_token_mode_ = OAuth2MintTokenFlow::MODE_MINT_TOKEN_NO_FORCE;
518 StartLoginAccessTokenRequest();
521 case IdentityTokenCacheValue::CACHE_STATUS_TOKEN:
522 CompleteMintTokenFlow();
523 CompleteFunctionWithResult(cache_entry.token());
526 case IdentityTokenCacheValue::CACHE_STATUS_ADVICE:
527 CompleteMintTokenFlow();
528 should_prompt_for_signin_ = false;
529 issue_advice_ = cache_entry.issue_advice();
530 StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_INTERACTIVE);
534 DCHECK(type == IdentityMintRequestQueue::MINT_TYPE_INTERACTIVE);
536 if (cache_status == IdentityTokenCacheValue::CACHE_STATUS_TOKEN) {
537 CompleteMintTokenFlow();
538 CompleteFunctionWithResult(cache_entry.token());
540 ShowOAuthApprovalDialog(issue_advice_);
545 void IdentityGetAuthTokenFunction::OnMintTokenSuccess(
546 const std::string& access_token, int time_to_live) {
547 TRACE_EVENT_ASYNC_STEP_PAST0("identity",
548 "IdentityGetAuthTokenFunction",
550 "OnMintTokenSuccess");
552 IdentityTokenCacheValue token(access_token,
553 base::TimeDelta::FromSeconds(time_to_live));
554 IdentityAPI::GetFactoryInstance()->Get(GetProfile())->SetCachedToken(
557 CompleteMintTokenFlow();
558 CompleteFunctionWithResult(access_token);
561 void IdentityGetAuthTokenFunction::OnMintTokenFailure(
562 const GoogleServiceAuthError& error) {
563 TRACE_EVENT_ASYNC_STEP_PAST1("identity",
564 "IdentityGetAuthTokenFunction",
566 "OnMintTokenFailure",
569 CompleteMintTokenFlow();
571 switch (error.state()) {
572 case GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS:
573 case GoogleServiceAuthError::ACCOUNT_DELETED:
574 case GoogleServiceAuthError::ACCOUNT_DISABLED:
575 // TODO(courage): flush ticket and retry once
576 if (should_prompt_for_signin_) {
577 // Display a login prompt and try again (once).
583 // Return error to caller.
587 CompleteFunctionWithError(
588 std::string(identity_constants::kAuthFailure) + error.ToString());
591 void IdentityGetAuthTokenFunction::OnIssueAdviceSuccess(
592 const IssueAdviceInfo& issue_advice) {
593 TRACE_EVENT_ASYNC_STEP_PAST0("identity",
594 "IdentityGetAuthTokenFunction",
596 "OnIssueAdviceSuccess");
598 IdentityAPI::GetFactoryInstance()->Get(GetProfile())->SetCachedToken(
599 *token_key_, IdentityTokenCacheValue(issue_advice));
600 CompleteMintTokenFlow();
602 should_prompt_for_signin_ = false;
603 // Existing grant was revoked and we used NO_FORCE, so we got info back
604 // instead. Start a consent UI if we can.
605 issue_advice_ = issue_advice;
606 StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_INTERACTIVE);
609 void IdentityGetAuthTokenFunction::SigninSuccess() {
610 TRACE_EVENT_ASYNC_STEP_PAST0("identity",
611 "IdentityGetAuthTokenFunction",
615 // If there was no account associated this profile before the
616 // sign-in, we may not have an account_id in the token_key yet.
617 if (token_key_->account_id.empty()) {
618 token_key_->account_id = GetPrimaryAccountId(GetProfile());
621 StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE);
624 void IdentityGetAuthTokenFunction::SigninFailed() {
625 TRACE_EVENT_ASYNC_STEP_PAST0("identity",
626 "IdentityGetAuthTokenFunction",
629 CompleteFunctionWithError(identity_constants::kUserNotSignedIn);
632 void IdentityGetAuthTokenFunction::OnGaiaFlowFailure(
633 GaiaWebAuthFlow::Failure failure,
634 GoogleServiceAuthError service_error,
635 const std::string& oauth_error) {
636 CompleteMintTokenFlow();
640 case GaiaWebAuthFlow::WINDOW_CLOSED:
641 error = identity_constants::kUserRejected;
644 case GaiaWebAuthFlow::INVALID_REDIRECT:
645 error = identity_constants::kInvalidRedirect;
648 case GaiaWebAuthFlow::SERVICE_AUTH_ERROR:
649 error = std::string(identity_constants::kAuthFailure) +
650 service_error.ToString();
653 case GaiaWebAuthFlow::OAUTH_ERROR:
654 error = MapOAuth2ErrorToDescription(oauth_error);
657 case GaiaWebAuthFlow::LOAD_FAILED:
658 error = identity_constants::kPageLoadFailure;
662 NOTREACHED() << "Unexpected error from gaia web auth flow: " << failure;
663 error = identity_constants::kInvalidRedirect;
667 CompleteFunctionWithError(error);
670 void IdentityGetAuthTokenFunction::OnGaiaFlowCompleted(
671 const std::string& access_token,
672 const std::string& expiration) {
673 TRACE_EVENT_ASYNC_STEP_PAST0("identity",
674 "IdentityGetAuthTokenFunction",
676 "OnGaiaFlowCompleted");
678 if (!expiration.empty() && base::StringToInt(expiration, &time_to_live)) {
679 IdentityTokenCacheValue token_value(
680 access_token, base::TimeDelta::FromSeconds(time_to_live));
681 IdentityAPI::GetFactoryInstance()->Get(GetProfile())->SetCachedToken(
682 *token_key_, token_value);
685 CompleteMintTokenFlow();
686 CompleteFunctionWithResult(access_token);
689 void IdentityGetAuthTokenFunction::OnGetTokenSuccess(
690 const OAuth2TokenService::Request* request,
691 const std::string& access_token,
692 const base::Time& expiration_time) {
693 TRACE_EVENT_ASYNC_STEP_PAST1("identity",
694 "IdentityGetAuthTokenFunction",
698 request->GetAccountId());
699 login_token_request_.reset();
700 StartGaiaRequest(access_token);
703 void IdentityGetAuthTokenFunction::OnGetTokenFailure(
704 const OAuth2TokenService::Request* request,
705 const GoogleServiceAuthError& error) {
706 TRACE_EVENT_ASYNC_STEP_PAST1("identity",
707 "IdentityGetAuthTokenFunction",
712 login_token_request_.reset();
713 OnGaiaFlowFailure(GaiaWebAuthFlow::SERVICE_AUTH_ERROR, error, std::string());
716 void IdentityGetAuthTokenFunction::OnShutdown() {
717 gaia_web_auth_flow_.reset();
718 signin_flow_.reset();
719 login_token_request_.reset();
720 extensions::IdentityAPI::GetFactoryInstance()
723 ->RequestCancel(*token_key_, this);
724 CompleteFunctionWithError(identity_constants::kCanceled);
727 #if defined(OS_CHROMEOS)
728 void IdentityGetAuthTokenFunction::StartDeviceLoginAccessTokenRequest() {
729 chromeos::DeviceOAuth2TokenService* service =
730 chromeos::DeviceOAuth2TokenServiceFactory::Get();
731 // Since robot account refresh tokens are scoped down to [any-api] only,
732 // request access token for [any-api] instead of login.
733 OAuth2TokenService::ScopeSet scopes;
734 scopes.insert(GaiaConstants::kAnyApiOAuth2Scope);
735 login_token_request_ =
736 service->StartRequest(service->GetRobotAccountId(),
742 void IdentityGetAuthTokenFunction::StartLoginAccessTokenRequest() {
743 ProfileOAuth2TokenService* service =
744 ProfileOAuth2TokenServiceFactory::GetForProfile(GetProfile());
745 #if defined(OS_CHROMEOS)
746 if (chrome::IsRunningInForcedAppMode()) {
747 std::string app_client_id;
748 std::string app_client_secret;
749 if (chromeos::UserSessionManager::GetInstance()->
750 GetAppModeChromeClientOAuthInfo(&app_client_id,
751 &app_client_secret)) {
752 login_token_request_ =
753 service->StartRequestForClient(token_key_->account_id,
756 OAuth2TokenService::ScopeSet(),
762 login_token_request_ = service->StartRequest(
763 token_key_->account_id, OAuth2TokenService::ScopeSet(), this);
766 void IdentityGetAuthTokenFunction::StartGaiaRequest(
767 const std::string& login_access_token) {
768 DCHECK(!login_access_token.empty());
769 mint_token_flow_.reset(CreateMintTokenFlow());
770 mint_token_flow_->Start(GetProfile()->GetRequestContext(),
774 void IdentityGetAuthTokenFunction::ShowLoginPopup() {
775 signin_flow_.reset(new IdentitySigninFlow(this, GetProfile()));
776 signin_flow_->Start();
779 void IdentityGetAuthTokenFunction::ShowOAuthApprovalDialog(
780 const IssueAdviceInfo& issue_advice) {
781 const std::string locale = extension_l10n_util::CurrentLocaleOrDefault();
783 gaia_web_auth_flow_.reset(new GaiaWebAuthFlow(
784 this, GetProfile(), token_key_.get(), oauth2_client_id_, locale));
785 gaia_web_auth_flow_->Start();
788 OAuth2MintTokenFlow* IdentityGetAuthTokenFunction::CreateMintTokenFlow() {
789 SigninClient* signin_client =
790 ChromeSigninClientFactory::GetForProfile(GetProfile());
791 std::string signin_scoped_device_id =
792 signin_client->GetSigninScopedDeviceId();
793 OAuth2MintTokenFlow* mint_token_flow = new OAuth2MintTokenFlow(
795 OAuth2MintTokenFlow::Parameters(
798 std::vector<std::string>(token_key_->scopes.begin(),
799 token_key_->scopes.end()),
800 signin_scoped_device_id,
801 gaia_mint_token_mode_));
802 return mint_token_flow;
805 bool IdentityGetAuthTokenFunction::HasLoginToken() const {
806 ProfileOAuth2TokenService* token_service =
807 ProfileOAuth2TokenServiceFactory::GetForProfile(GetProfile());
808 return token_service->RefreshTokenIsAvailable(token_key_->account_id);
811 std::string IdentityGetAuthTokenFunction::MapOAuth2ErrorToDescription(
812 const std::string& error) {
813 const char kOAuth2ErrorAccessDenied[] = "access_denied";
814 const char kOAuth2ErrorInvalidScope[] = "invalid_scope";
816 if (error == kOAuth2ErrorAccessDenied)
817 return std::string(identity_constants::kUserRejected);
818 else if (error == kOAuth2ErrorInvalidScope)
819 return std::string(identity_constants::kInvalidScopes);
821 return std::string(identity_constants::kAuthFailure) + error;
824 std::string IdentityGetAuthTokenFunction::GetOAuth2ClientId() const {
825 const OAuth2Info& oauth2_info = OAuth2Info::GetOAuth2Info(extension());
826 std::string client_id = oauth2_info.client_id;
828 // Component apps using auto_approve may use Chrome's client ID by
829 // omitting the field.
830 if (client_id.empty() && extension()->location() == Manifest::COMPONENT &&
831 oauth2_info.auto_approve) {
832 client_id = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
837 IdentityGetProfileUserInfoFunction::IdentityGetProfileUserInfoFunction() {
840 IdentityGetProfileUserInfoFunction::~IdentityGetProfileUserInfoFunction() {
843 ExtensionFunction::ResponseAction IdentityGetProfileUserInfoFunction::Run() {
844 if (GetProfile()->IsOffTheRecord()) {
845 return RespondNow(Error(identity_constants::kOffTheRecord));
848 api::identity::ProfileUserInfo profile_user_info;
849 if (extension()->permissions_data()->HasAPIPermission(
850 APIPermission::kIdentityEmail)) {
851 profile_user_info.email =
852 GetProfile()->GetPrefs()->GetString(prefs::kGoogleServicesUsername);
854 profile_user_info.id =
855 GetProfile()->GetPrefs()->GetString(prefs::kGoogleServicesUserAccountId);
857 return RespondNow(OneArgument(profile_user_info.ToValue().release()));
860 IdentityRemoveCachedAuthTokenFunction::IdentityRemoveCachedAuthTokenFunction() {
863 IdentityRemoveCachedAuthTokenFunction::
864 ~IdentityRemoveCachedAuthTokenFunction() {
867 bool IdentityRemoveCachedAuthTokenFunction::RunSync() {
868 if (GetProfile()->IsOffTheRecord()) {
869 error_ = identity_constants::kOffTheRecord;
873 scoped_ptr<identity::RemoveCachedAuthToken::Params> params(
874 identity::RemoveCachedAuthToken::Params::Create(*args_));
875 EXTENSION_FUNCTION_VALIDATE(params.get());
876 IdentityAPI::GetFactoryInstance()->Get(GetProfile())->EraseCachedToken(
877 extension()->id(), params->details.token);
881 IdentityLaunchWebAuthFlowFunction::IdentityLaunchWebAuthFlowFunction() {}
883 IdentityLaunchWebAuthFlowFunction::~IdentityLaunchWebAuthFlowFunction() {
885 auth_flow_.release()->DetachDelegateAndDelete();
888 bool IdentityLaunchWebAuthFlowFunction::RunAsync() {
889 if (GetProfile()->IsOffTheRecord()) {
890 error_ = identity_constants::kOffTheRecord;
894 scoped_ptr<identity::LaunchWebAuthFlow::Params> params(
895 identity::LaunchWebAuthFlow::Params::Create(*args_));
896 EXTENSION_FUNCTION_VALIDATE(params.get());
898 GURL auth_url(params->details.url);
899 WebAuthFlow::Mode mode =
900 params->details.interactive && *params->details.interactive ?
901 WebAuthFlow::INTERACTIVE : WebAuthFlow::SILENT;
903 // Set up acceptable target URLs. (Does not include chrome-extension
904 // scheme for this version of the API.)
905 InitFinalRedirectURLPrefix(extension()->id());
907 AddRef(); // Balanced in OnAuthFlowSuccess/Failure.
909 auth_flow_.reset(new WebAuthFlow(this, GetProfile(), auth_url, mode));
914 void IdentityLaunchWebAuthFlowFunction::InitFinalRedirectURLPrefixForTest(
915 const std::string& extension_id) {
916 InitFinalRedirectURLPrefix(extension_id);
919 void IdentityLaunchWebAuthFlowFunction::InitFinalRedirectURLPrefix(
920 const std::string& extension_id) {
921 if (final_url_prefix_.is_empty()) {
922 final_url_prefix_ = GURL(base::StringPrintf(
923 kChromiumDomainRedirectUrlPattern, extension_id.c_str()));
927 void IdentityLaunchWebAuthFlowFunction::OnAuthFlowFailure(
928 WebAuthFlow::Failure failure) {
930 case WebAuthFlow::WINDOW_CLOSED:
931 error_ = identity_constants::kUserRejected;
933 case WebAuthFlow::INTERACTION_REQUIRED:
934 error_ = identity_constants::kInteractionRequired;
936 case WebAuthFlow::LOAD_FAILED:
937 error_ = identity_constants::kPageLoadFailure;
940 NOTREACHED() << "Unexpected error from web auth flow: " << failure;
941 error_ = identity_constants::kInvalidRedirect;
945 Release(); // Balanced in RunAsync.
948 void IdentityLaunchWebAuthFlowFunction::OnAuthFlowURLChange(
949 const GURL& redirect_url) {
950 if (redirect_url.GetWithEmptyPath() == final_url_prefix_) {
951 SetResult(new base::StringValue(redirect_url.spec()));
953 Release(); // Balanced in RunAsync.
957 } // namespace extensions