Invalidate tokens immediately after Supervision enabled

This ensures that the user will not be able to log back in to the device without going through the initial login screen again. We don't want the user to be able to temporarily log in under the expired tokens if the device hasn't yet received the signal indicating token revocation from the server. Bug: 1000948 Change-Id: Ib373dd0548c9bbe58f6c3cb05766f7c40d97f6e7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1786857Reviewed-by: Mihai Sardarescu <msarda@chromium.org> Reviewed-by: Michael Giuffrida <michaelpg@chromium.org> Commit-Queue: Danan S <danan@chromium.org> Cr-Commit-Position: refs/heads/master@{#693781}

Invalidate tokens immediately after Supervision enabled
This ensures that the user will not be able to log back in to the device without going through the initial login screen again. We don't want the user to be able to temporarily log in under the expired tokens if the device hasn't yet received the signal indicating token revocation from the server. Bug: 1000948 Change-Id: Ib373dd0548c9bbe58f6c3cb05766f7c40d97f6e7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1786857Reviewed-by: Mihai Sardarescu <msarda@chromium.org> Reviewed-by: Michael Giuffrida <michaelpg@chromium.org> Commit-Queue: Danan S <danan@chromium.org> Cr-Commit-Position: refs/heads/master@{#693781}
486d2314 · Danan S · Commit Bot · 76aacb20 · 486d2314 · 486d2314
Commit 486d2314 authored Sep 05, 2019 by Danan S Committed by Commit Bot Sep 05, 2019
3 changed files
--- a/chrome/browser/ui/webui/chromeos/add_supervision/add_supervision_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/add_supervision/add_supervision_handler.cc
@@ -19,8 +19,10 @@
 #include "chrome/browser/ui/app_list/arc/arc_app_utils.h"
 #include "chrome/browser/ui/webui/chromeos/add_supervision/add_supervision_handler_utils.h"
 #include "chrome/services/app_service/public/cpp/app_registry_cache.h"
+#include "components/signin/public/base/signin_metrics.h"
 #include "components/signin/public/identity_manager/access_token_fetcher.h"
 #include "components/signin/public/identity_manager/access_token_info.h"
+#include "components/signin/public/identity_manager/accounts_mutator.h"
 #include "components/signin/public/identity_manager/identity_manager.h"
 #include "content/public/browser/web_ui.h"
 #include "google_apis/gaia/gaia_constants.h"
@@ -94,6 +96,10 @@ void AddSupervisionHandler::NotifySupervisionEnabled() {
      SupervisedUserServiceFactory::GetForProfile(Profile::FromWebUI(web_ui_));
  service->set_signout_required_after_supervision_enabled();
+  identity_manager_->GetAccountsMutator()
+      ->InvalidateRefreshTokenForPrimaryAccount(
+          signin_metrics::SourceForRefreshTokenOperation::
+              kAddSupervision_SupervisionEnabled);
 }
 void AddSupervisionHandler::OnAccessTokenFetchComplete(

--- a/components/signin/internal/identity_manager/profile_oauth2_token_service.cc
+++ b/components/signin/internal/identity_manager/profile_oauth2_token_service.cc
@@ -65,6 +65,8 @@ std::string SourceToString(SourceForRefreshTokenOperation source) {
    case SourceForRefreshTokenOperation::
        kAccountReconcilor_RevokeTokensNotInCookies:
      return "AccountReconcilor::RevokeTokensNotInCookies";
+    case SourceForRefreshTokenOperation::kAddSupervision_SupervisionEnabled:
+      return "AddSupervision::SupervisionEnabled";
  }
 }
 }  // namespace

--- a/components/signin/public/base/signin_metrics.h
+++ b/components/signin/public/base/signin_metrics.h
@@ -311,8 +311,9 @@ enum class SourceForRefreshTokenOperation {
  kMachineLogon_CredentialProvider,
  kTokenService_ExtractCredentials,
  kAccountReconcilor_RevokeTokensNotInCookies,
+  kAddSupervision_SupervisionEnabled,
-  kMaxValue = kAccountReconcilor_RevokeTokensNotInCookies
+  kMaxValue = kAddSupervision_SupervisionEnabled
 };
 // Different types of reporting. This is used as a histogram suffix.