[signin] Add DICe flow for account consistency requests.

BUG=730029

Review-Url: https://codereview.chromium.org/2923733003
Cr-Commit-Position: refs/heads/master@{#478584}

components/signin/core/browser/BUILD.gn

@@ -32,6 +32,10 @@ static_library("browser") {
     "child_account_info_fetcher_android.h",
     "child_account_info_fetcher_impl.cc",
     "child_account_info_fetcher_impl.h",
+    "chrome_connected_header_helper.cc",
+    "chrome_connected_header_helper.h",
+    "dice_header_helper.cc",
+    "dice_header_helper.h",
     "gaia_cookie_manager_service.cc",
     "gaia_cookie_manager_service.h",
     "profile_identity_provider.cc",
@@ -107,6 +111,13 @@ static_library("browser") {
     ]
   }
 
+  if (is_android || is_ios) {
+    sources -= [
+      "dice_header_helper.cc",
+      "dice_header_helper.h",
+    ]
+  }
+
   if (is_android) {
     sources -= [
       "child_account_info_fetcher_impl.cc",

components/signin/core/browser/chrome_connected_header_helper.cc

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/signin/core/browser/chrome_connected_header_helper.h"
+
+#include <vector>
+
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
+#include "base/strings/stringprintf.h"
+#include "components/google/core/browser/google_util.h"
+#include "components/signin/core/common/profile_management_switches.h"
+#include "google_apis/gaia/gaia_auth_util.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
+#include "url/gurl.h"
+
+namespace signin {
+
+namespace {
+
+const char kEnableAccountConsistencyAttrName[] = "enable_account_consistency";
+const char kGaiaIdAttrName[] = "id";
+const char kProfileModeAttrName[] = "mode";
+
+}  // namespace
+
+// static
+std::string ChromeConnectedHeaderHelper::BuildRequestCookieIfPossible(
+    const GURL& url,
+    const std::string& account_id,
+    const content_settings::CookieSettings* cookie_settings,
+    int profile_mode_mask) {
+  ChromeConnectedHeaderHelper chrome_connected_helper;
+  return chrome_connected_helper.BuildRequestHeaderIfPossible(
+      false /* is_header_request */, url, account_id, cookie_settings,
+      profile_mode_mask);
+}
+
+bool ChromeConnectedHeaderHelper::IsUrlEligibleToIncludeGaiaId(
+    const GURL& url,
+    bool is_header_request) {
+  if (is_header_request) {
+    // Gaia ID is only necessary for Drive. Don't set it otherwise.
+    return IsDriveOrigin(url.GetOrigin());
+  }
+
+  // Cookie requests don't have the granularity to only include the Gaia ID for
+  // Drive origin. Set it on all google.com instead.
+  if (!url.SchemeIsCryptographic())
+    return false;
+
+  const std::string kGoogleDomain = "google.com";
+  std::string domain = net::registry_controlled_domains::GetDomainAndRegistry(
+      url, net::registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
+  return domain == kGoogleDomain;
+}
+
+bool ChromeConnectedHeaderHelper::IsDriveOrigin(const GURL& url) {
+  if (!url.SchemeIsCryptographic())
+    return false;
+
+  const GURL kGoogleDriveURL("https://drive.google.com");
+  const GURL kGoogleDocsURL("https://docs.google.com");
+  return url == kGoogleDriveURL || url == kGoogleDocsURL;
+}
+
+bool ChromeConnectedHeaderHelper::IsUrlEligibleForRequestHeader(
+    const GURL& url) {
+  // Only set the header for Drive and Gaia always, and other Google properties
+  // if account consistency is enabled. Vasquette, which is integrated with most
+  // Google properties, needs the header to redirect certain user actions to
+  // Chrome native UI. Drive and Gaia need the header to tell if the current
+  // user is connected.
+
+  // Consider the account ID sensitive and limit it to secure domains.
+  if (!url.SchemeIsCryptographic())
+    return false;
+
+  GURL origin(url.GetOrigin());
+  bool is_enable_account_consistency =
+      switches::IsAccountConsistencyMirrorEnabled();
+  bool is_google_url = is_enable_account_consistency &&
+                       (google_util::IsGoogleDomainUrl(
+                            url, google_util::ALLOW_SUBDOMAIN,
+                            google_util::DISALLOW_NON_STANDARD_PORTS) ||
+                        google_util::IsYoutubeDomainUrl(
+                            url, google_util::ALLOW_SUBDOMAIN,
+                            google_util::DISALLOW_NON_STANDARD_PORTS));
+  return is_google_url || IsDriveOrigin(origin) ||
+         gaia::IsGaiaSignonRealm(origin);
+}
+
+std::string ChromeConnectedHeaderHelper::BuildRequestHeader(
+    bool is_header_request,
+    const GURL& url,
+    const std::string& account_id,
+    int profile_mode_mask) {
+  if (account_id.empty())
+    return std::string();
+
+  std::vector<std::string> parts;
+  if (IsUrlEligibleToIncludeGaiaId(url, is_header_request)) {
+    // Only set the Gaia ID on domains that actually requires it.
+    parts.push_back(
+        base::StringPrintf("%s=%s", kGaiaIdAttrName, account_id.c_str()));
+  }
+  parts.push_back(
+      base::StringPrintf("%s=%s", kProfileModeAttrName,
+                         base::IntToString(profile_mode_mask).c_str()));
+  parts.push_back(base::StringPrintf(
+      "%s=%s", kEnableAccountConsistencyAttrName,
+      switches::IsAccountConsistencyMirrorEnabled() ? "true" : "false"));
+
+  return base::JoinString(parts, is_header_request ? "," : ":");
+}
+
+}  // namespace signin

components/signin/core/browser/chrome_connected_header_helper.h

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SIGNIN_CORE_BROWSER_CHROME_CONNECTED_HEADER_HELPER_H_
+#define COMPONENTS_SIGNIN_CORE_BROWSER_CHROME_CONNECTED_HEADER_HELPER_H_
+
+#include <string>
+
+#include "components/signin/core/browser/signin_header_helper.h"
+
+class GURL;
+
+namespace signin {
+
+// SigninHeaderHelper implementation managing the "X-Chrome-Connected" header.
+class ChromeConnectedHeaderHelper : public SigninHeaderHelper {
+ public:
+  ChromeConnectedHeaderHelper() {}
+  ~ChromeConnectedHeaderHelper() override {}
+
+  // Returns the Chrome-Connected cookie, or an empty string if it should not be
+  // added to the request to |url|.
+  static std::string BuildRequestCookieIfPossible(
+      const GURL& url,
+      const std::string& account_id,
+      const content_settings::CookieSettings* cookie_settings,
+      int profile_mode_mask);
+
+ private:
+  // Returns whether the URL is eligible for the Gaia ID parameter.
+  bool IsUrlEligibleToIncludeGaiaId(const GURL& url, bool is_header_request);
+
+  // Returns whether the URL has a Google Drive origin.
+  bool IsDriveOrigin(const GURL& url);
+
+  // SigninHeaderHelper implementation:
+  bool IsUrlEligibleForRequestHeader(const GURL& url) override;
+  std::string BuildRequestHeader(bool is_header_request,
+                                 const GURL& url,
+                                 const std::string& account_id,
+                                 int profile_mode_mask) override;
+};
+
+}  // namespace signin
+
+#endif  // COMPONENTS_SIGNIN_CORE_BROWSER_CHROME_CONNECTED_HEADER_HELPER_H_

components/signin/core/browser/dice_header_helper.cc

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/signin/core/browser/dice_header_helper.h"
+
+#include "components/signin/core/common/profile_management_switches.h"
+#include "google_apis/gaia/gaia_auth_util.h"
+#include "google_apis/gaia/gaia_urls.h"
+#include "url/gurl.h"
+
+namespace signin {
+
+bool DiceHeaderHelper::IsUrlEligibleForRequestHeader(const GURL& url) {
+  if (switches::GetAccountConsistencyMethod() !=
+      switches::AccountConsistencyMethod::kDice) {
+    return false;
+  }
+  return gaia::IsGaiaSignonRealm(url.GetOrigin());
+}
+
+std::string DiceHeaderHelper::BuildRequestHeader(bool is_header_request,
+                                                 const GURL& url,
+                                                 const std::string& account_id,
+                                                 int profile_mode_mask) {
+  return "client_id=" + GaiaUrls::GetInstance()->oauth2_chrome_client_id();
+}
+
+}  // namespace signin

components/signin/core/browser/dice_header_helper.h

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SIGNIN_CORE_BROWSER_DICE_HEADER_HELPER_H_
+#define COMPONENTS_SIGNIN_CORE_BROWSER_DICE_HEADER_HELPER_H_
+
+#include <string>
+
+#include "components/signin/core/browser/signin_header_helper.h"
+
+class GURL;
+
+namespace signin {
+
+// SigninHeaderHelper implementation managing the Dice header.
+class DiceHeaderHelper : public SigninHeaderHelper {
+ public:
+  DiceHeaderHelper() {}
+  ~DiceHeaderHelper() override {}
+
+ private:
+  // SigninHeaderHelper implementation:
+  bool IsUrlEligibleForRequestHeader(const GURL& url) override;
+  std::string BuildRequestHeader(bool is_header_request,
+                                 const GURL& url,
+                                 const std::string& account_id,
+                                 int profile_mode_mask) override;
+};
+
+}  // namespace signin
+
+#endif  // COMPONENTS_SIGNIN_CORE_BROWSER_DICE_HEADER_HELPER_H_

components/signin/core/browser/signin_header_helper.h

@@ -31,12 +31,13 @@ enum ProfileMode {
 };
 
 extern const char kChromeConnectedHeader[];
+extern const char kDiceRequestHeader[];
 
-// The ServiceType specified by GAIA in the response header accompanying the 204
+// The ServiceType specified by Gaia in the response header accompanying the 204
 // response. This indicates the action Chrome is supposed to lead the user to
 // perform.
 enum GAIAServiceType {
-  GAIA_SERVICE_TYPE_NONE = 0,    // No GAIA response header.
+  GAIA_SERVICE_TYPE_NONE = 0,    // No Gaia response header.
   GAIA_SERVICE_TYPE_SIGNOUT,     // Logout all existing sessions.
   GAIA_SERVICE_TYPE_INCOGNITO,   // Open an incognito tab.
   GAIA_SERVICE_TYPE_ADDSESSION,  // Add a secondary account.
@@ -61,9 +62,9 @@ struct ManageAccountsParams {
 
 // iOS has no notion of route and child IDs.
 #if !defined(OS_IOS)
-  // The child id associated with the web content of the request.
+  // The child ID associated with the web content of the request.
   int child_id;
-  // The route id associated with the web content of the request.
+  // The route ID associated with the web content of the request.
   int route_id;
 #endif  // !defined(OS_IOS)
 
@@ -71,6 +72,45 @@ struct ManageAccountsParams {
   ManageAccountsParams(const ManageAccountsParams& other);
 };
 
+// Base class for managing the signin headers (Dice and Chrome-Connected).
+class SigninHeaderHelper {
+ public:
+  // Appends or remove the header to a network request if necessary.
+  bool AppendOrRemoveRequestHeader(
+      net::URLRequest* request,
+      const char* header_name,
+      const GURL& redirect_url,
+      const std::string& account_id,
+      const content_settings::CookieSettings* cookie_settings,
+      int profile_mode_mask);
+
+ protected:
+  SigninHeaderHelper() {}
+  virtual ~SigninHeaderHelper() {}
+
+  // Returns the value of the request header, or empty if the header should not
+  // be added. Calls into BuildRequestHeader() which is customized by
+  // subclasses.
+  std::string BuildRequestHeaderIfPossible(
+      bool is_header_request,
+      const GURL& url,
+      const std::string& account_id,
+      const content_settings::CookieSettings* cookie_settings,
+      int profile_mode_mask);
+
+ private:
+  // Returns whether the url is eligible for the request header.
+  virtual bool IsUrlEligibleForRequestHeader(const GURL& url) = 0;
+
+  // Returns the value of the request header, or empty if the header should not
+  // be added.
+  // The request is assumed to be eligible.
+  virtual std::string BuildRequestHeader(bool is_header_request,
+                                         const GURL& url,
+                                         const std::string& account_id,
+                                         int profile_mode_mask) = 0;
+};
+
 // Returns true if signin cookies are allowed.
 bool SettingsAllowSigninCookies(
     const content_settings::CookieSettings* cookie_settings);
@@ -86,7 +126,7 @@ std::string BuildMirrorRequestCookieIfPossible(
 // Adds account consistency header to all Gaia requests from a connected
 // profile, with the exception of requests from gaia webview.
 // Removes the header in case it should not be transfered to a redirected url.
-bool AppendOrRemoveAccountConsistentyRequestHeader(
+void AppendOrRemoveAccountConsistentyRequestHeader(
     net::URLRequest* request,
     const GURL& redirect_url,
     const std::string& account_id,

components/signin/core/browser/signin_header_helper_unittest.cc

@@ -2,19 +2,28 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "components/signin/core/browser/signin_header_helper.h"
+
 #include <memory>
+#include <string>
 
 #include "base/command_line.h"
 #include "base/message_loop/message_loop.h"
+#include "build/build_config.h"
 #include "components/content_settings/core/browser/cookie_settings.h"
-#include "components/signin/core/browser/signin_header_helper.h"
+#include "components/signin/core/browser/chrome_connected_header_helper.h"
 #include "components/signin/core/common/profile_management_switches.h"
 #include "components/sync_preferences/testing_pref_service_syncable.h"
+#include "google_apis/gaia/gaia_urls.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "net/url_request/url_request_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
 
+#if !defined(OS_IOS) && !defined(OS_ANDROID)
+#include "components/signin/core/browser/dice_header_helper.h"
+#endif
+
 class SigninHeaderHelperTest : public testing::Test {
  protected:
   void SetUp() override {
@@ -39,26 +48,56 @@ class SigninHeaderHelperTest : public testing::Test {
               expected_request);
   }
 
-  void CheckMirrorHeaderRequest(const GURL& url,
-                                const std::string& account_id,
-                                const std::string& expected_request) {
-    bool expected_result = !expected_request.empty();
+  std::unique_ptr<net::URLRequest> CreateRequest(
+      const GURL& url,
+      const std::string& account_id) {
     std::unique_ptr<net::URLRequest> url_request =
         url_request_context_.CreateRequest(url, net::DEFAULT_PRIORITY, nullptr,
                                            TRAFFIC_ANNOTATION_FOR_TESTS);
-    EXPECT_EQ(signin::AppendOrRemoveAccountConsistentyRequestHeader(
-                  url_request.get(), GURL(), account_id, cookie_settings_.get(),
-                  signin::PROFILE_MODE_DEFAULT),
-              expected_result);
+    signin::AppendOrRemoveAccountConsistentyRequestHeader(
+        url_request.get(), GURL(), account_id, cookie_settings_.get(),
+        signin::PROFILE_MODE_DEFAULT);
+    return url_request;
+  }
+
+  void CheckAccountConsistencyHeaderRequest(
+      net::URLRequest* url_request,
+      const char* header_name,
+      const std::string& expected_request) {
+    bool expected_result = !expected_request.empty();
     std::string request;
-    EXPECT_EQ(url_request->extra_request_headers().GetHeader(
-                  signin::kChromeConnectedHeader, &request),
-              expected_result);
+    EXPECT_EQ(
+        url_request->extra_request_headers().GetHeader(header_name, &request),
+        expected_result);
     if (expected_result) {
       EXPECT_EQ(expected_request, request);
     }
   }
 
+  void CheckMirrorHeaderRequest(const GURL& url,
+                                const std::string& account_id,
+                                const std::string& expected_request) {
+    std::unique_ptr<net::URLRequest> url_request =
+        CreateRequest(url, account_id);
+    CheckAccountConsistencyHeaderRequest(
+        url_request.get(), signin::kChromeConnectedHeader, expected_request);
+  }
+
+#if !defined(OS_IOS) && !defined(OS_ANDROID)
+  void CheckDiceHeaderRequest(const GURL& url,
+                              const std::string& account_id,
+                              const std::string& expected_mirror_request,
+                              const std::string& expected_dice_request) {
+    std::unique_ptr<net::URLRequest> url_request =
+        CreateRequest(url, account_id);
+    CheckAccountConsistencyHeaderRequest(url_request.get(),
+                                         signin::kChromeConnectedHeader,
+                                         expected_mirror_request);
+    CheckAccountConsistencyHeaderRequest(
+        url_request.get(), signin::kDiceRequestHeader, expected_dice_request);
+  }
+#endif
+
   base::MessageLoop loop_;
 
   sync_preferences::TestingPrefServiceSyncable prefs_;
@@ -118,14 +157,53 @@ TEST_F(SigninHeaderHelperTest, TestMirrorRequestGoogleCom) {
       "id=0123456789:mode=0:enable_account_consistency=true");
 }
 
+// Mirror is always enabled on Android and iOS, so these tests are only relevant
+// on Desktop.
+#if !defined(OS_ANDROID) && !defined(OS_IOS)
+
+// Tests that the Mirror request is returned when the target is a Gaia URL, even
+// if account consistency is disabled.
+TEST_F(SigninHeaderHelperTest, TestMirrorRequestGaiaURL) {
+  ASSERT_FALSE(switches::IsAccountConsistencyMirrorEnabled());
+  CheckMirrorHeaderRequest(GURL("https://accounts.google.com"), "0123456789",
+                           "mode=0,enable_account_consistency=false");
+  CheckMirrorCookieRequest(
+      GURL("https://accounts.google.com"), "0123456789",
+      "id=0123456789:mode=0:enable_account_consistency=false");
+}
+
+// Tests Dice requests.
+TEST_F(SigninHeaderHelperTest, TestDiceRequest) {
+  switches::EnableAccountConsistencyDiceForTesting(
+      base::CommandLine::ForCurrentProcess());
+  // ChromeConnected but no Dice for Docs URLs.
+  CheckDiceHeaderRequest(
+      GURL("https://docs.google.com"), "0123456789",
+      "id=0123456789,mode=0,enable_account_consistency=false", "");
+
+  // ChromeConnected and Dice for Gaia URLs.
+  std::string client_id = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
+  ASSERT_FALSE(client_id.empty());
+  CheckDiceHeaderRequest(GURL("https://accounts.google.com"), "0123456789",
+                         "mode=0,enable_account_consistency=false",
+                         "client_id=" + client_id);
+
+  // No ChromeConnected and no Dice for other URLs.
+  CheckDiceHeaderRequest(GURL("https://www.google.com"), "0123456789", "", "");
+}
+
+// Tests that no Dice request is returned when Dice is not enabled.
+TEST_F(SigninHeaderHelperTest, TestNoDiceRequestWhenDisabled) {
+  switches::EnableAccountConsistencyMirrorForTesting(
+      base::CommandLine::ForCurrentProcess());
+  CheckDiceHeaderRequest(GURL("https://accounts.google.com"), "0123456789",
+                         "mode=0,enable_account_consistency=true", "");
+}
+
 // Tests that the Mirror request is returned with the GAIA Id on Drive origin,
 // even if account consistency is disabled.
-//
-// Account consistency if always enabled on Android and iOS, so this test is
-// only relevant on Desktop.
-#if !defined(OS_ANDROID) && !defined(OS_IOS)
 TEST_F(SigninHeaderHelperTest, TestMirrorRequestDrive) {
-  DCHECK(!switches::IsAccountConsistencyMirrorEnabled());
+  ASSERT_FALSE(switches::IsAccountConsistencyMirrorEnabled());
   CheckMirrorHeaderRequest(
       GURL("https://docs.google.com/document"), "0123456789",
       "id=0123456789,mode=0,enable_account_consistency=false");
@@ -143,7 +221,8 @@ TEST_F(SigninHeaderHelperTest, TestMirrorRequestDrive) {
       GURL("https://drive.google.com/drive"), "0123456789",
       "id=0123456789:mode=0:enable_account_consistency=true");
 }
-#endif
+
+#endif  // !defined(OS_ANDROID) && !defined(OS_IOS)
 
 // Tests that the Mirror header request is returned normally when the redirect
 // URL is eligible.
@@ -156,9 +235,9 @@ TEST_F(SigninHeaderHelperTest, TestMirrorHeaderEligibleRedirectURL) {
   std::unique_ptr<net::URLRequest> url_request =
       url_request_context_.CreateRequest(url, net::DEFAULT_PRIORITY, nullptr,
                                          TRAFFIC_ANNOTATION_FOR_TESTS);
-  EXPECT_TRUE(signin::AppendOrRemoveAccountConsistentyRequestHeader(
+  signin::AppendOrRemoveAccountConsistentyRequestHeader(
       url_request.get(), redirect_url, account_id, cookie_settings_.get(),
-      signin::PROFILE_MODE_DEFAULT));
+      signin::PROFILE_MODE_DEFAULT);
   EXPECT_TRUE(url_request->extra_request_headers().HasHeader(
       signin::kChromeConnectedHeader));
 }
@@ -174,9 +253,9 @@ TEST_F(SigninHeaderHelperTest, TestMirrorHeaderNonEligibleRedirectURL) {
   std::unique_ptr<net::URLRequest> url_request =
       url_request_context_.CreateRequest(url, net::DEFAULT_PRIORITY, nullptr,
                                          TRAFFIC_ANNOTATION_FOR_TESTS);
-  EXPECT_FALSE(signin::AppendOrRemoveAccountConsistentyRequestHeader(
+  signin::AppendOrRemoveAccountConsistentyRequestHeader(
       url_request.get(), redirect_url, account_id, cookie_settings_.get(),
-      signin::PROFILE_MODE_DEFAULT));
+      signin::PROFILE_MODE_DEFAULT);
   EXPECT_FALSE(url_request->extra_request_headers().HasHeader(
       signin::kChromeConnectedHeader));
 }
@@ -195,9 +274,9 @@ TEST_F(SigninHeaderHelperTest, TestIgnoreMirrorHeaderNonEligibleURLs) {
                                          TRAFFIC_ANNOTATION_FOR_TESTS);
   url_request->SetExtraRequestHeaderByName(signin::kChromeConnectedHeader,
                                            fake_header, false);
-  EXPECT_FALSE(signin::AppendOrRemoveAccountConsistentyRequestHeader(
+  signin::AppendOrRemoveAccountConsistentyRequestHeader(
       url_request.get(), redirect_url, account_id, cookie_settings_.get(),
-      signin::PROFILE_MODE_DEFAULT));
+      signin::PROFILE_MODE_DEFAULT);
   std::string header;
   EXPECT_TRUE(url_request->extra_request_headers().GetHeader(
       signin::kChromeConnectedHeader, &header));

components/signin/core/common/profile_management_switches.cc

@@ -9,22 +9,29 @@
 #include "base/command_line.h"
 #include "base/feature_list.h"
 #include "base/metrics/field_trial.h"
-#include "build/build_config.h"
 #include "components/signin/core/common/signin_switches.h"
 
 namespace switches {
 
-bool IsAccountConsistencyMirrorEnabled() {
+AccountConsistencyMethod GetAccountConsistencyMethod() {
 #if defined(OS_ANDROID) || defined(OS_IOS)
-  // Account consistency is enabled on Android and iOS.
-  return true;
+  // Mirror is enabled on Android and iOS.
+  return AccountConsistencyMethod::kMirror;
 #else
   base::CommandLine* cmd = base::CommandLine::ForCurrentProcess();
-  return cmd->GetSwitchValueASCII(switches::kAccountConsistency) ==
-         switches::kAccountConsistencyMirror;
+  std::string method = cmd->GetSwitchValueASCII(switches::kAccountConsistency);
+  if (method == switches::kAccountConsistencyMirror)
+    return AccountConsistencyMethod::kMirror;
+  if (method == switches::kAccountConsistencyDice)
+    return AccountConsistencyMethod::kDice;
+  return AccountConsistencyMethod::kDisabled;
 #endif  // defined(OS_ANDROID) || defined(OS_IOS)
 }
 
+bool IsAccountConsistencyMirrorEnabled() {
+  return GetAccountConsistencyMethod() == AccountConsistencyMethod::kMirror;
+}
+
 bool IsExtensionsMultiAccount() {
 #if defined(OS_ANDROID) || defined(OS_IOS)
   NOTREACHED() << "Extensions are not enabled on Android or iOS";
@@ -34,7 +41,7 @@ bool IsExtensionsMultiAccount() {
 
   return base::CommandLine::ForCurrentProcess()->HasSwitch(
              switches::kExtensionsMultiAccount) ||
-         IsAccountConsistencyMirrorEnabled();
+         GetAccountConsistencyMethod() == AccountConsistencyMethod::kMirror;
 }
 
 void EnableAccountConsistencyMirrorForTesting(base::CommandLine* command_line) {
@@ -44,4 +51,11 @@ void EnableAccountConsistencyMirrorForTesting(base::CommandLine* command_line) {
 #endif
 }
 
+#if !defined(OS_ANDROID) && !defined(OS_IOS)
+void EnableAccountConsistencyDiceForTesting(base::CommandLine* command_line) {
+  command_line->AppendSwitchASCII(switches::kAccountConsistency,
+                                  switches::kAccountConsistencyDice);
+}
+#endif
+
 }  // namespace switches

components/signin/core/common/profile_management_switches.h

@@ -9,14 +9,26 @@
 #ifndef COMPONENTS_SIGNIN_CORE_COMMON_PROFILE_MANAGEMENT_SWITCHES_H_
 #define COMPONENTS_SIGNIN_CORE_COMMON_PROFILE_MANAGEMENT_SWITCHES_H_
 
+#include "build/build_config.h"
+
 namespace base {
 class CommandLine;
 }
 
 namespace switches {
 
+enum class AccountConsistencyMethod {
+  kDisabled,  // No account consistency.
+  kMirror,    // Account management UI in the avatar bubble.
+  kDice       // Account management UI on Gaia webpages.
+};
+
+// Returns the account consistency method.
+AccountConsistencyMethod GetAccountConsistencyMethod();
+
 // Checks whether Mirror account consistency is enabled. If enabled, the account
 // management UI is available in the avatar bubble.
+// DEPRECATED: Use GetAccountConsistencyMethod() instead.
 bool IsAccountConsistencyMirrorEnabled();
 
 // Whether the chrome.identity API should be multi-account.
@@ -25,6 +37,12 @@ bool IsExtensionsMultiAccount();
 // Called in tests to force enable Mirror account consistency.
 void EnableAccountConsistencyMirrorForTesting(base::CommandLine* command_line);
 
+// Dice is only supported on desktop.
+#if !defined(OS_ANDROID) && !defined(OS_IOS)
+// Called in tests to force enable Dice account consistency.
+void EnableAccountConsistencyDiceForTesting(base::CommandLine* command_line);
+#endif
+
 }  // namespace switches
 
 #endif  // COMPONENTS_SIGNIN_CORE_COMMON_PROFILE_MANAGEMENT_SWITCHES_H_

components/signin/core/common/signin_switches.h

@@ -6,6 +6,7 @@
 #define COMPONENTS_SIGNIN_CORE_COMMON_SIGNIN_SWITCHES_H_
 
 #include "base/feature_list.h"
+#include "build/build_config.h"
 
 namespace switches {