[Trusted vault] Implement access token fetching

This CL adds access token fetching functionality, that can be used on
trusted vault backend sequence. Implementation consists of:

TrustedVaultAccessTokenFetcherFrontend:
 * this class must be used on the UI thread
 * it allows asynchronous access token fetching
 * it supports multiple ongoing FetchAccessToken() calls (e.g. the
 method can be called before |callback| passed to the previous one was
 run)
 * it observes primary account changes and reply with empty access token
 to callbacks which correspond to non-primary account

TrustedVaultAccessTokenFetcherImpl:
 * created on the UI thread and its ownership transferred to the backend
 sequence
 * plumbs backend FetchAccessToken() attempts to the frontend
 * handles invalidation of TrustedVaultAccessTokenFetcherFrontend
 WeakPtr

Bug: 1113597
Change-Id: I72d5962c374b3141d8a20a2ad2a4b42a378bbfde
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2379734
Commit-Queue: Maksim Moskvitin <mmoskvitin@google.com>
Reviewed-by: Marc Treib <treib@chromium.org>
Cr-Commit-Position: refs/heads/master@{#802650}

components/sync/BUILD.gn

@@ -524,6 +524,7 @@ source_set("unit_tests") {
     "trusted_vault/securebox_unittest.cc",
     "trusted_vault/standalone_trusted_vault_backend_unittest.cc",
     "trusted_vault/standalone_trusted_vault_client_unittest.cc",
+    "trusted_vault/trusted_vault_access_token_fetcher_frontend_unittest.cc",
   ]
 
   configs += [ "//build/config:precompiled_headers" ]

components/sync/trusted_vault/BUILD.gn

@@ -11,6 +11,10 @@ static_library("trusted_vault") {
     "standalone_trusted_vault_client.cc",
     "standalone_trusted_vault_client.h",
     "trusted_vault_access_token_fetcher.h",
+    "trusted_vault_access_token_fetcher_frontend.cc",
+    "trusted_vault_access_token_fetcher_frontend.h",
+    "trusted_vault_access_token_fetcher_impl.cc",
+    "trusted_vault_access_token_fetcher_impl.h",
     "trusted_vault_connection.h",
     "trusted_vault_connection_impl.cc",
     "trusted_vault_connection_impl.h",

components/sync/trusted_vault/standalone_trusted_vault_client.cc

@@ -15,7 +15,7 @@
 #include "components/signin/public/identity_manager/account_info.h"
 #include "components/sync/base/bind_to_task_runner.h"
 #include "components/sync/trusted_vault/standalone_trusted_vault_backend.h"
-#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher.h"
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher_impl.h"
 #include "components/sync/trusted_vault/trusted_vault_connection_impl.h"
 #include "services/network/public/cpp/shared_url_loader_factory.h"
 
@@ -118,7 +118,8 @@ StandaloneTrustedVaultClient::StandaloneTrustedVaultClient(
     : identity_manager_(identity_manager),
       file_path_(file_path),
       backend_task_runner_(
-          base::ThreadPool::CreateSequencedTaskRunner(kBackendTaskTraits)) {
+          base::ThreadPool::CreateSequencedTaskRunner(kBackendTaskTraits)),
+      access_token_fetcher_frontend_(identity_manager) {
   DCHECK(identity_manager_);
 }
 
@@ -200,16 +201,15 @@ void StandaloneTrustedVaultClient::TriggerLazyInitializationIfNeeded() {
     return;
   }
 
-  // TODO(crbug.com/1113597): populate TrustedVaultAccessTokenFetcher into
-  // TrustedVaultConnectionImpl ctor.
   // TODO(crbug.com/1113598): populate URLLoaderFactory into
   // TrustedVaultConnectionImpl ctor.
   // TODO(crbug.com/1102340): allow setting custom TrustedVaultConnection for
   // testing.
   backend_ = base::MakeRefCounted<StandaloneTrustedVaultBackend>(
-      file_path_,
-      std::make_unique<TrustedVaultConnectionImpl>(
-          /*url_loader_factory=*/nullptr, /*access_token_fetcher=*/nullptr));
+      file_path_, std::make_unique<TrustedVaultConnectionImpl>(
+                      /*url_loader_factory=*/nullptr,
+                      std::make_unique<TrustedVaultAccessTokenFetcherImpl>(
+                          access_token_fetcher_frontend_.GetWeakPtr())));
   backend_task_runner_->PostTask(
       FROM_HERE,
       base::BindOnce(&StandaloneTrustedVaultBackend::ReadDataFromDisk,

components/sync/trusted_vault/standalone_trusted_vault_client.h

@@ -15,6 +15,7 @@
 #include "base/sequenced_task_runner.h"
 #include "components/signin/public/identity_manager/identity_manager.h"
 #include "components/sync/driver/trusted_vault_client.h"
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher_frontend.h"
 
 struct CoreAccountInfo;
 
@@ -82,6 +83,10 @@ class StandaloneTrustedVaultClient : public TrustedVaultClient {
   // |backend_task_runner_|.
   std::unique_ptr<signin::IdentityManager::Observer> primary_account_observer_;
 
+  // Allows access token fetching for primary account on the ui thread. Passed
+  // as WeakPtr to TrustedVaultAccessTokenFetcherImpl.
+  TrustedVaultAccessTokenFetcherFrontend access_token_fetcher_frontend_;
+
   bool is_recoverability_degraded_for_testing_ = false;
 };
 

components/sync/trusted_vault/trusted_vault_access_token_fetcher.h

@@ -8,9 +8,9 @@
 #include <string>
 
 #include "base/callback.h"
+#include "base/optional.h"
 
 struct CoreAccountId;
-class GoogleServiceAuthError;
 
 namespace signin {
 struct AccessTokenInfo;
@@ -22,9 +22,8 @@ namespace syncer {
 // the UI thread.
 class TrustedVaultAccessTokenFetcher {
  public:
-  using TokenCallback =
-      base::OnceCallback<void(GoogleServiceAuthError error,
-                              signin::AccessTokenInfo access_token_info)>;
+  using TokenCallback = base::OnceCallback<void(
+      base::Optional<signin::AccessTokenInfo> access_token_info)>;
 
   TrustedVaultAccessTokenFetcher() = default;
   TrustedVaultAccessTokenFetcher(const TrustedVaultAccessTokenFetcher& other) =

components/sync/trusted_vault/trusted_vault_access_token_fetcher_frontend.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher_frontend.h"
+
+#include <utility>
+
+#include "components/signin/public/identity_manager/primary_account_access_token_fetcher.h"
+
+namespace syncer {
+
+namespace {
+const char kCryptAuthOAuth2Scope[] =
+    "https://www.googleapis.com/auth/cryptauth";
+}  // namespace
+
+TrustedVaultAccessTokenFetcherFrontend::TrustedVaultAccessTokenFetcherFrontend(
+    signin::IdentityManager* identity_manager)
+    : identity_manager_(identity_manager) {
+  DCHECK(identity_manager_);
+  identity_manager_->AddObserver(this);
+  UpdatePrimaryAccountIfNeeded();
+}
+
+TrustedVaultAccessTokenFetcherFrontend::
+    ~TrustedVaultAccessTokenFetcherFrontend() {
+  identity_manager_->RemoveObserver(this);
+}
+
+base::WeakPtr<TrustedVaultAccessTokenFetcherFrontend>
+TrustedVaultAccessTokenFetcherFrontend::GetWeakPtr() {
+  return weak_ptr_factory_.GetWeakPtr();
+}
+
+void TrustedVaultAccessTokenFetcherFrontend::FetchAccessToken(
+    const CoreAccountId& account_id,
+    TrustedVaultAccessTokenFetcher::TokenCallback callback) {
+  if (account_id != primary_account_) {
+    // The requester is likely not aware of a recent change to the primary
+    // account yet (this is possible because requests come from another
+    // sequence). Run |callback| immediately without access token.
+    std::move(callback).Run(base::nullopt);
+    return;
+  }
+
+  pending_requests_.emplace_back(std::move(callback));
+  if (ongoing_access_token_fetch_ == nullptr) {
+    StartAccessTokenFetch();
+  }
+}
+
+void TrustedVaultAccessTokenFetcherFrontend::OnPrimaryAccountSet(
+    const CoreAccountInfo& primary_account_info) {
+  UpdatePrimaryAccountIfNeeded();
+}
+
+void TrustedVaultAccessTokenFetcherFrontend::OnPrimaryAccountCleared(
+    const CoreAccountInfo& previous_primary_account_info) {
+  UpdatePrimaryAccountIfNeeded();
+}
+
+void TrustedVaultAccessTokenFetcherFrontend::OnUnconsentedPrimaryAccountChanged(
+    const CoreAccountInfo& unconsented_primary_account_info) {
+  UpdatePrimaryAccountIfNeeded();
+}
+
+void TrustedVaultAccessTokenFetcherFrontend::UpdatePrimaryAccountIfNeeded() {
+  CoreAccountInfo primary_account_info =
+      identity_manager_->GetPrimaryAccountInfo(
+          signin::ConsentLevel::kNotRequired);
+  if (primary_account_info.account_id == primary_account_) {
+    return;
+  }
+
+  // Fulfill |pending_requests_| since they belong to the previous
+  // |primary_account_|.
+  FulfillPendingRequests(base::nullopt);
+  ongoing_access_token_fetch_ = nullptr;
+  primary_account_ = primary_account_info.account_id;
+}
+
+void TrustedVaultAccessTokenFetcherFrontend::StartAccessTokenFetch() {
+  DCHECK(!ongoing_access_token_fetch_);
+  ongoing_access_token_fetch_ = std::make_unique<
+      signin::PrimaryAccountAccessTokenFetcher>(
+      /*ouath_consumer_name=*/"TrustedVaultAccessTokenFetcherFrontend",
+      identity_manager_, signin::ScopeSet{kCryptAuthOAuth2Scope},
+      base::BindOnce(
+          &TrustedVaultAccessTokenFetcherFrontend::OnAccessTokenFetchCompleted,
+          base::Unretained(this)),
+      signin::PrimaryAccountAccessTokenFetcher::Mode::kWaitUntilAvailable,
+      signin::ConsentLevel::kNotRequired);
+}
+
+void TrustedVaultAccessTokenFetcherFrontend::OnAccessTokenFetchCompleted(
+    GoogleServiceAuthError error,
+    signin::AccessTokenInfo access_token_info) {
+  ongoing_access_token_fetch_ = nullptr;
+  if (error.state() == GoogleServiceAuthError::NONE) {
+    FulfillPendingRequests(access_token_info);
+  } else {
+    FulfillPendingRequests(base::nullopt);
+  }
+}
+
+void TrustedVaultAccessTokenFetcherFrontend::FulfillPendingRequests(
+    base::Optional<signin::AccessTokenInfo> access_token_info) {
+  for (auto& pending_request : pending_requests_) {
+    std::move(pending_request).Run(access_token_info);
+  }
+  pending_requests_.clear();
+}
+
+}  // namespace syncer

components/sync/trusted_vault/trusted_vault_access_token_fetcher_frontend.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_ACCESS_TOKEN_FETCHER_FRONTEND_H_
+#define COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_ACCESS_TOKEN_FETCHER_FRONTEND_H_
+
+#include <memory>
+#include <vector>
+
+#include "base/memory/weak_ptr.h"
+#include "base/optional.h"
+#include "components/signin/public/identity_manager/access_token_info.h"
+#include "components/signin/public/identity_manager/identity_manager.h"
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher.h"
+#include "google_apis/gaia/core_account_id.h"
+#include "google_apis/gaia/google_service_auth_error.h"
+
+namespace signin {
+class PrimaryAccountAccessTokenFetcher;
+}
+
+namespace syncer {
+
+// Allows fetching access token for primary account on UI thread.
+class TrustedVaultAccessTokenFetcherFrontend
+    : public signin::IdentityManager::Observer {
+ public:
+  // |identity_manager| must not be null and must outlive this object.
+  explicit TrustedVaultAccessTokenFetcherFrontend(
+      signin::IdentityManager* identity_manager);
+  TrustedVaultAccessTokenFetcherFrontend(
+      const TrustedVaultAccessTokenFetcherFrontend& other) = delete;
+  TrustedVaultAccessTokenFetcherFrontend& operator=(
+      const TrustedVaultAccessTokenFetcherFrontend& other) = delete;
+  ~TrustedVaultAccessTokenFetcherFrontend() override;
+
+  // Returns WeakPtr to |this|, pointer will be invalidated inside dtor.
+  base::WeakPtr<TrustedVaultAccessTokenFetcherFrontend> GetWeakPtr();
+
+  // Asynchronously fetches an access token for |account_id|. If |account_id|
+  // doesn't represent current primary account, |callback| is called immediately
+  // with base::nullopt. If primary account changes before access token fetched,
+  // |callback| is called with base::nullopt.
+  void FetchAccessToken(const CoreAccountId& account_id,
+                        TrustedVaultAccessTokenFetcher::TokenCallback callback);
+
+  // signin::IdentityManager::Observer implementation.
+  void OnPrimaryAccountSet(
+      const CoreAccountInfo& primary_account_info) override;
+  void OnPrimaryAccountCleared(
+      const CoreAccountInfo& previous_primary_account_info) override;
+  void OnUnconsentedPrimaryAccountChanged(
+      const CoreAccountInfo& unconsented_primary_account_info) override;
+
+ private:
+  // Updates |primary_account_| and runs |pending_requests_| in case
+  // |primary_account_| was changed.
+  void UpdatePrimaryAccountIfNeeded();
+
+  // Starts new access fetch. |ongoing_access_token_fetch_| must be null when
+  // calling this method.
+  void StartAccessTokenFetch();
+
+  // Handles access token fetch completion. Runs |pending_requests_| with
+  // |access_token_info| on success and with base::nullopt otherwise.
+  void OnAccessTokenFetchCompleted(GoogleServiceAuthError error,
+                                   signin::AccessTokenInfo access_token_info);
+
+  // Helper method to run and clear |pending_requests_|.
+  void FulfillPendingRequests(
+      base::Optional<signin::AccessTokenInfo> access_token_info);
+
+  // Never null.
+  signin::IdentityManager* const identity_manager_;
+
+  // Pending request for an access token. Non-null iff there is a request
+  // ongoing.
+  std::unique_ptr<signin::PrimaryAccountAccessTokenFetcher>
+      ongoing_access_token_fetch_;
+
+  // Current primary account.
+  CoreAccountId primary_account_;
+
+  // Contains callbacks passed to FetchAccessToken which are not yet satisfied.
+  std::vector<TrustedVaultAccessTokenFetcher::TokenCallback> pending_requests_;
+
+  base::WeakPtrFactory<TrustedVaultAccessTokenFetcherFrontend>
+      weak_ptr_factory_{this};
+};
+
+}  // namespace syncer
+
+#endif  // COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_ACCESS_TOKEN_FETCHER_FRONTEND_H_

components/sync/trusted_vault/trusted_vault_access_token_fetcher_frontend_unittest.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher_frontend.h"
+
+#include <string>
+
+#include "base/run_loop.h"
+#include "base/test/bind_test_util.h"
+#include "base/test/task_environment.h"
+#include "components/signin/public/identity_manager/access_token_info.h"
+#include "components/signin/public/identity_manager/identity_test_environment.h"
+#include "google_apis/gaia/google_service_auth_error.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace syncer {
+
+namespace {
+
+using testing::Eq;
+using testing::Ne;
+
+class TrustedVaultAccessTokenFetcherFrontendTest : public testing::Test {
+ public:
+  TrustedVaultAccessTokenFetcherFrontendTest()
+      : frontend_(identity_env_.identity_manager()) {}
+  ~TrustedVaultAccessTokenFetcherFrontendTest() override = default;
+
+  TrustedVaultAccessTokenFetcherFrontend* frontend() { return &frontend_; }
+
+  signin::IdentityTestEnvironment* identity_env() { return &identity_env_; }
+
+ private:
+  base::test::TaskEnvironment task_environment_;
+  // |identity_env_| must outlive |frontend_|.
+  signin::IdentityTestEnvironment identity_env_;
+  TrustedVaultAccessTokenFetcherFrontend frontend_;
+};
+
+TEST_F(TrustedVaultAccessTokenFetcherFrontendTest,
+       ShouldFetchAccessTokenForPrimaryAccount) {
+  const CoreAccountId kAccountId =
+      identity_env()->MakePrimaryAccountAvailable("test@gmail.com").account_id;
+  const std::string kAccessToken = "access_token";
+
+  base::Optional<signin::AccessTokenInfo> fetched_access_token;
+  frontend()->FetchAccessToken(
+      kAccountId,
+      base::BindLambdaForTesting(
+          [&](base::Optional<signin::AccessTokenInfo> access_token_info) {
+            fetched_access_token = access_token_info;
+          }));
+  // Access token shouldn't be fetched immediately.
+  EXPECT_THAT(fetched_access_token, Eq(base::nullopt));
+
+  identity_env()->WaitForAccessTokenRequestIfNecessaryAndRespondWithToken(
+      kAccountId, kAccessToken,
+      base::Time::Now() + base::TimeDelta::FromHours(1));
+
+  // Now access token should be fetched.
+  ASSERT_THAT(fetched_access_token, Ne(base::nullopt));
+  EXPECT_THAT(fetched_access_token->token, Eq(kAccessToken));
+}
+
+TEST_F(TrustedVaultAccessTokenFetcherFrontendTest,
+       ShouldFetchAccessTokenForUnconsentedPrimaryAccount) {
+  const CoreAccountId kAccountId =
+      identity_env()
+          ->MakeUnconsentedPrimaryAccountAvailable("test@gmail.com")
+          .account_id;
+  const std::string kAccessToken = "access_token";
+
+  base::Optional<signin::AccessTokenInfo> fetched_access_token;
+  frontend()->FetchAccessToken(
+      kAccountId,
+      base::BindLambdaForTesting(
+          [&](base::Optional<signin::AccessTokenInfo> access_token_info) {
+            fetched_access_token = access_token_info;
+          }));
+  // Access token shouldn't be fetched immediately.
+  EXPECT_THAT(fetched_access_token, Eq(base::nullopt));
+
+  identity_env()->WaitForAccessTokenRequestIfNecessaryAndRespondWithToken(
+      kAccountId, kAccessToken,
+      base::Time::Now() + base::TimeDelta::FromHours(1));
+
+  // Now access token should be fetched.
+  ASSERT_THAT(fetched_access_token, Ne(base::nullopt));
+  EXPECT_THAT(fetched_access_token->token, Eq(kAccessToken));
+}
+
+TEST_F(TrustedVaultAccessTokenFetcherFrontendTest,
+       ShouldRejectFetchAttemptForNonPrimaryAccount) {
+  identity_env()->MakePrimaryAccountAvailable("test1@gmail.com");
+  const CoreAccountId kSecondaryAccountId =
+      identity_env()->MakeAccountAvailable("test2@gmail.com").account_id;
+
+  base::Optional<signin::AccessTokenInfo> fetched_access_token;
+  bool callback_called = false;
+  frontend()->FetchAccessToken(
+      kSecondaryAccountId,
+      base::BindLambdaForTesting(
+          [&](base::Optional<signin::AccessTokenInfo> access_token_info) {
+            fetched_access_token = access_token_info;
+            callback_called = true;
+          }));
+
+  // Fetch should be rejected immediately.
+  EXPECT_TRUE(callback_called);
+  EXPECT_THAT(fetched_access_token, Eq(base::nullopt));
+}
+
+TEST_F(TrustedVaultAccessTokenFetcherFrontendTest,
+       ShouldReplyOnUnsuccessfulFetchAttempt) {
+  const CoreAccountId kAccountId =
+      identity_env()->MakePrimaryAccountAvailable("test@gmail.com").account_id;
+  const std::string kAccessToken = "access_token";
+
+  base::Optional<signin::AccessTokenInfo> fetched_access_token;
+  bool callback_called = false;
+  frontend()->FetchAccessToken(
+      kAccountId,
+      base::BindLambdaForTesting(
+          [&](base::Optional<signin::AccessTokenInfo> access_token_info) {
+            fetched_access_token = access_token_info;
+            callback_called = true;
+          }));
+  // Access token shouldn't be fetched immediately.
+  EXPECT_FALSE(callback_called);
+
+  identity_env()->WaitForAccessTokenRequestIfNecessaryAndRespondWithError(
+      GoogleServiceAuthError::FromUnexpectedServiceResponse("error"));
+
+  EXPECT_TRUE(callback_called);
+  EXPECT_THAT(fetched_access_token, Eq(base::nullopt));
+}
+
+TEST_F(TrustedVaultAccessTokenFetcherFrontendTest, ShouldAllowMultipleFetches) {
+  const CoreAccountId kAccountId =
+      identity_env()->MakePrimaryAccountAvailable("test@gmail.com").account_id;
+  const std::string kAccessToken = "access_token";
+
+  base::Optional<signin::AccessTokenInfo> fetched_access_token1;
+  frontend()->FetchAccessToken(
+      kAccountId,
+      base::BindLambdaForTesting(
+          [&](base::Optional<signin::AccessTokenInfo> access_token_info) {
+            fetched_access_token1 = access_token_info;
+          }));
+  // Start second fetch before the first one completes.
+  base::Optional<signin::AccessTokenInfo> fetched_access_token2;
+  frontend()->FetchAccessToken(
+      kAccountId,
+      base::BindLambdaForTesting(
+          [&](base::Optional<signin::AccessTokenInfo> access_token_info) {
+            fetched_access_token2 = access_token_info;
+          }));
+  // Access token shouldn't be fetched immediately.
+  EXPECT_THAT(fetched_access_token1, Eq(base::nullopt));
+  EXPECT_THAT(fetched_access_token2, Eq(base::nullopt));
+
+  identity_env()->WaitForAccessTokenRequestIfNecessaryAndRespondWithToken(
+      kAccountId, kAccessToken,
+      base::Time::Now() + base::TimeDelta::FromHours(1));
+
+  // Both fetch callbacks should be called.
+  ASSERT_THAT(fetched_access_token1, Ne(base::nullopt));
+  EXPECT_THAT(fetched_access_token1->token, Eq(kAccessToken));
+
+  ASSERT_THAT(fetched_access_token2, Ne(base::nullopt));
+  EXPECT_THAT(fetched_access_token2->token, Eq(kAccessToken));
+}
+
+}  // namespace
+
+}  // namespace syncer

components/sync/trusted_vault/trusted_vault_access_token_fetcher_impl.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher_impl.h"
+
+#include <utility>
+
+#include "base/location.h"
+#include "base/threading/sequenced_task_runner_handle.h"
+#include "components/sync/base/bind_to_task_runner.h"
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher_frontend.h"
+
+namespace syncer {
+
+namespace {
+
+// Attempts to fetch access token and immediately run |callback| if |frontend|
+// isn't valid. Must be used on the UI thread.
+void FetchAccessTokenOnUIThread(
+    base::WeakPtr<TrustedVaultAccessTokenFetcherFrontend> frontend,
+    const CoreAccountId& account_id,
+    TrustedVaultAccessTokenFetcher::TokenCallback callback) {
+  if (!frontend) {
+    std::move(callback).Run(base::nullopt);
+  } else {
+    frontend->FetchAccessToken(account_id, std::move(callback));
+  }
+}
+
+}  // namespace
+
+TrustedVaultAccessTokenFetcherImpl::TrustedVaultAccessTokenFetcherImpl(
+    base::WeakPtr<TrustedVaultAccessTokenFetcherFrontend> frontend)
+    : frontend_(frontend) {
+  DCHECK(base::SequencedTaskRunnerHandle::IsSet());
+  ui_thread_task_runner_ = base::SequencedTaskRunnerHandle::Get();
+}
+
+TrustedVaultAccessTokenFetcherImpl::~TrustedVaultAccessTokenFetcherImpl() =
+    default;
+
+void TrustedVaultAccessTokenFetcherImpl::FetchAccessToken(
+    const CoreAccountId& account_id,
+    TokenCallback callback) {
+  ui_thread_task_runner_->PostTask(
+      FROM_HERE,
+      base::BindOnce(FetchAccessTokenOnUIThread, frontend_, account_id,
+                     BindToCurrentSequence(std::move(callback))));
+}
+
+}  // namespace syncer

components/sync/trusted_vault/trusted_vault_access_token_fetcher_impl.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_ACCESS_TOKEN_FETCHER_IMPL_H_
+#define COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_ACCESS_TOKEN_FETCHER_IMPL_H_
+
+#include "base/memory/scoped_refptr.h"
+#include "base/memory/weak_ptr.h"
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher.h"
+
+namespace base {
+class SequencedTaskRunner;
+}  // namespace base
+
+namespace syncer {
+
+class TrustedVaultAccessTokenFetcherFrontend;
+
+// Must be created on the UI thread, but can be used on any sequence.
+class TrustedVaultAccessTokenFetcherImpl
+    : public TrustedVaultAccessTokenFetcher {
+ public:
+  explicit TrustedVaultAccessTokenFetcherImpl(
+      base::WeakPtr<TrustedVaultAccessTokenFetcherFrontend> frontend);
+  TrustedVaultAccessTokenFetcherImpl(
+      const TrustedVaultAccessTokenFetcherImpl& other) = delete;
+  TrustedVaultAccessTokenFetcherImpl& operator=(
+      const TrustedVaultAccessTokenFetcherImpl& other) = delete;
+  ~TrustedVaultAccessTokenFetcherImpl() override;
+
+  // TrustedVaultAccessTokenFetcher implementation.
+  void FetchAccessToken(const CoreAccountId& account_id,
+                        TokenCallback callback) override;
+
+ private:
+  base::WeakPtr<TrustedVaultAccessTokenFetcherFrontend> frontend_;
+  scoped_refptr<base::SequencedTaskRunner> ui_thread_task_runner_;
+};
+
+}  // namespace syncer
+
+#endif  // COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_ACCESS_TOKEN_FETCHER_IMPL_H_