Commit f3bfb66a authored by mnissler@chromium.org's avatar mnissler@chromium.org

Wire up the identity API for enterprise Kiosk Apps.

This allows enterprise-managed Kiosk Apps to mint OAuth2 access tokens
for the device-level robot account via the identity extension API.

BUG=chromium:224594

Review URL: https://chromiumcodereview.appspot.com/17009016

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@207835 0039d316-1c4b-4281-b951-d872f2087c98
parent ad775376
......@@ -18,6 +18,7 @@
#include "chrome/browser/browser_process.h"
#include "chrome/browser/extensions/extension_function_dispatcher.h"
#include "chrome/browser/extensions/extension_service.h"
#include "chrome/browser/policy/browser_policy_connector.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/browser/signin/signin_manager.h"
#include "chrome/browser/signin/signin_manager_factory.h"
......@@ -36,6 +37,8 @@
#if defined(OS_CHROMEOS)
#include "chrome/browser/chromeos/login/user_manager.h"
#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
#endif
namespace extensions {
......@@ -103,6 +106,14 @@ bool IdentityGetAuthTokenFunction::RunImpl() {
// Balanced in CompleteFunctionWithResult|CompleteFunctionWithError
AddRef();
#if defined(OS_CHROMEOS)
if (chromeos::UserManager::Get()->IsLoggedInAsKioskApp() &&
g_browser_process->browser_policy_connector()->IsEnterpriseManaged()) {
StartMintTokenFlow(IdentityMintRequestQueue::MINT_TYPE_NONINTERACTIVE);
return true;
}
#endif
if (!HasLoginToken()) {
if (!should_prompt_for_signin_) {
error_ = identity_constants::kUserNotSignedIn;
......@@ -208,11 +219,21 @@ void IdentityGetAuthTokenFunction::StartMintToken(
case IdentityTokenCacheValue::CACHE_STATUS_NOTFOUND:
#if defined(OS_CHROMEOS)
// Always force minting token for ChromeOS kiosk app.
if (chrome::IsRunningInForcedAppMode()) {
StartGaiaRequest(OAuth2MintTokenFlow::MODE_MINT_TOKEN_FORCE);
if (chromeos::UserManager::Get()->IsLoggedInAsKioskApp()) {
if (g_browser_process->browser_policy_connector()->
IsEnterpriseManaged()) {
OAuth2TokenService::ScopeSet scope_set(oauth2_info.scopes.begin(),
oauth2_info.scopes.end());
device_token_request_ =
chromeos::DeviceOAuth2TokenServiceFactory::Get()->StartRequest(
scope_set, this);
} else {
StartGaiaRequest(OAuth2MintTokenFlow::MODE_MINT_TOKEN_FORCE);
}
return;
}
#endif
if (oauth2_info.auto_approve)
// oauth2_info.auto_approve is protected by a whitelist in
// _manifest_features.json hence only selected extensions take
......@@ -362,6 +383,32 @@ void IdentityGetAuthTokenFunction::OnGaiaFlowCompleted(
CompleteFunctionWithResult(access_token);
}
void IdentityGetAuthTokenFunction::OnGetTokenSuccess(
const OAuth2TokenService::Request* request,
const std::string& access_token,
const base::Time& expiration_time) {
DCHECK_EQ(device_token_request_.get(), request);
device_token_request_.reset();
const OAuth2Info& oauth2_info = OAuth2Info::GetOAuth2Info(GetExtension());
IdentityTokenCacheValue token(access_token,
expiration_time - base::Time::Now());
IdentityAPI::GetFactoryInstance()->GetForProfile(profile())->SetCachedToken(
GetExtension()->id(), oauth2_info.scopes, token);
CompleteMintTokenFlow();
CompleteFunctionWithResult(access_token);
}
void IdentityGetAuthTokenFunction::OnGetTokenFailure(
const OAuth2TokenService::Request* request,
const GoogleServiceAuthError& error) {
DCHECK_EQ(device_token_request_.get(), request);
device_token_request_.reset();
OnGaiaFlowFailure(GaiaWebAuthFlow::SERVICE_AUTH_ERROR, error, std::string());
}
void IdentityGetAuthTokenFunction::StartGaiaRequest(
OAuth2MintTokenFlow::Mode mode) {
mint_token_flow_.reset(CreateMintTokenFlow(mode));
......
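Review bot: The robot-account path is gated only on session state — `IsLoggedInAsKioskApp()` together with `IsEnterpriseManaged()`, checked in RunImpl and again in StartMintToken — and never on which extension is asking, so any extension that executes inside an enterprise kiosk session and declares `oauth2.scopes` can obtain a device robot-account token for whatever scopes its manifest lists, with no consent UI since the flow is MINT_TYPE_NONINTERACTIVE. If the intended invariant is that only the configured kiosk app ever reaches this branch, that should be verified against `GetExtension()->id()` rather than assumed, or at minimum recorded next to the check, e.g. `// Only the kiosk app runs in this session; it alone may mint robot-account tokens.` The same two-part predicate is duplicated in both functions; folding it into one helper such as `bool UseDeviceRobotAccount() const` keeps the bypass of HasLoginToken() and the choice of token source from drifting apart. In OnGetTokenSuccess the cache lifetime is `expiration_time - base::Time::Now()`, which goes negative if the service reports a null or already-past expiration — presumably harmless (entry expires immediately) but worth a comment confirming that is the intent. RunImpl and StartMintToken both continue outside the hunks shown.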
......@@ -19,10 +19,12 @@
#include "chrome/browser/extensions/api/identity/web_auth_flow.h"
#include "chrome/browser/extensions/api/profile_keyed_api_factory.h"
#include "chrome/browser/extensions/extension_function.h"
#include "chrome/browser/signin/oauth2_token_service.h"
#include "chrome/browser/signin/signin_global_error.h"
#include "google_apis/gaia/oauth2_mint_token_flow.h"
class GoogleServiceAuthError;
class MockGetAuthTokenFunction;
class Profile;
class SigninManagerBase;
......@@ -65,7 +67,8 @@ class IdentityGetAuthTokenFunction : public AsyncExtensionFunction,
public GaiaWebAuthFlow::Delegate,
public IdentityMintRequestQueue::Request,
public OAuth2MintTokenFlow::Delegate,
public IdentitySigninFlow::Delegate {
public IdentitySigninFlow::Delegate,
public OAuth2TokenService::Consumer {
public:
DECLARE_EXTENSION_FUNCTION("identity.getAuthToken",
EXPERIMENTAL_IDENTITY_GETAUTHTOKEN);
......@@ -116,6 +119,13 @@ class IdentityGetAuthTokenFunction : public AsyncExtensionFunction,
virtual void OnGaiaFlowCompleted(const std::string& access_token,
const std::string& expiration) OVERRIDE;
// OAuth2TokenService::Consumer implementation:
virtual void OnGetTokenSuccess(const OAuth2TokenService::Request* request,
const std::string& access_token,
const base::Time& expiration_time) OVERRIDE;
virtual void OnGetTokenFailure(const OAuth2TokenService::Request* request,
const GoogleServiceAuthError& error) OVERRIDE;
// Starts a mint token request to GAIA.
void StartGaiaRequest(OAuth2MintTokenFlow::Mode mode);
......@@ -147,6 +157,7 @@ class IdentityGetAuthTokenFunction : public AsyncExtensionFunction,
IssueAdviceInfo issue_advice_;
scoped_ptr<GaiaWebAuthFlow> gaia_web_auth_flow_;
scoped_ptr<IdentitySigninFlow> signin_flow_;
scoped_ptr<OAuth2TokenService::Request> device_token_request_;
};
class IdentityRemoveCachedAuthTokenFunction : public SyncExtensionFunction {
......
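Review bot: The new `device_token_request_` member has no note on when it is live or who resets it, which matters now that the class implements five delegate/consumer interfaces with separate completion paths. Suggest `// Pending request to the device OAuth2 token service (enterprise kiosk sessions, ChromeOS only); reset in OnGetTokenSuccess/OnGetTokenFailure.` above the declaration, and a matching one-line comment above the `OAuth2TokenService::Consumer` overrides noting that they only fire for that request. The class body continues outside the hunks shown.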