CrOS login: Use Views pods to check owner credentials.

During Kiosk app launch we might need to configure network. This is guarded by the owner authentication (in case of consumer kiosk). Before this CL it used WebUI AccountPicker screen. This CL moves it to the current User pod screen implementation Bug: 1071779 Change-Id: Iaa1665e8d588d4df0beb5459365159a8292c08f9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2540983 Commit-Queue: Roman Sorokin [CET] <rsorokin@chromium.org> Commit-Queue: Denis Kuznetsov [CET] <antrim@chromium.org> Reviewed-by: Denis Kuznetsov [CET] <antrim@chromium.org> Cr-Commit-Position: refs/heads/master@{#829187}

CrOS login: Use Views pods to check owner credentials.
During Kiosk app launch we might need to configure network. This is guarded by the owner authentication (in case of consumer kiosk). Before this CL it used WebUI AccountPicker screen. This CL moves it to the current User pod screen implementation Bug: 1071779 Change-Id: Iaa1665e8d588d4df0beb5459365159a8292c08f9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2540983 Commit-Queue: Roman Sorokin [CET] <rsorokin@chromium.org> Commit-Queue: Denis Kuznetsov [CET] <antrim@chromium.org> Reviewed-by: Denis Kuznetsov [CET] <antrim@chromium.org> Cr-Commit-Position: refs/heads/master@{#829187}
f45d9abb · Roman Sorokin · Commit Bot · 4bdcbcc7 · f45d9abb · 4bdcbcc7
Commit f45d9abb authored Nov 19, 2020 by Roman Sorokin Committed by Commit Bot Nov 19, 2020
16 changed files
--- a/chrome/browser/chromeos/BUILD.gn
+++ b/chrome/browser/chromeos/BUILD.gn
@@ -1536,8 +1536,6 @@ source_set("chromeos") {
    "lock_screen_apps/toast_dialog_view.h",
    "logging.cc",
    "logging.h",
-    "login/app_mode/app_launch_signin_screen.cc",
-    "login/app_mode/app_launch_signin_screen.h",
    "login/app_mode/kiosk_launch_controller.cc",
    "login/app_mode/kiosk_launch_controller.h",
    "login/auth/auth_prewarmer.cc",

--- a/chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.cc
+++ b/chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.cc
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.h"
-
-#include <memory>
-#include <utility>
-
-#include "base/bind.h"
-#include "base/values.h"
-#include "chrome/browser/chromeos/login/help_app_launcher.h"
-#include "chrome/browser/chromeos/login/screens/user_selection_screen.h"
-#include "chrome/browser/chromeos/login/session/user_session_manager.h"
-#include "chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h"
-#include "chrome/grit/generated_resources.h"
-#include "chromeos/components/proximity_auth/screenlock_bridge.h"
-#include "chromeos/login/auth/user_context.h"
-#include "components/user_manager/user_manager.h"
-#include "content/public/browser/browser_task_traits.h"
-#include "content/public/browser/browser_thread.h"
-#include "content/public/browser/web_ui.h"
-#include "ui/base/l10n/l10n_util.h"
-
-namespace chromeos {
-
-user_manager::UserManager* AppLaunchSigninScreen::test_user_manager_ = NULL;
-
-AppLaunchSigninScreen::AppLaunchSigninScreen(OobeUI* oobe_ui,
-                                             Delegate* delegate)
-    : oobe_ui_(oobe_ui), delegate_(delegate), webui_handler_(NULL) {}
-
-AppLaunchSigninScreen::~AppLaunchSigninScreen() {
-  oobe_ui_->ResetSigninScreenHandlerDelegate();
-}
-
-void AppLaunchSigninScreen::Show() {
-  InitOwnerUserList();
-  oobe_ui_->web_ui()->CallJavascriptFunctionUnsafe(
-      "login.AccountPickerScreen.setShouldShowApps", base::Value(false));
-  oobe_ui_->ShowSigninScreen(this);
-}
-
-void AppLaunchSigninScreen::InitOwnerUserList() {
-  user_manager::UserManager* user_manager = GetUserManager();
-  const std::string& owner_email =
-      user_manager->GetOwnerAccountId().GetUserEmail();
-  const user_manager::UserList& all_users = user_manager->GetUsers();
-
-  owner_user_list_.clear();
-  for (user_manager::UserList::const_iterator it = all_users.begin();
-       it != all_users.end(); ++it) {
-    user_manager::User* user = *it;
-    if (user->GetAccountId().GetUserEmail() == owner_email) {
-      owner_user_list_.push_back(user);
-      break;
-    }
-  }
-}
-
-// static
-void AppLaunchSigninScreen::SetUserManagerForTesting(
-    user_manager::UserManager* user_manager) {
-  test_user_manager_ = user_manager;
-}
-
-user_manager::UserManager* AppLaunchSigninScreen::GetUserManager() {
-  return test_user_manager_ ? test_user_manager_
-                            : user_manager::UserManager::Get();
-}
-
-void AppLaunchSigninScreen::CancelUserAdding() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::Login(const UserContext& user_context,
-                                  const SigninSpecifics& specifics) {
-  // Note: CreateAuthenticator doesn't necessarily create
-  // a new Authenticator object, and could reuse an existing one.
-  authenticator_ = UserSessionManager::GetInstance()->CreateAuthenticator(this);
-  content::GetUIThreadTaskRunner({})->PostTask(
-      FROM_HERE, base::BindOnce(&Authenticator::AuthenticateToUnlock,
-                                authenticator_.get(), user_context));
-}
-
-void AppLaunchSigninScreen::OnSigninScreenReady() {}
-
-void AppLaunchSigninScreen::ShowEnterpriseEnrollmentScreen() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::ShowKioskEnableScreen() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::ShowKioskAutolaunchScreen() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::ShowWrongHWIDScreen() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::SetWebUIHandler(
-    LoginDisplayWebUIHandler* webui_handler) {
-  webui_handler_ = webui_handler;
-}
-
-const user_manager::UserList& AppLaunchSigninScreen::GetUsers() const {
-  if (test_user_manager_) {
-    return test_user_manager_->GetUsers();
-  }
-  return owner_user_list_;
-}
-
-bool AppLaunchSigninScreen::IsShowUsers() const {
-  return true;
-}
-
-bool AppLaunchSigninScreen::ShowUsersHasChanged() const {
-  return false;
-}
-
-bool AppLaunchSigninScreen::AllowNewUserChanged() const {
-  return false;
-}
-
-bool AppLaunchSigninScreen::IsSigninInProgress() const {
-  // Return true to suppress network processing in the signin screen.
-  return true;
-}
-
-bool AppLaunchSigninScreen::IsUserSigninCompleted() const {
-  return false;
-}
-
-void AppLaunchSigninScreen::OnAuthFailure(const AuthFailure& error) {
-  LOG(ERROR) << "Unlock failure: " << error.reason();
-  webui_handler_->ClearAndEnablePassword();
-  webui_handler_->ShowError(
-      0, l10n_util::GetStringUTF8(IDS_LOGIN_ERROR_AUTHENTICATING_KIOSK),
-      std::string(), HelpAppLauncher::HELP_CANT_ACCESS_ACCOUNT);
-}
-
-void AppLaunchSigninScreen::OnAuthSuccess(const UserContext& user_context) {
-  delegate_->OnOwnerSigninSuccess();
-}
-
-void AppLaunchSigninScreen::HandleGetUsers() {
-  base::ListValue users_list;
-  const user_manager::UserList& users = GetUsers();
-
-  for (user_manager::UserList::const_iterator it = users.begin();
-       it != users.end(); ++it) {
-    proximity_auth::mojom::AuthType initial_auth_type =
-        UserSelectionScreen::ShouldForceOnlineSignIn(*it)
-            ? proximity_auth::mojom::AuthType::ONLINE_SIGN_IN
-            : proximity_auth::mojom::AuthType::OFFLINE_PASSWORD;
-    auto user_dict = std::make_unique<base::DictionaryValue>();
-    UserSelectionScreen::FillUserDictionary(
-        *it, true,               /* is_owner */
-        false,                   /* is_signin_to_add */
-        initial_auth_type, NULL, /* public_session_recommended_locales */
-        user_dict.get());
-    users_list.Append(std::move(user_dict));
-  }
-
-  webui_handler_->LoadUsers(users, users_list);
-}
-
-void AppLaunchSigninScreen::CheckUserStatus(const AccountId& account_id) {}
-
-}  // namespace chromeos
--- a/chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.h
+++ b/chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.h
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef CHROME_BROWSER_CHROMEOS_LOGIN_APP_MODE_APP_LAUNCH_SIGNIN_SCREEN_H_
-#define CHROME_BROWSER_CHROMEOS_LOGIN_APP_MODE_APP_LAUNCH_SIGNIN_SCREEN_H_
-
-#include <string>
-
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h"
-#include "chromeos/components/proximity_auth/screenlock_bridge.h"
-#include "chromeos/login/auth/auth_status_consumer.h"
-#include "chromeos/login/auth/authenticator.h"
-#include "components/user_manager/user.h"
-#include "components/user_manager/user_manager.h"
-
-class AccountId;
-
-namespace chromeos {
-
-class OobeUI;
-
-// The app launch signin screen shows the user pod of the device owner
-// and requires the user to login in order to access the network dialog.
-// This screen is quite similar to the standard lock screen, but we do not
-// create a new view to superimpose over the desktop.
-//
-// TODO(tengs): This class doesn't quite follow the idiom of the other
-// screen classes, as SigninScreenHandler is very tightly coupled with
-// the login screen. We should do some refactoring in this area.
-class AppLaunchSigninScreen : public SigninScreenHandlerDelegate,
-                              public AuthStatusConsumer {
- public:
-  class Delegate {
-   public:
-    virtual void OnOwnerSigninSuccess() = 0;
-
-   protected:
-    virtual ~Delegate() {}
-  };
-
-  AppLaunchSigninScreen(OobeUI* oobe_ui, Delegate* delegate);
-  ~AppLaunchSigninScreen() override;
-
-  void Show();
-
-  static void SetUserManagerForTesting(user_manager::UserManager* user_manager);
-
- private:
-  void InitOwnerUserList();
-  user_manager::UserManager* GetUserManager();
-  const user_manager::UserList& GetUsers() const;
-
-  // SigninScreenHandlerDelegate implementation:
-  void CancelUserAdding() override;
-  void Login(const UserContext& user_context,
-             const SigninSpecifics& specifics) override;
-  void OnSigninScreenReady() override;
-  void ShowEnterpriseEnrollmentScreen() override;
-  void ShowKioskEnableScreen() override;
-  void ShowKioskAutolaunchScreen() override;
-  void ShowWrongHWIDScreen() override;
-  void SetWebUIHandler(LoginDisplayWebUIHandler* webui_handler) override;
-  bool IsShowUsers() const override;
-  bool ShowUsersHasChanged() const override;
-  bool AllowNewUserChanged() const override;
-  bool IsSigninInProgress() const override;
-  bool IsUserSigninCompleted() const override;
-  void HandleGetUsers() override;
-  void CheckUserStatus(const AccountId& account_id) override;
-
-  // AuthStatusConsumer implementation:
-  void OnAuthFailure(const AuthFailure& error) override;
-  void OnAuthSuccess(const UserContext& user_context) override;
-
-  OobeUI* oobe_ui_;
-  Delegate* delegate_;
-  LoginDisplayWebUIHandler* webui_handler_;
-  scoped_refptr<Authenticator> authenticator_;
-
-  // This list should have at most one user, and that user should be the owner.
-  user_manager::UserList owner_user_list_;
-
-  static user_manager::UserManager* test_user_manager_;
-
-  DISALLOW_COPY_AND_ASSIGN(AppLaunchSigninScreen);
-};
-
-}  // namespace chromeos
-
-#endif  // CHROME_BROWSER_CHROMEOS_LOGIN_APP_MODE_APP_LAUNCH_SIGNIN_SCREEN_H_
--- a/chrome/browser/chromeos/login/app_mode/kiosk_browsertest.cc
+++ b/chrome/browser/chromeos/login/app_mode/kiosk_browsertest.cc
@@ -52,7 +52,6 @@
 #include "chrome/browser/chromeos/login/test/test_condition_waiter.h"
 #include "chrome/browser/chromeos/login/ui/login_display_host.h"
 #include "chrome/browser/chromeos/login/ui/login_display_host_webui.h"
-#include "chrome/browser/chromeos/login/users/mock_user_manager.h"
 #include "chrome/browser/chromeos/login/wizard_controller.h"
 #include "chrome/browser/chromeos/ownership/fake_owner_settings_service.h"
 #include "chrome/browser/chromeos/policy/device_local_account.h"
@@ -60,6 +59,7 @@
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/scoped_cros_settings_test_helper.h"
 #include "chrome/browser/chromeos/settings/scoped_testing_cros_settings.h"
+#include "chrome/browser/chromeos/settings/stub_cros_settings_provider.h"
 #include "chrome/browser/device_identity/device_oauth2_token_service.h"
 #include "chrome/browser/device_identity/device_oauth2_token_service_factory.h"
 #include "chrome/browser/extensions/browsertest_util.h"
@@ -501,7 +501,6 @@ class KioskTest : public OobeBaseTest {
    set_test_app_version("1.0.0");
    set_test_crx_file(test_app_id() + ".crx");
    needs_background_networking_ = true;
-    mock_user_manager_.reset(new MockUserManager);
    ProfileHelper::SetAlwaysReturnPrimaryUserForTesting(true);
    skip_splash_wait_override_ =
        KioskLaunchController::SkipSplashScreenWaitForTesting();
@@ -533,7 +532,6 @@ class KioskTest : public OobeBaseTest {
    owner_settings_service_.reset();
    settings_helper_.RestoreRealDeviceSettingsProvider();
    KioskLaunchController::SetNetworkTimeoutCallbackForTesting(nullptr);
-    AppLaunchSigninScreen::SetUserManagerForTesting(nullptr);

    OobeBaseTest::TearDownOnMainThread();

@@ -582,24 +580,7 @@ class KioskTest : public OobeBaseTest {
                                             owner_settings_service_.get());
  }

-  void StartUIForAppLaunch() {
-    if (use_consumer_kiosk_mode_)
-      EnableConsumerKioskMode();
-
-    // Start UI
-    chromeos::WizardController::SkipPostLoginScreensForTesting();
-    chromeos::WizardController* wizard_controller =
-        chromeos::WizardController::default_controller();
-    if (wizard_controller)
-      wizard_controller->SkipToLoginForTesting();
-
-    OobeScreenWaiter(GaiaView::kScreenId).Wait();
-  }
-
  void PrepareAppLaunch() {
-    // Start UI
-    StartUIForAppLaunch();
-
    // Wait for the Kiosk App configuration to reload.
    int ui_update_count = ash::LoginScreenTestApi::GetUiUpdateCount();
    ReloadKioskApps();
@@ -703,7 +684,7 @@ class KioskTest : public OobeBaseTest {

    runner->Run();

-    CHECK(GetKioskLaunchController()->network_wait_timedout());
+    ASSERT_TRUE(GetKioskLaunchController()->network_wait_timedout());
  }

  void EnableConsumerKioskMode() {
@@ -724,15 +705,12 @@ class KioskTest : public OobeBaseTest {
    KioskAppManager::Get()->GetConsumerKioskAutoLaunchStatus(base::BindOnce(
        &ConsumerKioskAutoLaunchStatusCheck, &status, runner->QuitClosure()));
    runner->Run();
-    CHECK_NE(status,
-             static_cast<KioskAppManager::ConsumerKioskAutoLaunchStatus>(-1));
+    EXPECT_NE(status,
+              static_cast<KioskAppManager::ConsumerKioskAutoLaunchStatus>(-1));
    return status;
  }

  void RunAppLaunchNetworkDownTest() {
-    mock_user_manager()->SetActiveUser(test_owner_account_id_);
-    AppLaunchSigninScreen::SetUserManagerForTesting(mock_user_manager());
-
    // Mock network could be configured with owner's password.
    ScopedCanConfigureNetwork can_configure_network(true, true);

@@ -746,24 +724,20 @@ class KioskTest : public OobeBaseTest {
    // Configure network link should be visible.
    test::OobeJS().ExpectVisiblePath(kConfigNetwork);

-    // Set up fake user manager with an owner for the test.
-    LoginDisplayHost::default_host()->GetOobeUI()->ShowOobeUI(false);
-
    // Configure network should bring up lock screen for owner.
-    OobeScreenWaiter lock_screen_waiter(OobeScreen::SCREEN_ACCOUNT_PICKER);
    static_cast<AppLaunchSplashScreenView::Delegate*>(
        GetKioskLaunchController())
        ->OnConfigureNetwork();
-    lock_screen_waiter.Wait();
-
+    EXPECT_FALSE(ash::LoginScreenTestApi::IsOobeDialogVisible());
    // There should be only one owner pod on this screen.
-    test::OobeJS().ExpectTrue("$('pod-row').alwaysFocusSinglePod");
+    EXPECT_EQ(ash::LoginScreenTestApi::GetUsersCount(), 1);

    // A network error screen should be shown after authenticating.
    OobeScreenWaiter error_screen_waiter(ErrorScreenView::kScreenId);
-    static_cast<AppLaunchSigninScreen::Delegate*>(GetKioskLaunchController())
-        ->OnOwnerSigninSuccess();
+    ash::LoginScreenTestApi::SubmitPassword(test_owner_account_id_, "password",
+                                            /*check_if_submittable=*/true);
    error_screen_waiter.Wait();
+    EXPECT_TRUE(ash::LoginScreenTestApi::IsOobeDialogVisible());

    ASSERT_TRUE(GetKioskLaunchController()->showing_network_dialog());

@@ -834,8 +808,6 @@ class KioskTest : public OobeBaseTest {
    test::OobeJS().CreateVisibilityWaiter(visibility, {"autolaunch"})->Wait();
  }

-  MockUserManager* mock_user_manager() { return mock_user_manager_.get(); }
-
  void set_test_app_id(const std::string& test_app_id) {
    test_app_id_ = test_app_id;
  }
@@ -856,7 +828,7 @@ class KioskTest : public OobeBaseTest {
  std::unique_ptr<FakeOwnerSettingsService> owner_settings_service_;

  const AccountId test_owner_account_id_ =
-      AccountId::FromUserEmail(kTestOwnerEmail);
+      AccountId::FromUserEmailGaiaId(kTestOwnerEmail, "111");

  NetworkPortalDetectorMixin network_portal_detector_{&mixin_host_};

@@ -870,7 +842,6 @@ class KioskTest : public OobeBaseTest {
  std::string test_app_version_;
  std::string test_crx_file_;
  std::unique_ptr<FakeCWS> fake_cws_;
-  std::unique_ptr<MockUserManager> mock_user_manager_;

  std::unique_ptr<base::AutoReset<bool>> skip_splash_wait_override_;
  std::unique_ptr<base::AutoReset<base::TimeDelta>> network_wait_override_;
@@ -879,7 +850,23 @@ class KioskTest : public OobeBaseTest {
  DISALLOW_COPY_AND_ASSIGN(KioskTest);
 };

-IN_PROC_BROWSER_TEST_F(KioskTest, InstallAndLaunchApp) {
+class KioskDeviceOwnedTest : public KioskTest {
+ public:
+  KioskDeviceOwnedTest() {
+    settings_helper_.Set(kDeviceOwner,
+                         base::Value(test_owner_account_id_.GetUserEmail()));
+    login_manager_.AppendRegularUsers(1);
+  }
+
+ protected:
+  LoginManagerMixin login_manager_{
+      &mixin_host_,
+      {{LoginManagerMixin::TestUserInfo{test_owner_account_id_}}}};
+  DeviceStateMixin device_state_{
+      &mixin_host_, DeviceStateMixin::State::OOBE_COMPLETED_CONSUMER_OWNED};
+};
+
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, InstallAndLaunchApp) {
  StartAppLaunchFromLoginScreen(
      NetworkPortalDetector::CAPTIVE_PORTAL_STATUS_ONLINE);
  WaitForAppLaunchSuccess();
@@ -889,7 +876,8 @@ IN_PROC_BROWSER_TEST_F(KioskTest, InstallAndLaunchApp) {
  EXPECT_EQ(extensions::Manifest::EXTERNAL_PREF, GetInstalledAppLocation());
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, VirtualKeyboardFeaturesEnabledByDefault) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest,
+                       VirtualKeyboardFeaturesEnabledByDefault) {
  StartAppLaunchFromLoginScreen(
      NetworkPortalDetector::CAPTIVE_PORTAL_STATUS_ONLINE);
  WaitForAppLaunchSuccess();
@@ -907,7 +895,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, VirtualKeyboardFeaturesEnabledByDefault) {
  EXPECT_TRUE(config.voice_input);
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, HiddenShelf) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, HiddenShelf) {
  ExtensionTestMessageListener app_window_loaded_listener("appWindowLoaded",
                                                          false);
  StartAppLaunchFromLoginScreen(
@@ -941,7 +929,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, HiddenShelf) {
  EXPECT_FALSE(ash::ShelfTestApi().IsVisible());
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, ZoomSupport) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, ZoomSupport) {
  ExtensionTestMessageListener app_window_loaded_listener("appWindowLoaded",
                                                          false);
  StartAppLaunchFromLoginScreen(
@@ -1008,7 +996,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, ZoomSupport) {
  content::RunAllPendingInMessageLoop();
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, NotSignedInWithGAIAAccount) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, NotSignedInWithGAIAAccount) {
  // Tests that the kiosk session is not considered to be logged in with a GAIA
  // account.
  StartAppLaunchFromLoginScreen(
@@ -1022,18 +1010,19 @@ IN_PROC_BROWSER_TEST_F(KioskTest, NotSignedInWithGAIAAccount) {
                   ->HasPrimaryAccount(signin::ConsentLevel::kNotRequired));
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, PRE_LaunchAppNetworkDown) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, PRE_LaunchAppNetworkDown) {
  // Tests the network down case for the initial app download and launch.
  RunAppLaunchNetworkDownTest();
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, LaunchAppNetworkDown) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, LaunchAppNetworkDown) {
  // Tests the network down case for launching an existing app that is
  // installed in PRE_LaunchAppNetworkDown.
  RunAppLaunchNetworkDownTest();
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, LaunchAppWithNetworkConfigAccelerator) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest,
+                       LaunchAppWithNetworkConfigAccelerator) {
  ScopedCanConfigureNetwork can_configure_network(true, false);

  // Block app loading until the welcome screen is shown.
@@ -1048,8 +1037,9 @@ IN_PROC_BROWSER_TEST_F(KioskTest, LaunchAppWithNetworkConfigAccelerator) {
  // A network error screen should be shown after authenticating.
  OobeScreenWaiter error_screen_waiter(ErrorScreenView::kScreenId);
  // Simulate Ctrl+Alt+N accelerator.
-  GetLoginUI()->CallJavascriptFunctionUnsafe(
-      "cr.ui.Oobe.handleAccelerator", base::Value("app_launch_network_config"));
+
+  LoginDisplayHost::default_host()->HandleAccelerator(
+      ash::LoginAcceleratorAction::kAppLaunchNetworkConfig);
  error_screen_waiter.Wait();
  ASSERT_TRUE(GetKioskLaunchController()->showing_network_dialog());

@@ -1065,7 +1055,8 @@ IN_PROC_BROWSER_TEST_F(KioskTest, LaunchAppWithNetworkConfigAccelerator) {
  WaitForAppLaunchSuccess();
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, LaunchAppNetworkDownConfigureNotAllowed) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest,
+                       LaunchAppNetworkDownConfigureNotAllowed) {
  // Mock network could not be configured.
  ScopedCanConfigureNetwork can_configure_network(false, true);

@@ -1084,7 +1075,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, LaunchAppNetworkDownConfigureNotAllowed) {
  WaitForAppLaunchSuccess();
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, LaunchAppNetworkPortal) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, LaunchAppNetworkPortal) {
  // Mock network could be configured without the owner password.
  ScopedCanConfigureNetwork can_configure_network(true, false);

@@ -1108,7 +1099,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, LaunchAppNetworkPortal) {
 }

 // TODO(crbug.com/964333): Flaky seg faults
-IN_PROC_BROWSER_TEST_F(KioskTest, DISABLED_LaunchAppUserCancel) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, DISABLED_LaunchAppUserCancel) {
  StartAppLaunchFromLoginScreen(
      NetworkPortalDetector::CAPTIVE_PORTAL_STATUS_ONLINE);
  OobeScreenWaiter splash_waiter(AppLaunchSplashScreenView::kScreenId);
@@ -1121,8 +1112,8 @@ IN_PROC_BROWSER_TEST_F(KioskTest, DISABLED_LaunchAppUserCancel) {
  content::WindowedNotificationObserver signal(
      chrome::NOTIFICATION_APP_TERMINATING,
      content::NotificationService::AllSources());
-  GetLoginUI()->CallJavascriptFunctionUnsafe("cr.ui.Oobe.handleAccelerator",
-                                             base::Value("app_launch_bailout"));
+  LoginDisplayHost::default_host()->HandleAccelerator(
+      ash::LoginAcceleratorAction::kAppLaunchBailout);
  signal.Wait();
  EXPECT_EQ(chromeos::KioskAppLaunchError::USER_CANCEL,
            chromeos::KioskAppLaunchError::Get());
@@ -1134,7 +1125,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, AutolaunchWarningCancel) {
  chromeos::WizardController::SkipPostLoginScreensForTesting();
  chromeos::WizardController* wizard_controller =
      chromeos::WizardController::default_controller();
-  CHECK(wizard_controller);
+  ASSERT_TRUE(wizard_controller);

  // Start login screen after configuring auto launch app since the warning
  // is triggered when switching to login screen.
@@ -1146,8 +1137,8 @@ IN_PROC_BROWSER_TEST_F(KioskTest, AutolaunchWarningCancel) {

  // Wait for the auto launch warning come up.
  WaitForAuthLaunchWarning(/*visibility=*/true);
-  GetLoginUI()->CallJavascriptFunctionUnsafe(
-      "login.AutolaunchScreen.confirmAutoLaunchForTesting", base::Value(false));
+  test::ExecuteOobeJS(
+      "login.AutolaunchScreen.confirmAutoLaunchForTesting(false);");

  // Wait for the auto launch warning to go away.
  WaitForAuthLaunchWarning(/*visibility=*/false);
@@ -1161,7 +1152,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, AutolaunchWarningConfirm) {
  chromeos::WizardController::SkipPostLoginScreensForTesting();
  chromeos::WizardController* wizard_controller =
      chromeos::WizardController::default_controller();
-  CHECK(wizard_controller);
+  ASSERT_TRUE(wizard_controller);

  // Start login screen after configuring auto launch app since the warning
  // is triggered when switching to login screen.
@@ -1174,8 +1165,8 @@ IN_PROC_BROWSER_TEST_F(KioskTest, AutolaunchWarningConfirm) {
  // Wait for the auto launch warning come up.
  WaitForAuthLaunchWarning(/*visibility=*/true);

-  GetLoginUI()->CallJavascriptFunctionUnsafe(
-      "login.AutolaunchScreen.confirmAutoLaunchForTesting", base::Value(true));
+  test::ExecuteOobeJS(
+      "login.AutolaunchScreen.confirmAutoLaunchForTesting(true);");

  // Wait for the auto launch warning to go away.
  WaitForAuthLaunchWarning(/*visibility=*/false);
@@ -1195,7 +1186,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, KioskEnableCancel) {
  chromeos::WizardController::SkipPostLoginScreensForTesting();
  chromeos::WizardController* wizard_controller =
      chromeos::WizardController::default_controller();
-  CHECK(wizard_controller);
+  ASSERT_TRUE(wizard_controller);

  // Check Kiosk mode status.
  EXPECT_EQ(KioskAppManager::CONSUMER_KIOSK_AUTO_LAUNCH_CONFIGURABLE,
@@ -1204,8 +1195,8 @@ IN_PROC_BROWSER_TEST_F(KioskTest, KioskEnableCancel) {
  // Wait for the login UI to come up and switch to the kiosk_enable screen.
  wizard_controller->SkipToLoginForTesting();
  OobeScreenWaiter(GaiaView::kScreenId).Wait();
-  GetLoginUI()->CallJavascriptFunctionUnsafe("cr.ui.Oobe.handleAccelerator",
-                                             base::Value("kiosk_enable"));
+  LoginDisplayHost::default_host()->HandleAccelerator(
+      ash::LoginAcceleratorAction::kEnableConsumerKiosk);

  // Wait for the kiosk_enable screen to show and cancel the screen.
  OobeScreenWaiter(KioskEnableScreenView::kScreenId).Wait();
@@ -1224,7 +1215,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, KioskEnableConfirmed) {
  chromeos::WizardController::SkipPostLoginScreensForTesting();
  chromeos::WizardController* wizard_controller =
      chromeos::WizardController::default_controller();
-  CHECK(wizard_controller);
+  ASSERT_TRUE(wizard_controller);

  // Check Kiosk mode status.
  EXPECT_EQ(KioskAppManager::CONSUMER_KIOSK_AUTO_LAUNCH_CONFIGURABLE,
@@ -1233,7 +1224,8 @@ IN_PROC_BROWSER_TEST_F(KioskTest, KioskEnableConfirmed) {
  // Wait for the login UI to come up and switch to the kiosk_enable screen.
  wizard_controller->SkipToLoginForTesting();
  OobeScreenWaiter(GaiaView::kScreenId).Wait();
-  test::ExecuteOobeJS("cr.ui.Oobe.handleAccelerator('kiosk_enable');");
+  LoginDisplayHost::default_host()->HandleAccelerator(
+      ash::LoginAcceleratorAction::kEnableConsumerKiosk);

  // Wait for the kiosk_enable screen to show and enable kiosk.
  OobeScreenWaiter(KioskEnableScreenView::kScreenId).Wait();
@@ -1253,7 +1245,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, KioskEnableAfter2ndSigninScreen) {
  chromeos::WizardController::SkipPostLoginScreensForTesting();
  chromeos::WizardController* wizard_controller =
      chromeos::WizardController::default_controller();
-  CHECK(wizard_controller);
+  ASSERT_TRUE(wizard_controller);

  // Check Kiosk mode status.
  EXPECT_EQ(KioskAppManager::CONSUMER_KIOSK_AUTO_LAUNCH_CONFIGURABLE,
@@ -1262,8 +1254,8 @@ IN_PROC_BROWSER_TEST_F(KioskTest, KioskEnableAfter2ndSigninScreen) {
  // Wait for the login UI to come up and switch to the kiosk_enable screen.
  wizard_controller->SkipToLoginForTesting();
  OobeScreenWaiter(GaiaView::kScreenId).Wait();
-  GetLoginUI()->CallJavascriptFunctionUnsafe("cr.ui.Oobe.handleAccelerator",
-                                             base::Value("kiosk_enable"));
+  LoginDisplayHost::default_host()->HandleAccelerator(
+      ash::LoginAcceleratorAction::kEnableConsumerKiosk);

  // Wait for the kiosk_enable screen to show and cancel the screen.
  OobeScreenWaiter(KioskEnableScreenView::kScreenId).Wait();
@@ -1279,8 +1271,9 @@ IN_PROC_BROWSER_TEST_F(KioskTest, KioskEnableAfter2ndSigninScreen) {
  OobeScreenWaiter(GaiaView::kScreenId).Wait();

  // Show kiosk enable screen again.
-  GetLoginUI()->CallJavascriptFunctionUnsafe("cr.ui.Oobe.handleAccelerator",
-                                             base::Value("kiosk_enable"));
+  LoginDisplayHost::default_host()->HandleAccelerator(
+      ash::LoginAcceleratorAction::kEnableConsumerKiosk);
+
  // And it should show up.
  OobeScreenWaiter(KioskEnableScreenView::kScreenId).Wait();
 }
@@ -1330,19 +1323,20 @@ IN_PROC_BROWSER_TEST_F(KioskTest, NoConsumerAutoLaunchWhenUntrusted) {
  ReloadAutolaunchKioskApps();
  wizard_controller->SkipToLoginForTesting();
  WaitForAuthLaunchWarning(/*visibility=*/true);
-  GetLoginUI()->CallJavascriptFunctionUnsafe(
-      "login.AutolaunchScreen.confirmAutoLaunchForTesting", base::Value(true));

  // Make cros settings untrusted.
  settings_helper_.SetTrustedStatus(
      CrosSettingsProvider::PERMANENTLY_UNTRUSTED);

+  test::ExecuteOobeJS(
+      "login.AutolaunchScreen.confirmAutoLaunchForTesting(true);");
+
  // Check that the attempt to auto-launch a kiosk app fails with an error.
  OobeScreenWaiter(ErrorScreenView::kScreenId).Wait();
 }

 // Verifies available volumes for kiosk apps in kiosk session.
-IN_PROC_BROWSER_TEST_F(KioskTest, GetVolumeList) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, GetVolumeList) {
  set_test_app_id(kTestGetVolumeListKioskApp);
  set_test_app_version("0.1");
  set_test_crx_file(test_app_id() + ".crx");
@@ -1353,7 +1347,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, GetVolumeList) {
  ASSERT_TRUE(catcher.GetNextResult()) << catcher.message();
 }

-IN_PROC_BROWSER_TEST_F(KioskTest, SettingsWindow) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest, SettingsWindow) {
  StartAppLaunchFromLoginScreen(
      NetworkPortalDetector::CAPTIVE_PORTAL_STATUS_ONLINE);
  WaitForAppLaunchWithOptions(true /* check_launch_data */,
@@ -1456,7 +1450,8 @@ IN_PROC_BROWSER_TEST_F(KioskTest, SettingsWindow) {

 // Verifies that an enterprise device does not auto-launch kiosk mode when cros
 // settings are untrusted.
-IN_PROC_BROWSER_TEST_F(KioskTest, NoEnterpriseAutoLaunchWhenUntrusted) {
+IN_PROC_BROWSER_TEST_F(KioskDeviceOwnedTest,
+                       NoEnterpriseAutoLaunchWhenUntrusted) {
  PrepareAppLaunch();
  SimulateNetworkOnline();

@@ -1475,6 +1470,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, NoEnterpriseAutoLaunchWhenUntrusted) {
  EXPECT_FALSE(login_display_host->GetKioskLaunchController());
 }

+// TODO(crbug.com/1149893): Migrate to KioskDeviceOwnedTest.
 IN_PROC_BROWSER_TEST_F(KioskTest, SpokenFeedback) {
  test::SpeechMonitor sm;
  AccessibilityManager::Get()->EnableSpokenFeedback(true);
@@ -1523,7 +1519,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, SpokenFeedback) {
 // data in-between session, as opposed to what they usually do in user sessions.
 // See http://crbug.com/1049566
 IN_PROC_BROWSER_TEST_F(
-    KioskTest,
+    KioskDeviceOwnedTest,
    PRE_AccessibilityExtensionsResetTheirStateUponSessionRestart) {
  test::SpeechMonitor speech_monitor;
  StartAppLaunchFromLoginScreen(
@@ -1594,7 +1590,7 @@ IN_PROC_BROWSER_TEST_F(
 }

 IN_PROC_BROWSER_TEST_F(
-    KioskTest,
+    KioskDeviceOwnedTest,
    AccessibilityExtensionsResetTheirStateUponSessionRestart) {
  test::SpeechMonitor speech_monitor;
  StartAppLaunchFromLoginScreen(
@@ -1777,7 +1773,6 @@ class KioskUpdateTest : public KioskTest {
    }

    // Launch the primary app.
-    StartUIForAppLaunch();
    SimulateNetworkOnline();
    EXPECT_TRUE(LaunchApp(test_app_id()));
    WaitForAppLaunchWithOptions(false, true);
@@ -1934,7 +1929,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, PRE_LaunchOfflineEnabledAppNoNetwork) {

 IN_PROC_BROWSER_TEST_F(KioskUpdateTest, LaunchOfflineEnabledAppNoNetwork) {
  set_test_app_id(kTestOfflineEnabledKioskApp);
-  StartUIForAppLaunch();
  SimulateNetworkOffline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -1955,7 +1949,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest,
  set_test_app_id(kTestOfflineEnabledKioskApp);
  EXPECT_TRUE(
      KioskAppManager::Get()->HasCachedCrx(kTestOfflineEnabledKioskApp));
-  StartUIForAppLaunch();
  SimulateNetworkOffline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -1983,7 +1976,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest,
  set_test_app_id(kTestOfflineEnabledKioskApp);
  EXPECT_TRUE(KioskAppManager::Get()->HasCachedCrx(test_app_id()));

-  StartUIForAppLaunch();
  SimulateNetworkOffline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -2002,7 +1994,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, LaunchOfflineEnabledAppNoUpdate) {
  set_test_app_id(kTestOfflineEnabledKioskApp);
  fake_cws()->SetNoUpdate(test_app_id());

-  StartUIForAppLaunch();
  SimulateNetworkOnline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -2021,7 +2012,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, LaunchOfflineEnabledAppHasUpdate) {
  fake_cws()->SetUpdateCrx(test_app_id(),
                           "iiigpodgfihagabpagjehoocpakbnclp.crx", "2.0.0");

-  StartUIForAppLaunch();
  SimulateNetworkOnline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -2038,7 +2028,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, PRE_UsbStickUpdateAppNoNetwork) {
              /*wait_for_app_data=*/true);

  set_test_app_id(kTestOfflineEnabledKioskApp);
-  StartUIForAppLaunch();
  SimulateNetworkOffline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -2066,7 +2055,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, PRE_UsbStickUpdateAppNoNetwork) {
 IN_PROC_BROWSER_TEST_F(KioskUpdateTest, UsbStickUpdateAppNoNetwork) {
  // Verify the kiosk app has been updated to v2.
  set_test_app_id(kTestOfflineEnabledKioskApp);
-  StartUIForAppLaunch();
  SimulateNetworkOffline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -2193,7 +2181,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, PermissionChange) {
  set_test_app_version("2.0.0");
  set_test_crx_file(test_app_id() + "_v2_permission_change.crx");

-  StartUIForAppLaunch();
  SimulateNetworkOnline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -2257,7 +2244,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, PRE_IncompliantPlatformDelayInstall) {
  KioskAppManager::Get()->SetAppWasAutoLaunchedWithZeroDelay(
      kTestOfflineEnabledKioskApp);

-  StartUIForAppLaunch();
  SimulateNetworkOnline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -2279,7 +2265,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, IncompliantPlatformDelayInstall) {
  KioskAppManager::Get()->SetAppWasAutoLaunchedWithZeroDelay(
      kTestOfflineEnabledKioskApp);

-  StartUIForAppLaunch();
  SimulateNetworkOnline();

  EXPECT_TRUE(LaunchApp(test_app_id()));
@@ -2304,7 +2289,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, IncompliantPlatformFirstInstall) {
  KioskAppManager::Get()->SetAppWasAutoLaunchedWithZeroDelay(
      kTestOfflineEnabledKioskApp);

-  StartUIForAppLaunch();
  SimulateNetworkOnline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchSuccess();
@@ -2335,7 +2319,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, UpdateMultiAppKioskRemoveOneApp) {
  fake_cws()->SetNoUpdate(kTestSecondaryApp1);
  fake_cws()->SetNoUpdate(kTestSecondaryApp2);

-  StartUIForAppLaunch();
  SimulateNetworkOnline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchWithOptions(false, true);
@@ -2363,7 +2346,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, UpdateMultiAppKioskAddOneApp) {
                           std::string(kTestSecondaryApp3) + "-1.0.0.crx",
                           "1.0.0");

-  StartUIForAppLaunch();
  SimulateNetworkOnline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchWithOptions(false, true);
@@ -2398,7 +2380,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest,
  fake_cws()->SetNoUpdate(kTestSecondaryApp1);
  fake_cws()->SetNoUpdate(kTestSharedModuleId);

-  StartUIForAppLaunch();
  SimulateNetworkOnline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchWithOptions(false, true);
@@ -2431,7 +2412,6 @@ IN_PROC_BROWSER_TEST_F(KioskUpdateTest, LaunchAppWithUpdatedModule) {
                           std::string(kTestSharedModuleId) + "-2.0.0.crx",
                           "2.0.0");

-  StartUIForAppLaunch();
  SimulateNetworkOnline();
  EXPECT_TRUE(LaunchApp(test_app_id()));
  WaitForAppLaunchWithOptions(false, true);
@@ -2473,12 +2453,6 @@ class KioskEnterpriseTest : public KioskTest {
  KioskEnterpriseTest() { set_use_consumer_kiosk_mode(false); }

  // KioskTest:
-  void SetUpInProcessBrowserTestFixture() override {
-    settings_helper_.SetCurrentUserIsOwner(false);
-
-    KioskTest::SetUpInProcessBrowserTestFixture();
-  }
-
  void SetUpOnMainThread() override {
    KioskTest::SetUpOnMainThread();

@@ -2522,7 +2496,6 @@ class KioskEnterpriseTest : public KioskTest {
  void ConfigureKioskAppInPolicy(const std::string& account_id,
                                 const std::string& app_id,
                                 const std::string& update_url) {
-    settings_helper_.SetCurrentUserIsOwner(true);
    std::vector<policy::DeviceLocalAccount> accounts;
    accounts.push_back(
        policy::DeviceLocalAccount(policy::DeviceLocalAccount::TYPE_KIOSK_APP,
@@ -2532,7 +2505,6 @@ class KioskEnterpriseTest : public KioskTest {
                               account_id);
    settings_helper_.SetString(kServiceAccountIdentity,
                               kTestEnterpriseServiceAccountId);
-    settings_helper_.SetCurrentUserIsOwner(false);
  }

 private:
@@ -2687,7 +2659,7 @@ class KioskVirtualKeyboardTestSoundsManagerTestImpl

 // Specialized test fixture for testing kiosk mode where virtual keyboard is
 // enabled.
-class KioskVirtualKeyboardTest : public KioskTest,
+class KioskVirtualKeyboardTest : public KioskDeviceOwnedTest,
                                 public audio::FakeSystemInfo {
 public:
  KioskVirtualKeyboardTest() {
@@ -2794,14 +2766,11 @@ class KioskHiddenWebUITest : public KioskTest,
 };

 IN_PROC_BROWSER_TEST_F(KioskHiddenWebUITest, AutolaunchWarning) {
-  // Add a device owner.
-  mock_user_manager()->AddUser(test_owner_account_id_);
-
  // Set kiosk app to autolaunch.
  EnableConsumerKioskMode();
  WizardController::SkipPostLoginScreensForTesting();
  WizardController* wizard_controller = WizardController::default_controller();
-  CHECK(wizard_controller);
+  ASSERT_TRUE(wizard_controller);

  // Start login screen after configuring auto launch app since the warning
  // is triggered when switching to login screen.

--- a/chrome/browser/chromeos/login/app_mode/kiosk_launch_controller.cc
+++ b/chrome/browser/chromeos/login/app_mode/kiosk_launch_controller.cc
@@ -115,7 +115,6 @@ class ArcKioskAppServiceWrapper : public KioskAppLauncher {

 KioskLaunchController::KioskLaunchController(OobeUI* oobe_ui)
    : host_(LoginDisplayHost::default_host()),
-      oobe_ui_(oobe_ui),
      splash_screen_view_(oobe_ui->GetView<AppLaunchSplashScreenHandler>()) {}

 KioskLaunchController::KioskLaunchController() : host_(nullptr) {}
@@ -206,8 +205,9 @@ void KioskLaunchController::OnConfigureNetwork() {

  network_ui_state_ = NetworkUIState::SHOWING;
  if (CanConfigureNetwork() && NeedOwnerAuthToConfigureNetwork()) {
-    signin_screen_.reset(new AppLaunchSigninScreen(oobe_ui_, this));
-    signin_screen_->Show();
+    host_->VerifyOwnerForKiosk(
+        base::BindOnce(&KioskLaunchController::OnOwnerSigninSuccess,
+                       weak_ptr_factory_.GetWeakPtr()));
  } else {
    // If kiosk mode was configured through enterprise policy, we may
    // not have an owner user.
@@ -464,7 +464,6 @@ void KioskLaunchController::OnOldEncryptionDetected(

 void KioskLaunchController::OnOwnerSigninSuccess() {
  ShowNetworkConfigureUI();
-  signin_screen_.reset();
 }

 bool KioskLaunchController::CanConfigureNetwork() {

--- a/chrome/browser/chromeos/login/app_mode/kiosk_launch_controller.h
+++ b/chrome/browser/chromeos/login/app_mode/kiosk_launch_controller.h
@@ -8,7 +8,6 @@
 #include "chrome/browser/chromeos/app_mode/kiosk_app_launcher.h"
 #include "chrome/browser/chromeos/app_mode/kiosk_app_types.h"
 #include "chrome/browser/chromeos/app_mode/kiosk_profile_loader.h"
-#include "chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.h"
 #include "chrome/browser/ui/webui/chromeos/login/app_launch_splash_screen_handler.h"

 namespace chromeos {
@@ -53,8 +52,7 @@ class OobeUI;
 // NetworkUI state.
 class KioskLaunchController : public KioskProfileLoader::Delegate,
                              public AppLaunchSplashScreenView::Delegate,
-                              public KioskAppLauncher::Delegate,
-                              public AppLaunchSigninScreen::Delegate {
+                              public KioskAppLauncher::Delegate {
 public:
  using ReturnBoolCallback = base::Callback<bool()>;

@@ -138,8 +136,7 @@ class KioskLaunchController : public KioskProfileLoader::Delegate,
  void OnProfileLoadFailed(KioskAppLaunchError::Error error) override;
  void OnOldEncryptionDetected(const UserContext& user_context) override;

-  // AppLaunchSigninScreen::Delegate:
-  void OnOwnerSigninSuccess() override;
+  void OnOwnerSigninSuccess();

  // Whether the network could be configured during launching.
  bool CanConfigureNetwork();
@@ -166,7 +163,6 @@ class KioskLaunchController : public KioskProfileLoader::Delegate,
  NetworkUIState network_ui_state_ = NetworkUIState::NOT_SHOWING;

  LoginDisplayHost* const host_;  // Not owned, destructed upon shutdown.
-  OobeUI* oobe_ui_ = nullptr;
  AppLaunchSplashScreenView* splash_screen_view_ = nullptr;  // Owned by OobeUI.
  KioskAppId kiosk_app_id_;                                  // Current app.
  Profile* profile_ = nullptr;                               // Not owned.
@@ -179,7 +175,6 @@ class KioskLaunchController : public KioskProfileLoader::Delegate,

  // Used to login into kiosk user profile.
  std::unique_ptr<KioskProfileLoader> kiosk_profile_loader_;
-  std::unique_ptr<AppLaunchSigninScreen> signin_screen_;

  // A timer to ensure the app splash is shown for a minimum amount of time.
  base::OneShotTimer splash_wait_timer_;

--- a/chrome/browser/chromeos/login/ui/fake_login_display_host.cc
+++ b/chrome/browser/chromeos/login/ui/fake_login_display_host.cc
@@ -139,6 +139,8 @@ bool FakeLoginDisplayHost::HasUserPods() {
  return false;
 }

+void FakeLoginDisplayHost::VerifyOwnerForKiosk(base::OnceClosure) {}
+
 void FakeLoginDisplayHost::AddObserver(LoginDisplayHost::Observer* observer) {}

 void FakeLoginDisplayHost::RemoveObserver(

--- a/chrome/browser/chromeos/login/ui/fake_login_display_host.h
+++ b/chrome/browser/chromeos/login/ui/fake_login_display_host.h
@@ -66,6 +66,7 @@ class FakeLoginDisplayHost : public LoginDisplayHost {
  void UpdateAddUserButtonStatus() override;
  void RequestSystemInfoUpdate() override;
  bool HasUserPods() override;
+  void VerifyOwnerForKiosk(base::OnceClosure on_success) override;
  void AddObserver(LoginDisplayHost::Observer* observer) override;
  void RemoveObserver(LoginDisplayHost::Observer* observer) override;


--- a/chrome/browser/chromeos/login/ui/login_display_host.h
+++ b/chrome/browser/chromeos/login/ui/login_display_host.h
@@ -213,6 +213,8 @@ class LoginDisplayHost {
  // Returns if the device has any user after filtering based on policy.
  virtual bool HasUserPods() = 0;

+  virtual void VerifyOwnerForKiosk(base::OnceClosure on_success) = 0;
+
  // Used to add an observer for the changes in the web dilaog login view.
  virtual void AddObserver(Observer* observer) = 0;
  virtual void RemoveObserver(Observer* observer) = 0;

--- a/chrome/browser/chromeos/login/ui/login_display_host_mojo.cc
+++ b/chrome/browser/chromeos/login/ui/login_display_host_mojo.cc
@@ -43,6 +43,7 @@
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
 #include "components/user_manager/user_names.h"
+#include "content/public/browser/browser_task_traits.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "ui/aura/window.h"
 #include "ui/views/view.h"
@@ -356,6 +357,20 @@ bool LoginDisplayHostMojo::HasUserPods() {
  return user_count_ > 0;
 }

+void LoginDisplayHostMojo::VerifyOwnerForKiosk(base::OnceClosure on_success) {
+  // This UI is specific fo the consumer kiosk. We hide all the pods except for
+  // the owner. User can't go back to the normal user screen from this. App
+  // launch cancellation results in the Chrome restart (see
+  // KioskLaunchController::OnCancelAppLaunch).
+  CHECK(GetKioskLaunchController());
+  DCHECK(!owner_verified_callback_);
+  owner_verified_callback_ = std::move(on_success);
+  owner_account_id_ = user_manager::UserManager::Get()->GetOwnerAccountId();
+  CHECK(owner_account_id_.is_valid());
+  login_display_->ShowOwnerPod(owner_account_id_);
+  HideOobeDialog();
+}
+
 void LoginDisplayHostMojo::AddObserver(LoginDisplayHost::Observer* observer) {
  observers_.AddObserver(observer);
 }
@@ -403,6 +418,11 @@ void LoginDisplayHostMojo::HandleAuthenticateUserWithPasswordOrPin(
    user_context.SetIsUsingOAuth(false);
  }

+  if (owner_verified_callback_) {
+    CheckOwnerCredentials(user_context);
+    return;
+  }
+
  existing_user_controller_->Login(user_context, chromeos::SigninSpecifics());
 }

@@ -616,4 +636,25 @@ void LoginDisplayHostMojo::CreateExistingUserController() {
  existing_user_controller_->AddLoginStatusConsumer(this);
 }

+void LoginDisplayHostMojo::CheckOwnerCredentials(
+    const UserContext& user_context) {
+  CHECK_EQ(owner_account_id_, user_context.GetAccountId());
+  if (!extended_authenticator_)
+    extended_authenticator_ = ExtendedAuthenticator::Create(this);
+
+  content::GetUIThreadTaskRunner({})->PostTask(
+      FROM_HERE,
+      base::BindOnce(&ExtendedAuthenticator::AuthenticateToCheck,
+                     extended_authenticator_.get(), user_context,
+                     base::BindOnce(&LoginDisplayHostMojo::OnOwnerSigninSuccess,
+                                    base::Unretained(this))));
+}
+
+void LoginDisplayHostMojo::OnOwnerSigninSuccess() {
+  DCHECK(owner_verified_callback_);
+  std::move(owner_verified_callback_).Run();
+  extended_authenticator_.reset();
+  ShowFullScreen();
+}
+
 }  // namespace chromeos
--- a/chrome/browser/chromeos/login/ui/login_display_host_mojo.h
+++ b/chrome/browser/chromeos/login/ui/login_display_host_mojo.h
@@ -94,6 +94,7 @@ class LoginDisplayHostMojo : public LoginDisplayHostCommon,
  void UpdateAddUserButtonStatus() override;
  void RequestSystemInfoUpdate() override;
  bool HasUserPods() override;
+  void VerifyOwnerForKiosk(base::OnceClosure on_success) override;
  void AddObserver(LoginDisplayHost::Observer* observer) override;
  void RemoveObserver(LoginDisplayHost::Observer* observer) override;

@@ -163,6 +164,10 @@ class LoginDisplayHostMojo : public LoginDisplayHostCommon,
  // consume auth status events.
  void CreateExistingUserController();

+  // Consumer kiosk owner authentication functions.
+  void CheckOwnerCredentials(const UserContext& user_context);
+  void OnOwnerSigninSuccess();
+
  // State associated with a pending authentication attempt.
  struct AuthState {
    AuthState(AccountId account_id, base::OnceCallback<void(bool)> callback);
@@ -214,6 +219,11 @@ class LoginDisplayHostMojo : public LoginDisplayHostCommon,
  // Store which screen is currently displayed.
  DisplayedScreen displayed_screen_ = DisplayedScreen::SIGN_IN_SCREEN;

+  // Consumer kiosk owner fields.
+  AccountId owner_account_id_;
+  base::OnceClosure owner_verified_callback_;
+  scoped_refptr<ExtendedAuthenticator> extended_authenticator_;
+
  ScopedObserver<views::View, views::ViewObserver> scoped_observer_{this};

  base::ObserverList<LoginDisplayHost::Observer> observers_;

--- a/chrome/browser/chromeos/login/ui/login_display_host_webui.cc
+++ b/chrome/browser/chromeos/login/ui/login_display_host_webui.cc
@@ -1031,6 +1031,10 @@ bool LoginDisplayHostWebUI::HasUserPods() {
  return false;
 }

+void LoginDisplayHostWebUI::VerifyOwnerForKiosk(base::OnceClosure) {
+  NOTREACHED();
+}
+
 void LoginDisplayHostWebUI::AddObserver(LoginDisplayHost::Observer* observer) {
  observers_.AddObserver(observer);
 }

--- a/chrome/browser/chromeos/login/ui/login_display_host_webui.h
+++ b/chrome/browser/chromeos/login/ui/login_display_host_webui.h
@@ -89,6 +89,7 @@ class LoginDisplayHostWebUI : public LoginDisplayHostCommon,
  void RequestSystemInfoUpdate() override;
  void OnCancelPasswordChangedFlow() override;
  bool HasUserPods() override;
+  void VerifyOwnerForKiosk(base::OnceClosure) override;
  void AddObserver(LoginDisplayHost::Observer* observer) override;
  void RemoveObserver(LoginDisplayHost::Observer* observer) override;


--- a/chrome/browser/chromeos/login/ui/login_display_mojo.cc
+++ b/chrome/browser/chromeos/login/ui/login_display_mojo.cc
@@ -280,6 +280,35 @@ void LoginDisplayMojo::OnUserImageChanged(const user_manager::User& user) {
      UserSelectionScreen::BuildAshUserAvatarForUser(user));
 }

+void LoginDisplayMojo::ShowOwnerPod(const AccountId& owner) {
+  const user_manager::User* device_owner =
+      user_manager::UserManager::Get()->FindUser(owner);
+  CHECK(device_owner);
+
+  std::vector<ash::LoginUserInfo> user_info_list;
+  ash::LoginUserInfo user_info;
+  user_info.basic_user_info.type = device_owner->GetType();
+  user_info.basic_user_info.account_id = device_owner->GetAccountId();
+  user_info.basic_user_info.display_name =
+      base::UTF16ToUTF8(device_owner->GetDisplayName());
+  user_info.basic_user_info.display_email = device_owner->display_email();
+  user_info.basic_user_info.avatar =
+      UserSelectionScreen::BuildAshUserAvatarForUser(*device_owner);
+  user_info.auth_type = proximity_auth::mojom::AuthType::OFFLINE_PASSWORD;
+  user_info.is_signed_in = device_owner->is_logged_in();
+  user_info.is_device_owner = true;
+  user_info.can_remove = false;
+  user_info_list.push_back(user_info);
+
+  ash::LoginScreen::Get()->GetModel()->SetUserList(user_info_list);
+  ash::LoginScreen::Get()->SetAllowLoginAsGuest(false);
+  ash::LoginScreen::Get()->EnableAddUserButton(false);
+
+  // Disable PIN.
+  ash::LoginScreen::Get()->GetModel()->SetPinEnabledForUser(owner,
+                                                            /*enabled=*/false);
+}
+
 void LoginDisplayMojo::OnPinCanAuthenticate(const AccountId& account_id,
                                            bool can_authenticate) {
  ash::LoginScreen::Get()->GetModel()->SetPinEnabledForUser(account_id,

--- a/chrome/browser/chromeos/login/ui/login_display_mojo.h
+++ b/chrome/browser/chromeos/login/ui/login_display_mojo.h
@@ -67,6 +67,8 @@ class LoginDisplayMojo : public LoginDisplay,
  // user_manager::UserManager::Observer:
  void OnUserImageChanged(const user_manager::User& user) override;

+  void ShowOwnerPod(const AccountId& owner);
+
 private:
  void OnPinCanAuthenticate(const AccountId& account_id, bool can_authenticate);


--- a/chrome/browser/chromeos/login/ui/mock_login_display_host.h
+++ b/chrome/browser/chromeos/login/ui/mock_login_display_host.h
@@ -89,6 +89,7 @@ class MockLoginDisplayHost : public LoginDisplayHost {
  MOCK_METHOD(void, UpdateAddUserButtonStatus, (), (override));
  MOCK_METHOD(void, RequestSystemInfoUpdate, (), (override));
  MOCK_METHOD(bool, HasUserPods, (), (override));
+  MOCK_METHOD(void, VerifyOwnerForKiosk, (base::OnceClosure), (override));
  MOCK_METHOD(void, AddObserver, (LoginDisplayHost::Observer*), (override));
  MOCK_METHOD(void, RemoveObserver, (LoginDisplayHost::Observer*), (override));