// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// The Mojo interfaces and enums contained in this file use a file-global
// versioning scheme, as opposed to individual interface / enum level
// versioning. Bump this value before making a change to any of the following
// interfaces / enums.
//
// Next MinVersion: 15
module crosapi.mojom;
import "mojo/public/mojom/base/time.mojom";
// Types of accounts which can be stored in Account Manager.
// This must be kept in sync with
// //components/account_manager_core/chromeos/tokens.proto.
//
// The enums values should match the aforementioned proto too.
[Stable, Extensible]
enum AccountType {
[Default] kUnspecified = 0,
kGaia = 1,
kActiveDirectory = 2,
};
// Uniquely identifies an account in Account Manager.
//
// Next id: 2
[Stable]
struct AccountKey {
// `id` is obfuscated Gaia id for Gaia accounts.
// `id` is the object GUID for Microsoft Active Directory accounts.
string id@0;
// Type of the account - such as Gaia, or Microsoft Active Directory.
AccountType account_type@1;
};
// Information about an account in Account Manager.
//
// Next id: 2
[Stable]
struct Account {
// A unique identifier for this account.
AccountKey key@0;
// The raw, un-canonicalized email id ([email protected], as opposed to
// [email protected]) for this account.
string raw_email@1;
};
// See google_apis/gaia/google_service_auth_error.h
//
// IMPORTANT: Do NOT send these values from Lacros to Ash without thinking about
// version skew. Specifically, newer Lacros versions may send values which are
// unknown to Ash. See the implementation of
// `account_manager::FromMojoGoogleServiceAuthError`.
// Note while fixing this - this enum needs to be trivially compatible with
// google_apis/gaia/google_service_auth_error.h - which does not have an
// "unknown" value.
//
// Next id: 5
[Stable]
struct GoogleServiceAuthError {
// Next value: 16
[Stable, Extensible]
enum State {
kNone = 0,
kInvalidGaiaCredentials = 1,
kUserNotSignedUp = 2,
kConnectionFailed = 3,
// DEPRECATED kCaptchaRequired = 4,
// DEPRECATED kAccountDeleted = 5,
// DEPRECATED kAccountDisabled = 6,
kServiceUnavailable = 7,
// DEPRECATED kTwoFactor = 8,
kRequestCanceled = 9,
// DEPRECATED kHostedNotAllowedDeprecated = 10,
kUnexpectedServiceResponse = 11,
kServiceError = 12,
// DEPRECATED kWebLoginRequired = 13,
[MinVersion=10] kScopeLimitedUnrecoverableError = 14,
[MinVersion=14] kChallengeResponseRequired = 15,
};
// Next value: 4
[Stable, Extensible]
enum InvalidGaiaCredentialsReason {
[Default] kUnknown = 0,
kCredentialsRejectedByServer = 1,
kCredentialsRejectedByClient = 2,
kCredentialsMissing = 3,
};
State state@0;
// Network error is set only if `state` is set to `kConnectionFailed`.
// In case of no network error, `network_error` is set to 0.
int64 network_error@1;
string error_message@2;
InvalidGaiaCredentialsReason invalid_gaia_credentials_reason@3;
// Challenge is set only if `state` is set to `kChallengeResponseRequired`.
[MinVersion=14] string? token_binding_challenge@4;
};
// See components/account_manager_core/account_addition_options.h
//
// Next id: 2
[Stable]
struct AccountAdditionOptions {
bool is_available_in_arc@0;
bool show_arc_availability_picker@1;
};
// Next id: 3
[Stable, RenamedFrom="crosapi.mojom.AccountAdditionResult"]
struct AccountUpsertionResult {
// The result of account addition or reauthentication request, sent from Ash
// to Lacros.
// Note: The default value of this enum is `kUnexpectedResponse = 4`, not
// `kSuccess = 0`. This was changed in MinVersion 11.
//
// Next value: 6
[Stable, Extensible]
enum Status {
kSuccess = 0,
kAlreadyInProgress = 1,
kCancelledByUser = 2,
kNetworkError = 3,
[Default] kUnexpectedResponse = 4,
[MinVersion = 9] kBlockedByPolicy = 5,
};
Status status@0;
// The account that was added or updated.
Account? account@1;
// The error is set only if `status` is set to `kNetworkError`.
GoogleServiceAuthError? error@2;
};
// Next id: 3
[Stable]
struct AccessTokenInfo {
// OAuth2 access token.
string access_token@0;
// Expiration time of `access_token`. This value has a built-in safety margin
// so it can be used as-is.
mojo_base.mojom.Time expiration_time@1;
// Contains extra information regarding the user's currently registered
// services.
string id_token@2;
};
[Stable]
union AccessTokenResult {
AccessTokenInfo access_token_info;
GoogleServiceAuthError error;
};
// Interface for observers of Chrome OS Account Manager.
// This interface is implemented by lacros-chrome, and is used by ash-chrome to
// send account update notifications.
//
// Next id: 4
[Stable, Uuid="f75c4963-497b-411f-97ab-c53c7f6b46ed"]
interface AccountManagerObserver {
// Called when the token for `account` is updated/inserted.
// Note: Observers which register with `AccountManager` before its
// initialization is complete will get notified when `AccountManager` is fully
// initialized.
// Note: Observers which register with `AccountManager` after its
// initialization is complete will not get an immediate
// notification-on-registration.
OnTokenUpserted@0(Account account);
// Called when an account has been removed from Account Manager.
// Note: Observers that may have cached access tokens for `account` must clear
// their cache entry for this `account` on receiving this callback.
OnAccountRemoved@1(Account account);
// Called when an `account`'s `error` status changes. See `ReportAuthError` in
// `AccountManager` interface for details.
// Note: Observers that may have cached access tokens for `account` must clear
// their cache entries for this `account` on receiving this callback. They may
// short-circuit future access token requests with an immediate `error` for a
// given `account` as appropriate (e.g. if the error is a non-transient
// error).
// Note: Observers must reset their cached error states (if any) for
// `account` - if the `state` of `error` is `kNone`.
[MinVersion = 1]
OnAuthErrorChanged@2(AccountKey account, GoogleServiceAuthError error);
// Called when Ash's signin dialog is closed, regardless of the reason, e.g.:
// - For account additions as well as re-authentication.
// - For successful completion of the flow, as well as cancellation by the
// user. etc.
[MinVersion = 12]
OnSigninDialogClosed@3();
};
// Interface for Chrome OS Account Manager.
// Chrome OS Account Manager is the source of truth for accounts on Chrome OS -
// including ARC, and Chrome content area. It supports Google accounts and
// Microsoft Active Directory accounts, as of this writing.
// This interface is implemented by ash-chrome, and is used by lacros-chrome to
// query accounts residing in the Chrome OS Account Manager.
// ARC++ uses components/arc/mojom/auth.mojom to talk to the Chrome OS Account
// Manager.
//
// Next id: 9
[Stable, Uuid="85b9a674-9d8e-497f-98d5-22c8dca6f2b8"]
interface AccountManager {
// Returns `true` if Chrome OS Account Manager has been fully initialized, and
// `false` otherwise.
IsInitialized@0() => (bool is_initialized);
// Creates and returns a new receiver for `AccountManagerObserver`.
// This API is supposed to be called by lacros-chrome, fairly early during its
// initialization, to receive updates related to accounts stored in Account
// Manager.
// The connection, and the corresponding remote, is destroyed when `receiver`
// is destroyed. This will happen automatically when lacros is shut down.
[MinVersion = 1]
AddObserver@1() => (pending_receiver<AccountManagerObserver> receiver);
// Returns the list of accounts in AccountManager. Can be invoked before the
// initialization is completed (in this case the callback will be invoked
// after the initialization is done).
[MinVersion = 2]
GetAccounts@2() => (array<Account> accounts);
// Launches account addition dialog and returns `result` with the added
// account.
[MinVersion = 3]
ShowAddAccountDialog@3(
[MinVersion=8] AccountAdditionOptions? add_account_options) =>
(AccountUpsertionResult result);
// Launches account reauthentication dialog for provided `email` and returns
// `result` with the reauthenticated/added account.
[MinVersion = 3]
ShowReauthAccountDialog@4(string email) =>
([MinVersion=13]AccountUpsertionResult? result);
// Launches OS Settings > Accounts.
[MinVersion = 4]
ShowManageAccountsSettings@5();
// Returns a persistent error state for `account`. If `account` doesn't have
// a persistent error or AccountManager doesn't have such an account -
// `GoogleServiceAuthError` with `kNone` state will be returned.
[MinVersion = 5]
GetPersistentErrorForAccount@6(AccountKey account) =>
(GoogleServiceAuthError error);
// Returns a remote to an interface to fetch an access token for
// `account_key`, to be used by `oauth_consumer_name` OAuth2 client.
// `account_key` must be a Gaia account. If `account_key` is invalid or not
// known to Chrome OS Account Manager, fetching an access token via
// `AccessTokenFetcher` will result in an error (`kUserNotSignedUp`). If the
// account's refresh token is no longer valid, it will result in
// `kInvalidGaiaCredentials` error. See `GoogleServiceAuthError` for all error
// types.
[MinVersion = 6]
CreateAccessTokenFetcher@7(AccountKey account_key,
string oauth_consumer_name) =>
(pending_remote<AccessTokenFetcher> access_token_fetcher);
// Reports an `error` for `account`.
// The implementation uses a pubsub model to propagate errors for accounts.
// Any application can report (Publish) account errors. These errors will be
// fanned out to `AccountManagerObserver`s (Subscribers).
// A typical use-case is sharing of account error information between Ash and
// Lacros. Since these errors are OAuth errors, they can be discovered by any
// application (or the OS) - and must be communicated to other applications
// (or the OS).
// `account` must be a valid account known to Account Manager.
// Setting the error `state` as `kNone` resets the error state for `account`.
// Note: Transient errors (`GoogleServiceAuthError::IsTransientError()`)
// reported through this API will be silently ignored.
[MinVersion = 9]
ReportAuthError@8(AccountKey account, GoogleServiceAuthError error);
};
// Interface for fetching OAuth2 access tokens.
//
// Next id: 1
[Stable, Uuid="71476f25-fb77-414f-848e-3e5368a9ee35"]
interface AccessTokenFetcher {
// Starts the request for fetching an access token with the provided `scopes`.
// If `scopes` is empty, `access_token` will have the same scope as the
// underlying refresh token - login scope.
// Don't call this method multiple times - create a new `AccessTokenFetcher`
// instead.
Start@0(array<string> scopes) => (AccessTokenResult result);
};
Codebase Browser
chromium