Issue 735898

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 716053




[Dice] Revoke existing tokens when receiving a new one

Project Member Reported by droger@chromium.org, Jun 22 2017

Issue description

In the Dice signin flow, we can have a case where we receive a refresh token for an account that already has a refresh token.
We should revoke the old request token in this case.

One option to consider would be to have the token service UpdateCredentials() revoke the existing credentials before setting the new ones.
 

Comment 1 by bugdroid1@chromium.org, Jul 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cf46e15f80f2eaf15cd58715c8983406d2d5106c

commit cf46e15f80f2eaf15cd58715c8983406d2d5106c
Author: David Roger <droger@chromium.org>
Date: Wed Jul 12 16:18:45 2017

[signin] UpdateCredentials() revokes the existing token

When a refresh token was replaced by a new one, it was not revoked, and
was essentially leaking.

OnRefreshTokenRevoked() is not called because it is used to signal that
the associated account no longer has a valid token. This is not the case
here, since the token is immediately replaced by a new one.

Bug: 735898
Change-Id: If0f9777543d574a00084d7dd6b67209aeacf150c
Reviewed-on: https://chromium-review.googlesource.com/568303
Reviewed-by: Mihai Sardarescu <msarda@chromium.org>
Commit-Queue: David Roger <droger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485986}
[modify] https://crrev.com/cf46e15f80f2eaf15cd58715c8983406d2d5106c/chrome/browser/signin/dice_browsertest.cc
[modify] https://crrev.com/cf46e15f80f2eaf15cd58715c8983406d2d5106c/chrome/browser/signin/mutable_profile_oauth2_token_service_delegate.cc
[modify] https://crrev.com/cf46e15f80f2eaf15cd58715c8983406d2d5106c/chrome/browser/signin/mutable_profile_oauth2_token_service_delegate.h
[modify] https://crrev.com/cf46e15f80f2eaf15cd58715c8983406d2d5106c/chrome/browser/signin/mutable_profile_oauth2_token_service_delegate_unittest.cc
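
The behaviour described in the commit message above, as an added example that is not Chromium's code and not taken from the commit: a hypothetical `TokenStore` whose `UpdateCredentials()` requests revocation of the superseded token without signalling that the account lost its credentials. The `log` vector, the no-op on an unchanged token, and the account and token values are assumptions of this sketch.

```cpp
#include <map>
#include <string>
#include <vector>

// Hypothetical store for this example; not Chromium's token service delegate.
class TokenStore {
 public:
  // Stores `token`; a different token already held is revoked afterwards.
  void UpdateCredentials(const std::string& account, const std::string& token) {
    auto it = tokens_.find(account);
    const bool had_token = it != tokens_.end();
    const std::string old_token = had_token ? it->second : std::string();
    if (had_token && old_token == token)
      return;  // Same token again: revoking it would kill the live credential.
    tokens_[account] = token;
    log.push_back("available " + account);
    // No "revoked" notification: the account still has a valid token.
    if (had_token)
      log.push_back("revoke-request " + old_token);
  }

  // Removes the token; the account loses its credential, so observers are told.
  void RevokeCredentials(const std::string& account) {
    auto it = tokens_.find(account);
    if (it == tokens_.end())
      return;
    log.push_back("revoke-request " + it->second);
    log.push_back("revoked " + account);
    tokens_.erase(it);
  }

  // Stand-in for observer callbacks and calls to the revocation endpoint.
  std::vector<std::string> log;

 private:
  std::map<std::string, std::string> tokens_;
};

// Constructed scenario with made-up account and token values.
std::vector<std::string> RunScenario() {
  TokenStore store;
  store.UpdateCredentials("alice", "token-1");  // first token
  store.UpdateCredentials("alice", "token-1");  // unchanged, no-op
  store.UpdateCredentials("alice", "token-2");  // replaces token-1
  store.RevokeCredentials("alice");             // sign-out
  return store.log;
}
```

In the returned log, `token-1` gets a revocation request when it is replaced, but the `revoked alice` notification appears only after the explicit `RevokeCredentials()` call.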

Is this related to failures to issue 742090?

Comment 3 by droger@chromium.org, Jul 13 2017

#2: no, the test was already flaky before. I'm disabling the test on Windows, sorry for the inconvenience.

Comment 4 by sheriffbot@chromium.org, Aug 14 2017

Status: Available (was: Assigned)
--Chrome Identity automated triaging--

This bug is Assigned and has gone one month without any activity, so it is being moved to Available to indicate that it is not actively being worked on. If you are working on this bug, please mark yourself as the owner and move back to Assigned. Please see https://goo.gl/78kbny for more details. Please remove the Services>SignIn or UI>Browser>Profiles components if this bug isn't related to Chrome Identity.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by msarda@chromium.org, Sep 28 2017

David, is this bug fixed now?

Comment 6 by droger@chromium.org, Sep 29 2017

Status: Fixed (was: Available)
Indeed.
