Currently, ProfileSyncService exposes at least 3 different auth errors, with different (but overlapping) semantics:

1. GetAuthError()
2. GetSyncTokenStatus().last_get_token_error
3. GetSyncTokenStatus().connection_status

Semantics:
(1) is supposedly the "main" auth error state, but its meaning is fuzzy at best, see below.
(2) is well-defined: It's the result of the last access token fetch.
(3) is not an auth error as such, but one of the possible connection statuses is CONNECTION_AUTH_ERROR. Ironically, that status does *not* result in an auth error per (1), while CONNECTION_SERVER_ERROR *does*. The reason is probably that an auth error here is considered temporary (most likely an expired token), so Sync tries to silently resolve it.

(1) gets set and cleared in various situations:
It gets set when the refresh token is removed or invalidated, when an access token fetch fails (sometimes), or when the connection status becomes CONNECTION_SERVER_ERROR.
It gets cleared when an access token fetch succeeds or the connection status becomes CONNECTION_OK.
Clearing does not check where the error originally came from, e.g. it's possible that it was set because of CONNECTION_SERVER_ERROR, but then an access token fetch happens to succeed so we clear it again.

As a result of all this, the overall exposed state (e.g. in sync-internals) is quite confusing. It's also likely that there are subtle bugs, as in the example above.