Proposal: Delete the identity service

James Cook

Jan 30, 2020, 4:06:47 PM
to identity-s...@chromium.org, services-dev, Colin Blundell, xiao...@chromium.org, da...@chromium.org, Sam McNally, slan...@chromium.org, dro...@chromium.org, msa...@chromium.org, bsaz...@chromium.org
//services/identity is ~1000 lines of C++ and mojom. It is compiled and tested on all platforms. It runs in the browser process on the UI thread.

However, it has only 2 consumers, //chromeos/services/assistant and //chromeos/components/drivefs. They use the identity service for access token fetching. These consumers are Chrome OS only, and run in the browser process on the UI thread. Per Xiaohui, there aren't any plans to move this part of the assistant code outside the browser process.

I propose to convert these consumers to directly access the C++ IdentityManager and use PrimaryAccountAccessTokenFetcher. Then we can delete the identity service.

This would make it easier to change the underlying IdentityManager APIs (e.g. for go/consent-aware-api-dd or go/cros-primary-account). In particular, we would not have to write cross-platform support and tests for Chrome OS-only behaviors. See also discussion on this refactoring CL.

Questions:
1. Does the DriveFS team plan to move their code outside the browser process?
2. Are there other services being built right now that need the Identity Service that can't use C++ IdentityManager directly?
3. Could someone on the DriveFS team help out by converting that code? The conversion is straightforward, but I'm not sure how to manually test.

Thanks,
James

Stuart Langley

Jan 30, 2020, 6:46:45 PM
to James Cook, identity-s...@chromium.org, services-dev, Colin Blundell, xiao...@chromium.org, da...@chromium.org, Sam McNally, dro...@chromium.org, msa...@chromium.org, bsaz...@chromium.org

Giovanni Ortuño

Jan 30, 2020, 7:57:54 PM
to Stuart Langley, James Cook, identity-s...@chromium.org, services-dev, Colin Blundell, xiao...@chromium.org, da...@chromium.org, Sam McNally, dro...@chromium.org, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay
A System Web App recently started looking into using the Identity Service.

+Edwin Tay, we should try to finalize the details about what's needed from Identity Service and how much work would it be to build an alternative on top of IdentityManager.

--
You received this message because you are subscribed to the Google Groups "services-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to services-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/services-dev/CALFY5ZynEMXhZZZcH9oezuPtQtkr4usAU%2Bj-31r6fhMKV6kNYg%40mail.gmail.com.

Sergei Datsenko

Jan 30, 2020, 9:57:15 PM
to Giovanni Ortuño, Stuart Langley, James Cook, identity-s...@chromium.org, services-dev, Colin Blundell, xiao...@chromium.org, Sam McNally, dro...@chromium.org, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay
DriveFS does not have plans to move outside of the browser process so as long as we can still mint access tokens we are good with that. I assume proposed PrimaryAccountAccessTokenFetcher is a comparable substitute for the API you want to remove, right?

Cheers,

James Cook

Jan 30, 2020, 11:19:11 PM
to Sergei Datsenko, Giovanni Ortuño, Stuart Langley, identity-s...@chromium.org, services-dev, Colin Blundell, xiao...@chromium.org, Sam McNally, dro...@chromium.org, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay
If the DriveFS code is changed to inject an IdentityManager* it can use the existing signin::AccessTokenFetcher class. Just inline code similar to IdentityAccessorImpl::GetAccessToken (this is where the identity service calls into IdentityManager).

James Cook

Jan 31, 2020, 12:58:52 AM
to Sergei Datsenko, Giovanni Ortuño, Stuart Langley, identity-s...@chromium.org, services-dev, Colin Blundell, xiao...@chromium.org, Sam McNally, dro...@chromium.org, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay
Actually, it looks like DriveFS waits for the primary account to be available, then requests the token. So perhaps it could use the existing signin::PrimaryAccountAccessTokenFetcher in mode kWaitUntilAvailable.

Colin Blundell

Jan 31, 2020, 7:49:48 AM
to James Cook, Erik Chen, Hidehiko Abe, Sergei Datsenko, Giovanni Ortuño, Stuart Langley, identity-service-dev, services-dev, Colin Blundell, xiao...@chromium.org, Sam McNally, David Roger, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay
Thanks for starting this thread, James!

If there are use cases for accessing identity from outside the browser process (cf. Giovanni's email), then we should keep the Identity Service rather than delete it and just need to build something that serves the same purpose.

+Erik Chen +Hidehiko Abe who recently had a potential usecase for the Identity Service as well.

If there are no upcoming usecases for the Identity Service and the existing ones can be migrated to IdentityManager (+1 to usage of PAATF whenever possible by the way, as it's extremely convenient), then +1 to removing it. Regardless of whether there are new usecases, the current ones should be migrated if that is possible.

Best,

Colin

James Cook

Jan 31, 2020, 11:19:02 AM
to Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Giovanni Ortuño, Stuart Langley, identity-service-dev, services-dev, xiao...@chromium.org, Sam McNally, David Roger, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay
Teams with potential use cases for the identity service: Can you clarify your timelines and what platforms you intend to support?

The difficulty I hit recently is that I needed to change the C++ IdentityManager to support a Chrome OS use case, so I had to add support for that use case to Identity Service, which then required cross-platform support and tests.

Hidehiko Abe

Feb 2, 2020, 10:35:34 PM
to James Cook, Colin Blundell, Erik Chen, Sergei Datsenko, Giovanni Ortuño, Stuart Langley, identity-service-dev, services-dev, xiao...@chromium.org, Sam McNally, David Roger, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay, eisi...@chromium.org, sab...@chromium.org, bar...@chromium.org
As for timeline: LaCrOS is still in the experiment stage, and we're hoping to have the engineering cost estimation by EoQ.
So, I don't think it is necessary that this effort is blocked by LaCrOS and we do not want to, so please feel free to make a decision without considering us.

From technical perspectives, we're still trying to get a better understanding about the identity service, so we're not yet very sure the current architecture works better for LaCrOS.
JFYI: I will have a sync meeting with the browser Signin team this week, and I believe it will help me to understand better.

Thanks,
- hidehiko

Giovanni Ortuño

Feb 3, 2020, 12:18:01 AM
to James Cook, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, services-dev, xiao...@chromium.org, Sam McNally, David Roger, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay
On Sat, Feb 1, 2020 at 3:19 AM James Cook <jame...@chromium.org> wrote:
> Teams with potential use cases for the identity service: Can you clarify your timelines and what platforms you intend to support?

Our System Web App is Chrome OS only.

Kushagra Sinha

Feb 3, 2020, 10:23:17 AM
to services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, services-dev, xiao...@chromium.org, Sam McNally, David Roger, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay, James Cook
James/Colin: How is this going to play out with Dent v2?

IdentityManager is a ProfileKeyed Service. If DriveFS / Assistant / "System-level" apps want access to Identity, which IdentityManager are they going to contact (assuming multiple Profiles, and hence multiple IdentityManagers)?

Colin Blundell

Feb 3, 2020, 1:47:57 PM
to Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay, James Cook
Hi Kushagra,

Which Google account should these apps be using in a Dent v2 world? 

Kushagra Sinha

Feb 4, 2020, 5:23:07 AM
to Colin Blundell, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, Mihai Sardarescu, bsaz...@chromium.org, Edwin Tay, James Cook
"Which Google *account*" - Judging from the comments/reviews from the Dent v1 launch, many users are intuitively expecting Chrome OS system apps like Files/Drive to show their Drive folders from all of their accounts added to the system level Account Manager, and not just the Primary/Device Account. I talked to a couple of Files app folks and they would like this too.
Considering this, IMHO the question should be "Which Google *accounts* ..." - and I think these apps should see the view of all Google accounts added to Chrome OS Account Manager.

(Note that Chrome "browser" Profiles will be free to choose a subset (including the null set) of accounts from Chrome OS Account Manager, irrespective of other Profiles or system apps).

WDYT?

Mihai Sardarescu

Feb 4, 2020, 8:09:40 AM
to Kushagra Sinha, Colin Blundell, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay, James Cook
Hi Kushagra,

Then I think we need to change the code and have these services going directly to the ChromeOS AccountManager instead of using the IdentityManager, right? In any case, it would make sense to remove the IdentityService code if these services are running inside the browser process.

Thank you,
- Mihai

Colin Blundell

Feb 4, 2020, 11:42:03 AM
to Mihai Sardarescu, Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay, James Cook
+1 to Mihai's response.

James Cook

Feb 26, 2020, 5:06:18 PM
to Colin Blundell, Mihai Sardarescu, Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay
Update: I migrated Assistant (CL) and DriveFS (CL) to the C++ IdentityManager. The mojo identity service is now unused, except by its own tests.

I'm planning to delete the identity service code soon. I'll leave the //services/identity directory in place, with a README file, just in case we later decide to recover the code from git history.

Thanks everybody for the advice and code reviews.

K. Moon

Feb 26, 2020, 5:12:22 PM
to James Cook, Colin Blundell, Mihai Sardarescu, Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay
Is there a reason to even leave a README behind?

Colin Blundell

Feb 27, 2020, 3:26:38 AM
to K. Moon, James Cook, Mihai Sardarescu, Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay
+1 to just deleting //services/identity. Thank you for this code simplification, James!

James Cook

Feb 27, 2020, 10:16:47 AM
to Colin Blundell, K. Moon, Mihai Sardarescu, Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay
OK, I'll just delete the directory. Thanks!

Mihai Sardarescu

Feb 27, 2020, 10:32:22 AM
to James Cook, Colin Blundell, K. Moon, Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay

K. Moon

Feb 27, 2020, 12:11:13 PM
to Mihai Sardarescu, James Cook, Colin Blundell, Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay
+1; thanks for the cleanup!

James Cook

Mar 3, 2020, 5:14:28 PM
to K. Moon, Mihai Sardarescu, Colin Blundell, Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay
To close the loop: The identity service is gone as of crrev.com/c/2079795

Colin Blundell

Mar 4, 2020, 3:25:17 AM
to James Cook, K. Moon, Mihai Sardarescu, Kushagra Sinha, services-dev, Giovanni Ortuño, Colin Blundell, Erik Chen, Hidehiko Abe, Sergei Datsenko, Stuart Langley, identity-service-dev, xiao...@chromium.org, Sam McNally, David Roger, bsaz...@chromium.org, Edwin Tay
Thank you, James!