Since the go-onlineaccounts bug task was added, I guess we are also tracking the problems with scopes here too.
In my investigations last week, I came to the conclusion that the problems were not limited to the Go scopes, but instead affected all scopes running under confinement.
After digging in a bit, it isn't clear how it can be fixed without changes to the online accounts API. The way the online accounts integration for scopes works is:
1. the scope starts a signin session for the account service with the "no interaction" flag set. If no token can be retrieved (either because no account is available, or because the token isn't available), it will push a result with a special login button.
2. When the special result is clicked by the user, the dash will initiate the account creation process with the OnlineAccountsClient::Setup class.
3. If the account is successfully created, the dash refreshes the scope's results. The scope starts another signin session and finds the new token and displays personalised results.
From my understanding, this breaks down because it is the dash's AppArmor label (which I guess would be unconfined) that gets added to the ACL for the account service. What would be needed here would be some kind of API the dash could use to ask for a second AppArmor label to be added to the ACL.
Since the go-onlineaccounts bug task was added, I guess we are also tracking the problems with scopes here too.
In my investigations last week, I came to the conclusion that the problems were not limited to the Go scopes, but instead affected all scopes running under confinement.
After digging in a bit, it isn't clear how it can be fixed without changes to the online accounts API. The way the online accounts integration for scopes works is:
1. the scope starts a signin session for the account service with the "no interaction" flag set. If no token can be retrieved (either because no account is available, or because the token isn't available), it will push a result with a special login button.
2. When the special result is clicked by the user, the dash will initiate the account creation process with the OnlineAccountsC lient:: Setup class.
3. If the account is successfully created, the dash refreshes the scope's results. The scope starts another signin session and finds the new token and displays personalised results.
From my understanding, this breaks down because it is the dash's AppArmor label (which I guess would be unconfined) that gets added to the ACL for the account service. What would be needed here would be some kind of API the dash could use to ask for a second AppArmor label to be added to the ACL.