OnlineAccountsConfinement
Introduction
Online Accounts has several components that application developers may use:
- account-application and account-service: describe the services the application will use (should be specified together)
- account-provider and account-qml-plugin: describe the providers and services to extend Online Accounts (should be specified together)
Implementation for 15.04 OTA-4 and prior
At a high level, this is essentially the same process as for ApplicationConfinement, with the following differences:
- the click manifest should specify the correct framework for the release it is targeting (e.g., ubuntu-sdk-15.04)
- the click manifest should specify apparmor with account-application and account-service
- if both account-application and account-service are specified, the click manifest should express them together
- when using account-application and account-service, the accounts policy group should be used with the default template (e.g., ubuntu-sdk)
E.g.:
click manifest:
{
  "name": "foo",
  "version": "0.1",
  "hooks": {
    "bar": {
      "account-application": "bar.application",
      "account-service": "bar.service",
      "apparmor": "bar.apparmor",
      "desktop": "bar.desktop"
    }
  }
  ...
security manifest (bar.apparmor):
{ "policy_groups": [ "accounts", "networking" ], "policy_version": 1.3 }
Prior to Ubuntu Touch 15.04 OTA-5, specifying account-provider and account-qml-plugin would not work with apparmor, so it would run unconfined and trigger a manual review in the store.
Implementation for 15.04 OTA-5 and higher
With 15.04 OTA-5, online accounts added support for confinement of online account providers. This is the same as with the 15.04 OTA-4 and earlier changes (above), with the following differences:
- the click manifest should specify apparmor with account-provider and account-qml-plugin
- if both account-provider and account-qml-plugin are specified, the click manifest should express them together
- when using account-provider and account-qml-plugin, the accounts policy group should be used with the ubuntu-account-plugin template
E.g.:
click manifest:
{
  "name": "foo",
  "version": "0.1",
  "hooks": {
    "bar": {
      "account-application": "bar.application",
      "account-service": "bar.service",
      "apparmor": "bar.apparmor",
      "desktop": "bar.desktop"
    },
    "baz": {
      "account-provider": "baz.provider",
      "account-qml-plugin": "baz-qml-plugin",
      "apparmor": "baz.apparmor"
    }
  }
  ...
security manifest (baz.apparmor):
{ "template": "ubuntu-account-plugin", "policy_groups": [ "accounts", "networking" ], "policy_version": 1.3 }
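The rules in both sections can be checked mechanically before a package is submitted. The following is an added example, not code from the click tooling or the store review tools: the function name lint, the finding messages and the sample manifests are constructed here, and it assumes "default template" means either no "template" key or "ubuntu-sdk".

```python
import json

# Hook key pairs and the template each pair needs, as stated on this page.
# Assumption: "default template" means no "template" key or "ubuntu-sdk".
PAIRS = {
    ("account-application", "account-service"): (None, "ubuntu-sdk"),
    ("account-provider", "account-qml-plugin"): ("ubuntu-account-plugin",),
}

def lint(click_manifest, security_manifests):
    """Return a list of findings; security_manifests maps file name -> parsed JSON."""
    hooks = click_manifest.get("hooks", {})
    findings = []
    for pair, templates in PAIRS.items():
        # Names of the hooks that mention each key of the pair.
        users = {key: {h for h, v in hooks.items() if key in v} for key in pair}
        both_used = all(users.values())
        for hook in sorted(set().union(*users.values())):
            present = [k for k in pair if hook in users[k]]
            if both_used and len(present) == 1:
                findings.append(f"{hook}: {pair[0]} and {pair[1]} are split across hooks")
            profile = hooks[hook].get("apparmor")
            if profile is None:
                findings.append(f"{hook}: no apparmor entry in click manifest")
                continue
            sec = security_manifests.get(profile)
            if sec is None:
                findings.append(f"{hook}: security manifest {profile} not found")
                continue
            if "accounts" not in sec.get("policy_groups", []):
                findings.append(f"{hook}: accounts policy group missing")
            if sec.get("template") not in templates:
                findings.append(f"{hook}: template should be {templates[-1]}")
    return findings

# Constructed sample: "bar" follows the page's example; "baz" lacks the
# accounts policy group and the ubuntu-account-plugin template.
SAMPLE_CLICK = json.loads("""{"name": "foo", "version": "0.1", "hooks": {
  "bar": {"account-application": "bar.application", "account-service": "bar.service",
          "apparmor": "bar.apparmor", "desktop": "bar.desktop"},
  "baz": {"account-provider": "baz.provider", "account-qml-plugin": "baz-qml-plugin",
          "apparmor": "baz.apparmor"}}}""")
SAMPLE_SECURITY = {
    "bar.apparmor": {"policy_groups": ["accounts", "networking"], "policy_version": 1.3},
    "baz.apparmor": {"policy_groups": ["networking"], "policy_version": 1.3},
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CLICK, SAMPLE_SECURITY)))
```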
References
SecurityTeam/Specifications/OnlineAccountsConfinement (last edited 2015-07-14 21:14:17 by jdstrand)