= Introduction =
[[https://developer.ubuntu.com/en/start/platform/guides/online-accounts-developer-guide/|Online accounts]] has several components that application developers may use:
 * account-application and account-service: describe the services the application will use (should be specified together)
 * account-provider and account-qml-plugin: describe the providers and services to extend Online Accounts (should be specified together)

= Implementation for 15.04 OTA-4 and prior =
At a high-level, this is essentially the same process as for [[https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement|ApplicationConfinement]], with the following differences:
 * the click manifest should specify the correct framework for the release it is targeting (eg, `ubuntu-sdk-15.04`)
 * the click manifest should specify `apparmor` with `account-application` and `account-service`
 * if both `account-application` and `account-service` are specified, the click manifest should express them together
 * when using `account-application` and `account-service`, the `accounts` policy group should be used with the default template (eg, `ubuntu-sdk`)

Eg:
 * click manifest: {{{
{
    "name": "foo"
    "version": "0.1",
    "hooks": {
        "bar": {
            "account-application": "bar.application",
            "account-service": "bar.service",
            "apparmor": "bar.apparmor",
            "desktop": "bar.desktop"
        }
    }
    ...
}}}
 * security manifest (bar.apparmor):{{{
{
    "policy_groups": [
        "accounts",
        "networking"
    ],
    "policy_version": 1.3
}
}}}

Prior to Ubuntu Touch 15.04 OTA-5, specifying `account-provider` and `account-qml-plugin` would not work with `apparmor` and therefore it would run unconfined and trigger a manual review in the store.

= Implementation for 15.04 OTA-5 and higher =
With 15.04 OTA-5, online accounts added support for [[https://launchpad.net/bugs/1219644|confinement of online account providers]]. This is the same as with the 15.04 OTA-4 and earlier changes (above), with the following differences:
 * the click manifest should specify `apparmor` with `account-provider` and `account-qml-plugin`
 * if both `account-provider` and `account-qml-plugin` are specified, the click manifest should express them together
 * when using `account-provider` and `account-qml-plugin`, the `accounts` policy group should be used with the `ubuntu-account-plugin` template

Eg:
 * click manifest:{{{
{
    "name": "foo"
    "version": "0.1",
    "hooks": {
        "bar": {
            "account-application": "bar.application",
            "account-service": "bar.service",
            "apparmor": "bar.apparmor",
            "desktop": "bar.desktop"
        }
        "baz": {
            "account-provider": "baz.provider",
            "account-qml-plugin": "baz-qml-plugin",
            "apparmor": "baz.apparmor"
        }
    }
    ...
}}}
 * security manifest (baz.apparmor):{{{
{
    "template": "ubuntu-account-plugin",
    "policy_groups": [
        "accounts",
        "networking"
    ],
    "policy_version": 1.3
}
}}}

= References =
 * https://developer.ubuntu.com/en/start/platform/guides/online-accounts-developer-guide/
 * https://developer.ubuntu.com/apps/platform/guides/app-confinement/
 * https://launchpad.net/bugs/1219644