
Android Custom Authenticator Allow Access Screen


When logging in through Google's authenticator, the Allow Access screen (GrantPermissionActivity) is prompted once per account per app (uid); however, it is not documented where one can opt to have that screen appear for custom 3rd-party authenticators.

Anyone know if there is any way to do this?

I tried to insert a custom check and mimic the GrantPermissionActivity, but the problem is that the AuthToken is cached, so I couldn't figure out how to enforce this on third-party apps, as getAuthToken will simply bypass the custom code when the token is cached.

Note that this is not the same problem as: How do you force AccountManager to show the "Access Request" screen after a user has already allowed access?


Solution

  • I think I have figured out a very good solution, but this is probably not how the Google Allow Screen works.

    In the Authenticator, you get the calling package, which can't be spoofed since AccountManager verifies the UID/PID of the app. You use the calling package as part of the token type, as well as the app's install date (optional; found by using the package manager); this way each app's token will be cached separately.

    If the token type does not contain the package name of the calling package, no token will be returned.

    For each auth token type, you also verify a client secret against the client key. You then only return the Allow Access screen intent if this is the first time the client asks for the key per account per custom account type.

    Note that if you want to whitelist apps, you can also do it on a per-account token-type basis.
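The scheme the answer above describes, written out as an added example (this is not the answer author's code and not part of the Android framework). It is the getAuthToken() callback of a custom AbstractAccountAuthenticator: the caller is resolved from AccountManager.KEY_CALLER_UID, which AccountManagerService fills in and the caller cannot set; the token type must be "<base>:<package>:<firstInstallTime>" for one of that UID's packages; a client key/secret pair passed in the options bundle is checked in constant time; and the first request per account per token type returns an intent for the app's own Allow Access screen instead of a token. BASE_TOKEN_TYPE, OPT_CLIENT_KEY, OPT_CLIENT_SECRET, AllowAccessActivity, fetchToken() and the CLIENTS registry contents are assumptions invented for this example; the other AbstractAccountAuthenticator callbacks are left abstract because the answer only concerns getAuthToken.

```java
import android.accounts.AbstractAccountAuthenticator;
import android.accounts.Account;
import android.accounts.AccountAuthenticatorResponse;
import android.accounts.AccountManager;
import android.accounts.NetworkErrorException;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Bundle;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Added example; names marked "assumption" are invented for illustration.
public abstract class PerAppAuthenticator extends AbstractAccountAuthenticator {
    static final String BASE_TOKEN_TYPE = "api";             // assumption
    static final String OPT_CLIENT_KEY = "client_key";       // assumption: option set by client app
    static final String OPT_CLIENT_SECRET = "client_secret"; // assumption: option set by client app

    // Constructed sample registry (client key -> secret); a real one comes from the server.
    private static final Map<String, String> CLIENTS = new HashMap<>();
    static { CLIENTS.put("client-a", "s3cr3t-a"); CLIENTS.put("client-b", "s3cr3t-b"); }

    private final Context ctx;

    public PerAppAuthenticator(Context ctx) { super(ctx); this.ctx = ctx; }

    /** Per-caller token type "<base>:<package>:<firstInstallTime>". The package is derived
     *  from KEY_CALLER_UID, so a caller cannot name another app's type and hit its cache entry. */
    static String tokenTypeFor(String base, String pkg, long firstInstallTime) {
        return base + ":" + pkg + ":" + firstInstallTime;
    }

    /** Constant-time check of the presented secret against the one on file for clientKey. */
    static boolean secretMatches(String clientKey, String presented) {
        String expected = CLIENTS.get(clientKey);
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
                               String authTokenType, Bundle options) throws NetworkErrorException {
        if (options == null) options = new Bundle();
        PackageManager pm = ctx.getPackageManager();

        // 1. Resolve the caller from the UID the framework put into options; a package name
        //    the caller placed in options itself would be spoofable, this value is not.
        int callerUid = options.getInt(AccountManager.KEY_CALLER_UID, -1);
        String[] pkgs = callerUid >= 0 ? pm.getPackagesForUid(callerUid) : null;
        if (pkgs == null || pkgs.length == 0) {
            return error(AccountManager.ERROR_CODE_BAD_ARGUMENTS, "unknown caller");
        }

        // 2. The requested token type must name one of the caller's packages (a shared UID
        //    may own several); otherwise no token is returned.
        String matched = null;
        for (String pkg : pkgs) {
            try {
                long installed = pm.getPackageInfo(pkg, 0).firstInstallTime;
                if (tokenTypeFor(BASE_TOKEN_TYPE, pkg, installed).equals(authTokenType)) {
                    matched = pkg;
                    break;
                }
            } catch (PackageManager.NameNotFoundException ignored) { /* not installed, skip */ }
        }
        if (matched == null) {
            return error(AccountManager.ERROR_CODE_BAD_ARGUMENTS, "token type does not match caller");
        }

        // 3. Verify the client secret against the client key for this request.
        if (!secretMatches(options.getString(OPT_CLIENT_KEY), options.getString(OPT_CLIENT_SECRET))) {
            return error(AccountManager.ERROR_CODE_BAD_AUTHENTICATION, "bad client credentials");
        }

        // 4. First request by this caller for this account: return an intent for our own
        //    Allow Access screen. The grant flag is kept in the account's user data, which
        //    only the authenticator's own app can write.
        AccountManager am = AccountManager.get(ctx);
        String grantKey = "granted:" + authTokenType;
        if (!"1".equals(am.getUserData(account, grantKey))) {
            Intent intent = new Intent(ctx, AllowAccessActivity.class); // hypothetical activity
            intent.putExtra(AccountManager.KEY_ACCOUNT_AUTHENTICATOR_RESPONSE, response);
            intent.putExtra(AccountManager.KEY_ACCOUNT_NAME, account.name);
            intent.putExtra(AccountManager.KEY_ACCOUNT_TYPE, account.type);
            intent.putExtra("callerPackage", matched);
            intent.putExtra("grantKey", grantKey);
            Bundle b = new Bundle();
            b.putParcelable(AccountManager.KEY_INTENT, intent);
            return b;
        }

        // 5. Already granted: return the token. The framework caches it under authTokenType,
        //    so the cache entry belongs to this caller alone.
        Bundle b = new Bundle();
        b.putString(AccountManager.KEY_ACCOUNT_NAME, account.name);
        b.putString(AccountManager.KEY_ACCOUNT_TYPE, account.type);
        b.putString(AccountManager.KEY_AUTHTOKEN, fetchToken(account, matched));
        return b;
    }

    /** Assumption: exchanges the account's stored credentials for a token scoped to pkg. */
    protected abstract String fetchToken(Account account, String pkg) throws NetworkErrorException;

    private static Bundle error(int code, String msg) {
        Bundle b = new Bundle();
        b.putInt(AccountManager.KEY_ERROR_CODE, code);
        b.putString(AccountManager.KEY_ERROR_MESSAGE, msg);
        return b;
    }
}
```

The hypothetical AllowAccessActivity, on Allow, calls setUserData(account, grantKey, "1"), fetches the token and hands it to the AccountAuthenticatorResponse it received in the intent via onResult(); on Deny it calls onError(). Revoking one app's grant later is setUserData(account, grantKey, null) plus invalidateAuthToken() for its cached token. Two caveats worth knowing: the whole scheme depends on the framework keying its token cache by token type, which is why the caller's package has to be part of that string; and including firstInstallTime means a reinstalled app gets a new token type and sees the Allow Access screen again, which is usually the desired behaviour.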