4

When logging in through Google's authenticator, the Allow Access screen (GrantPermissionActivity) is prompted once per account per app (uid); however, it is not documented where one can opt to have that screen appear for custom 3rd party authenticators.

Does anyone know if there is any way to do this?

I tried to insert a custom check and mimic the GrantPermissionActivity, but the problem is that the AuthToken is cached, so I couldn't figure out how to enforce this on third party apps, as getAuthToken will simply bypass the custom code when the token is cached.

Note that this is not the same problem as: How do you force AccountManager to show the "Access Request" screen after a user has already allowed access?

Community
Edison

2 Answers

2

I think I have figured out a very good solution, but this is probably not how the Google Allow Screen works.

In the Authenticator, you get the calling package, which can't be spoofed since AccountManager verifies the UID/PID of the app. You use the calling package as part of the token type, as well as the app's install date (optional, found by using the package manager); this way each app's token will be cached separately.

If the token type does not contain the package name as the calling package, no token will be returned.

For each auth token type, you also verify a client secret with regard to the client key. You will then only return the Allow Access screen intent if this is the first time the client asks for the key per account per custom account type.

Note that if you want to whitelist an app, you can also do it on a per account token type basis.

Edison
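The approach described in the answer above, as an added example that is not the answerer's code: the token type is bound to the calling package and the consent intent is returned the first time a package asks for a given account. `PerAppTokenGate`, `Issuer`, the `consentActivity` parameter, the `<scope>|<package>` token type layout and the `consent:` user-data key are hypothetical names chosen for illustration; the install date and client secret checks are left out.

```java
import android.accounts.Account;
import android.accounts.AccountAuthenticatorResponse;
import android.accounts.AccountManager;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import java.util.Arrays;

/** Helper for AbstractAccountAuthenticator#getAuthToken to delegate to (hypothetical names). */
final class PerAppTokenGate {
    interface Issuer { String issue(Account account, String authTokenType); }

    static final String SEP = "|"; // assumed token type layout: "<scope>|<package>"

    // Assumption: AccountManager actually invokes the authenticator for this request;
    // a token it already cached for the same type can be returned without reaching here.
    static Bundle getAuthToken(Context ctx, AccountAuthenticatorResponse response,
            Account account, String authTokenType, Bundle options,
            Class<?> consentActivity, Issuer issuer) {
        // KEY_CALLER_UID is filled in by the account service, not by the requesting app.
        int uid = options.getInt(AccountManager.KEY_CALLER_UID, -1);
        String[] pkgs = ctx.getPackageManager().getPackagesForUid(uid);
        int cut = authTokenType == null ? -1 : authTokenType.lastIndexOf(SEP);
        String boundPkg = cut < 0 ? null : authTokenType.substring(cut + 1);
        Bundle out = new Bundle();
        // No token unless the package named in the token type belongs to the caller's UID.
        if (boundPkg == null || pkgs == null || !Arrays.asList(pkgs).contains(boundPkg)) {
            out.putInt(AccountManager.KEY_ERROR_CODE, AccountManager.ERROR_CODE_BAD_ARGUMENTS);
            out.putString(AccountManager.KEY_ERROR_MESSAGE, "token type not bound to caller");
            return out;
        }
        // Consent is recorded per account and per token type (which includes the package).
        AccountManager am = AccountManager.get(ctx);
        if (am.getUserData(account, "consent:" + authTokenType) == null) {
            Intent ask = new Intent(ctx, consentActivity);
            ask.putExtra(AccountManager.KEY_ACCOUNT_AUTHENTICATOR_RESPONSE, response);
            ask.putExtra("account", account);
            ask.putExtra("authTokenType", authTokenType);
            out.putParcelable(AccountManager.KEY_INTENT, ask); // caller launches this screen
            return out;
        }
        out.putString(AccountManager.KEY_ACCOUNT_NAME, account.name);
        out.putString(AccountManager.KEY_ACCOUNT_TYPE, account.type);
        out.putString(AccountManager.KEY_AUTHTOKEN, issuer.issue(account, authTokenType));
        return out;
    }
}
```

The consent activity is expected to call `setUserData(account, "consent:" + authTokenType, ...)` when the user allows access and then complete the `AccountAuthenticatorResponse` it received in the intent.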
1

I don't have a complete answer for you, but maybe I can help you a bit on your way.

When looking at the getAuthToken implementation, you can see that permission is automatically granted if the authenticator is using customTokens. The documentation for AuthenticationDescription also mentions that the "Authenticator handles its own token caching and permission screen" if custom tokens are used. So if this is the case for you, I don't think it's possible to get this screen to appear.

I tried to insert a custom check and mimic the GrantPermissionActivity, but the problem is that AuthToken is cached...

If you invalidate the token with invalidateAuthToken, it should be cleared from the cache. Just remember to pass the token you want to invalidate to the method (see AccountManager: invalidateAuthToken does not invalidate the token).

Community
nibarius