AccountManager.confirmCredentials issue

I'm trying to use the AccountManager.confirmCredentials method for user verification in my app. I'm using it like this:

    AccountManager am = AccountManager.get(ctx);
    am.confirmCredentials(account, null, ctx, new AccountManagerCallback<Bundle>() {
        @Override
        public void run(AccountManagerFuture<Bundle> amf) {
            try {
                Bundle b = amf.getResult();
                boolean r = b.getBoolean(AccountManager.KEY_BOOLEAN_RESULT);
                vc.onValidateResult(r);
                return;
            } catch (OperationCanceledException ignore) {
            } catch (AuthenticatorException ignore) {
            } catch (IOException ignore) {
            }
            vc.onValidateResult(false);
        }
    }, null);

But I found a gap in its implementation since Android 5. A user can clear the proposed account name in the Google authorization form and use his/her own. The result will be positive, and there is no ability to verify if the requested account name was used for confirmation because the returned bundle has only a timestamp and the resulting boolean value. In other words, the bundle doesn't have the KEY_ACCOUNT_NAME field; however, according to the reference, it should.

Does anyone know how to work around this breach?

Disinterested answered 31/7, 2019 at 10:38 Comment(4)
Which API are you targeting? - Shaum
Zohaib Amir, 19+ - Disinterested
Did you add MANAGE_ACCOUNTS permission? - Shaum
Zohaib Amir, sure, I've added any permission related to accounts I found in Android. No effect. - Disinterested

It's already fixed by Google. It now works as expected without code changes.

Disinterested answered 27/9, 2020 at 20:54 Comment(0)

According to documentation:

If no activity or password was specified, the returned Bundle contains KEY_INTENT with the Intent needed to launch the password prompt. Also the returning Bundle may contain KEY_LAST_AUTHENTICATED_TIME indicating the last time the credential was validated/created.

If your result does not contain the account name, then it must be due to the above scenario. You should check if the intent contains KEY_INTENT, and if it does, then launch that intent to verify.

Shaum answered 8/8, 2019 at 20:29 Comment(10)
I checked both cases, with activity and intent. Unfortunately, none of them provides an account name, only a result and last authenticated time. - Disinterested
@Disinterested so you are not getting the name in any case? - Shaum
Zohaib Amir, correct. I'm not getting a name in any case. - Disinterested
@Disinterested is the behavior the same on all devices or specific versions only? - Shaum
Zohaib Amir, I checked on API > 19 emulators and a Samsung S8 (Pie) device. Everywhere the same. I believe it's a Google Play services issue because AOSP doesn't have code related to Google accounts authentication in this way. - Disinterested
@Disinterested did you debug the bundle to see which keys it contains? - Shaum
Zohaib Amir, sure I did - Disinterested
Let us continue this discussion in chat. - Disinterested
@Disinterested How did you solve this issue? I am facing the same issue - Taliped
@Bug Hunter 219, Google fixed that approx 6 months ago. Please update Google Play Services, it should help. - Disinterested
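
A fail-closed way to interpret the callback bundle discussed in this thread, as an added example that is not part of the original posts: it accepts a confirmation only when the bundle names the same account that was requested. The class name `ConfirmResultCheck`, its `Outcome` enum and the `evaluate` method are hypothetical; only the `AccountManager` keys and the `Account` fields are Android APIs.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.os.Bundle;

/** Hypothetical helper (added example): strict reading of a confirmCredentials result. */
public final class ConfirmResultCheck {

    public enum Outcome { CONFIRMED, NEEDS_PROMPT, REJECTED }

    private ConfirmResultCheck() {}

    /**
     * @param requested the account passed to confirmCredentials
     * @param result    the Bundle obtained from AccountManagerFuture.getResult()
     */
    public static Outcome evaluate(Account requested, Bundle result) {
        if (requested == null || result == null) {
            return Outcome.REJECTED;
        }
        // No activity or password was supplied: the bundle only carries the
        // Intent for the password prompt, so nothing has been confirmed yet.
        if (result.containsKey(AccountManager.KEY_INTENT)) {
            return Outcome.NEEDS_PROMPT;
        }
        // A missing boolean is treated the same as an explicit failure.
        if (!result.getBoolean(AccountManager.KEY_BOOLEAN_RESULT, false)) {
            return Outcome.REJECTED;
        }
        // The boolean alone does not say which account was verified, so the
        // identity fields must be present and must match the requested account.
        String name = result.getString(AccountManager.KEY_ACCOUNT_NAME);
        String type = result.getString(AccountManager.KEY_ACCOUNT_TYPE);
        if (name == null || type == null) {
            return Outcome.REJECTED; // fail closed when the identity is absent
        }
        return requested.name.equals(name) && requested.type.equals(type)
                ? Outcome.CONFIRMED
                : Outcome.REJECTED;
    }
}
```

On a device where the bundle carries only the boolean and the timestamp, as described in the question, this check rejects every confirmation rather than accepting one made with a different account.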