There is no good tutorial in this workflow, but I was finally able to get it to work in my application. I am adding this answer for posterity, for someone else who is faced with this particular use case.
Background task
manager.getAuthToken(account, "full", null, true, callback, new Handler());
The above expects you to work in some background task where you do not need to immediately display the interface. This explains the java document of this method. Unfortunately, if you use the false flag, you will not receive the callback that occurred in the SecurityException.
Foreground launch
manager.getAuthToken(account, "full", null, activity, callback, new Handler());
This expects the application to call this method to share the same authenticator signing certificate. Here I and many people hanged themselves. I tried several versions of Android from 4.0.1 to 5.0 and this seems to be the intended behavior, not a bug in their code.
Decision
Use another tool to get an authorization token. in particular, confirm the credentials of the required account.
mgr.confirmCredentials(account, null, activity, callback, null);
By supporting Confirm Credentials, you can send an intent to run AccountAuthenticatorActivity through Authenticator and avoid a security exception. You have full control over the user interface here, so although you can usually request a new password for the account, instead you can show the page with a button to confirm that the account should be used in the calling application. Then all you have to do is send the authentication token to the AccountManagerCallback package, returning to the calling application.
Callback Method Example
new AccountManagerCallback<Bundle>() { @Override public void run(AccountManagerFuture<Bundle> bundle) { boolean success = result.getBoolean(AccountManager.KEY_BOOLEAN_RESULT); if (success) { final String token = result.getString(AuthenticationHelper.ACCESS_TOKEN);