android google-signin android-credential-manager

Temporary block when using Credential Manager to Sign in with Google


I'm testing the 'Sign in with Google' flow with Credential Manager by following the indications in the official docs. So far, the process works as intended: it shows a bottom sheet with the available accounts and it allows me to sign in to the selected account.

However, I observed that if I dismiss the bottom sheet 4 times in a row, the bottom sheet doesn't appear anymore and I get the following exception:

androidx.credentials.exceptions.NoCredentialException: During begin sign in, failure response from one tap: 16: [28436] Caller has been temporarily blocked due to too many canceled sign-in prompts.

That exception seems to come from the old 'One Tap' flow. As explained in the One Tap docs, "If a user cancels several prompts in a row, the One Tap client will not prompt the user for the next 24 hours".

Which leads to my question:

If a user who is trying to sign in to my app dismisses the credential prompt 4 times in a row (which I can easily see happening), what should I do? Telling them that they cannot use the app for 24 hours seems a bit excessive. Is there any alternative?

NOTE:

It's important to point out that the old GoogleSignInClient didn't have this limitation.


Solution

  • That mechanism was put in place to stop an app from being too spammy by prompting the user constantly (note that the API is not triggered by the user taking an explicit action; it is called by the developers when the user opens the app; if it was driven by the user tapping on, say, a button, then that would have been a different story); if a user dismisses the bottom sheet three times in a row, it may be a signal that the user doesn't want to see that, so we disable that for 24 hours. We're revisiting some parameters around that and will have some updates relatively soon, but the main idea is still valid. As for developers, there are ways around that since it can happen often during development; if you are using a Pixel or an emulator, you can enter a certain code into the dialer to disable that feature on that device, or on other devices, cleaning the Play Services cache also gets you out of that lockdown.

    To answer the other part of your question, it is always recommended to also add a "Sign in With Google" button on your sign-in page since a user may even accidentally close the bottom sheet, so having that button provides a way for the user to explicitly attempt to sign in with their Google accounts.
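
One way to wire up both paths described in this answer, as an added example that is not part of the original post: the automatic prompt treats a dismissal or the `NoCredentialException` from the question as "show the button", and the button uses the googleid library's `GetSignInWithGoogleOption`. `SERVER_CLIENT_ID`, `SignInResult` and `GoogleSignIn` are hypothetical names, and the returned ID token is assumed to be verified on your backend.

```kotlin
import android.content.Context
import androidx.credentials.CredentialManager
import androidx.credentials.CredentialOption
import androidx.credentials.CustomCredential
import androidx.credentials.GetCredentialRequest
import androidx.credentials.exceptions.GetCredentialCancellationException
import androidx.credentials.exceptions.GetCredentialException
import androidx.credentials.exceptions.NoCredentialException
import com.google.android.libraries.identity.googleid.GetGoogleIdOption
import com.google.android.libraries.identity.googleid.GetSignInWithGoogleOption
import com.google.android.libraries.identity.googleid.GoogleIdTokenCredential
import com.google.android.libraries.identity.googleid.GoogleIdTokenParsingException

const val SERVER_CLIENT_ID = "YOUR_WEB_CLIENT_ID" // placeholder: your backend's OAuth client ID

sealed interface SignInResult {
    data class Token(val idToken: String) : SignInResult   // send to backend for verification
    object ShowButton : SignInResult                       // no sheet result; keep the button visible
    data class Failed(val cause: Exception) : SignInResult
}

class GoogleSignIn(private val activityContext: Context) {
    private val manager = CredentialManager.create(activityContext)

    // Called by the app on launch: the prompt the user did not ask for.
    suspend fun promptOnLaunch() = request(
        GetGoogleIdOption.Builder().setServerClientId(SERVER_CLIENT_ID)
            .setFilterByAuthorizedAccounts(false).build(), userInitiated = false)

    // Called from the "Sign in with Google" button's click handler.
    suspend fun onButtonTapped() = request(
        GetSignInWithGoogleOption.Builder(SERVER_CLIENT_ID).build(), userInitiated = true)

    private suspend fun request(option: CredentialOption, userInitiated: Boolean): SignInResult = try {
        val req = GetCredentialRequest.Builder().addCredentialOption(option).build()
        val cred = manager.getCredential(activityContext, req).credential
        if (cred is CustomCredential && cred.type == GoogleIdTokenCredential.TYPE_GOOGLE_ID_TOKEN_CREDENTIAL)
            SignInResult.Token(GoogleIdTokenCredential.createFrom(cred.data).idToken)
        else SignInResult.Failed(IllegalStateException("Unexpected credential type"))
    } catch (e: GetCredentialCancellationException) {
        SignInResult.ShowButton            // user dismissed the sheet: not an error
    } catch (e: NoCredentialException) {
        // Includes the "temporarily blocked" case quoted in the question.
        if (userInitiated) SignInResult.Failed(e) else SignInResult.ShowButton
    } catch (e: GetCredentialException) {
        SignInResult.Failed(e)
    } catch (e: GoogleIdTokenParsingException) {
        SignInResult.Failed(e)
    }
}
```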