Unable to complete MFA sign in flow using `startActivityForSignInWithProvider`
Environment
- com.google.firebase:firebase-auth:21.0.1
- com.google.android.gms:play-services-auth:19.0.0
- Android 11
- Google Identity platform
- Custom OIDC Provider (any)
The problem
We are integrating with our customers' existing identity stores using the Google Cloud Identity platform. Some of our customers require MFA using various MFA apps. We are using the Android SDK method `startActivityForSignInWithProvider` (described here). Now this works great on iOS and in the browser. But as implemented currently, it is impossible for a user to complete an MFA sign-in flow using a custom provider, on Android, that utilizes an MFA app that is installed on the same device.
This is because the browser window opened by the SDK to complete the OAuth flow closes, as soon as a user tries to switch tasks. So any attempt to switch to the MFA app, either to copy a code or to approve the sign in request, kills the sign in flow. See attached video for a demonstration of the problem (https://user-images.githubusercontent.com/4655446/122409397-19f94800-cf51-11eb-9c23-4843de51fbf6.mp4).
Our hypothesis is that the flags used to open the browser window are wrong. See https://github.com/openid/AppAuth-Android/issues/106 and https://github.com/openid/AppAuth-Android/pull/109.
Steps to reproduce:
- Configure a custom identity provider using Google Identity Provider (SAML or OIDC).
- Make sure your custom third-party identity server enforces MFA using some authenticator app.
- Start login flow using `startActivityForSignInWithProvider`
- Switch tasks
Critical
This is slowly becoming a critical issue as many of our enterprise customers are reporting issues for their employees that use Android. Given that the fix is likely easy, hoping for a quick resolution.
Top GitHub Comments
@rosalyntan Is there a workaround we could use? This is a pretty major issue for us.
(Googler-only internal tracking bug: b/191682367)