Determine this is the right repository
Summary of the issue
When a developer calls configure_mtls_channel() on AuthorizedSession or AuthorizedHttp, the client certificates are only mounted onto the outer client session.
To prevent infinite recursion loops, the credentials class delegates out-of-band network requests (such as token refreshing and internal IAM requests like signBlob or generateAccessToken) to a separate internal helper session (self._auth_request_session).
Because this internal transport is omitted during configuration, it lacks the client certificate. Consequently, any internal token exchanges or IAM requests bypass the mTLS channel entirely.
-
If GFE allows optional client certificates, the TLS handshake succeeds but silently falls back to standard one-way TLS.
-
If the token endpoint enforces strict Certificate-Based Access (CBA) policies, the connection is blocked, resulting in runtime outages.
Proposed fix
Ensure the client certificate configuration propagates to the inner helper transport during channel setup.
For Requests (google/auth/transport/requests.py):
Explicitly mount the adapter to the inner session during configuration:
if self._is_mtls:
mtls_adapter = _MutualTlsAdapter(cert, key)
self.mount("https://", mtls_adapter)
if self._auth_request_session is not None:
self._auth_request_session.mount("https://", mtls_adapter)
For Urllib3 (google/auth/transport/urllib3.py):
Ensure the inner request transport is also configured with the mTLS http instance:
if found_cert_key:
self.http = _make_mutual_tls_http(cert, key)
self._request = Request(self.http)
Determine this is the right repository
Summary of the issue
When a developer calls
configure_mtls_channel()onAuthorizedSessionorAuthorizedHttp, the client certificates are only mounted onto the outer client session.To prevent infinite recursion loops, the credentials class delegates out-of-band network requests (such as token refreshing and internal IAM requests like
signBloborgenerateAccessToken) to a separate internal helper session (self._auth_request_session).Because this internal transport is omitted during configuration, it lacks the client certificate. Consequently, any internal token exchanges or IAM requests bypass the mTLS channel entirely.
If GFE allows optional client certificates, the TLS handshake succeeds but silently falls back to standard one-way TLS.
If the token endpoint enforces strict Certificate-Based Access (CBA) policies, the connection is blocked, resulting in runtime outages.
Proposed fix
Ensure the client certificate configuration propagates to the inner helper transport during channel setup.
For Requests (
google/auth/transport/requests.py):Explicitly mount the adapter to the inner session during configuration:
For Urllib3 (
google/auth/transport/urllib3.py):Ensure the inner request transport is also configured with the mTLS http instance: