Skip to content

google-auth: mTLS token refresh blindspot due to unconfigured internal helper transport #17680

Description

@nbayati

Determine this is the right repository

  • I determined this is the correct repository in which to report this bug.

Summary of the issue

When a developer calls configure_mtls_channel() on AuthorizedSession or AuthorizedHttp, the client certificates are only mounted onto the outer client session.

To prevent infinite recursion loops, the credentials class delegates out-of-band network requests (such as token refreshing and internal IAM requests like signBlob or generateAccessToken) to a separate internal helper session (self._auth_request_session).

Because this internal transport is omitted during configuration, it lacks the client certificate. Consequently, any internal token exchanges or IAM requests bypass the mTLS channel entirely.

  • If GFE allows optional client certificates, the TLS handshake succeeds but silently falls back to standard one-way TLS.

  • If the token endpoint enforces strict Certificate-Based Access (CBA) policies, the connection is blocked, resulting in runtime outages.

Proposed fix

Ensure the client certificate configuration propagates to the inner helper transport during channel setup.

For Requests (google/auth/transport/requests.py):

Explicitly mount the adapter to the inner session during configuration:

if self._is_mtls:

    mtls_adapter = _MutualTlsAdapter(cert, key)

    self.mount("https://", mtls_adapter)

    if self._auth_request_session is not None:

        self._auth_request_session.mount("https://", mtls_adapter)

For Urllib3 (google/auth/transport/urllib3.py):

Ensure the inner request transport is also configured with the mTLS http instance:

if found_cert_key:

    self.http = _make_mutual_tls_http(cert, key)

    self._request = Request(self.http)

Metadata

Metadata

Assignees

No one assigned

    Labels

    type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions