Skip to content

google-auth: Missing mTLS URL prefix check on 401 Unauthorized responses in requests transport #17757

Description

@nbayati

When using google-auth with an mTLS-enabled requests session (AuthorizedSession where self.is_mtls is true), a 401 Unauthorized response currently triggers an mTLS certificate rotation check.

However, google/auth/transport/requests.py does not verify if the URL that returned the 401 is actually an mTLS endpoint. If an OAuth token expires while calling a standard, non-mTLS endpoint (like a standard googleapis.com URL) using an mTLS-configured session, the library mistakenly triggers an unnecessary mTLS certificate parsing and adapter reconfiguration before refreshing the token.

For comparison, urllib3.py already handles this correctly by checking if the URL matches MTLS_URL_PREFIXES = ["mtls.googleapis.com", "mtls.sandbox.googleapis.com"]. We should implement a similar URL check in requests.py (and potentially centralize it) so that we only attempt mTLS certificate rotation on a 401 if the endpoint is actually an mTLS endpoint.

Metadata

Metadata

Assignees

No one assigned

    Labels

    autheffort: lowpriority: p3Desirable enhancement or fix. May not be included in next release.type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions