Skip to content

google-auth: Thread safety race condition during 401 client certificate rotation in transports #17756

Description

@nbayati

When handling 401 Unauthorized responses, the HTTP transport interceptors in google.auth.transport.requests and google.auth.transport.urllib3 attempt to auto-rotate expired mTLS client certificates by calling configure_mtls_channel().

In multi-threaded environments, if multiple threads share an authorized session and hit a 401 concurrently, they will trigger the certificate rotation at the same time. Because there is no synchronization lock, this leads to race conditions. Multiple threads will redundantly read the updated certificates and concurrently mutate the underlying session's adapter mappings (requests.Session.adapters) or pool managers, which is not thread-safe and can cause runtime exceptions.

We should introduce a lock (e.g., using threading.Lock) around the configure_mtls_channel reconfiguration block inside the transport handlers to ensure that certificate rotation is performed serially.

Metadata

Metadata

Assignees

No one assigned

    Labels

    authpriority: p2Moderately-important priority. Fix may not be included in next release.type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions