google-auth: unify mTLS certificate discovery helpers to prevent split-brain state #17624

Description

@nbayati

Summary of the issue

It looks like the public helper mtls.has_default_client_cert_source() is missing a check for the CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH env var.

Because of this gap, if a user relies on that env var for their cert config, we end up in a weird split-brain situation: HTTP correctly thinks mTLS is enabled, but gRPC evaluates it to false.

Proposed fix

We should update the public helper to use the centralized _get_cert_config_path method (or similar unified logic) so both transports stay in sync and evaluate the exact same mTLS state.

Affected Files

  • google/auth/transport/mtls.py
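
The split-brain state described in this issue, modelled as an added example (not code from the issue or from google-auth). Only the env var name comes from the issue; the function names, the file names and the precedence rule (env var first, then default path) are assumptions made for illustration.

```python
import os
import tempfile

# Env var named in the issue; everything else below is a hypothetical model.
ENV_VAR = "CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH"


def resolve_cert_config_path(default_path, environ):
    """Single discovery routine: env override first (assumed precedence),
    then the default location. Returns None when no config file exists."""
    candidate = environ.get(ENV_VAR) or default_path
    return candidate if os.path.isfile(candidate) else None


def has_cert_default_only(default_path, environ):
    """Models the gap in the issue: the env var is never consulted."""
    return os.path.isfile(default_path)


def has_cert_unified(default_path, environ):
    """Models the proposed fix: delegate to the shared resolver."""
    return resolve_cert_config_path(default_path, environ) is not None


def mtls_state(default_path, environ, grpc_check):
    """Report what each transport would conclude about mTLS."""
    http = resolve_cert_config_path(default_path, environ) is not None
    return {"http": http, "grpc": grpc_check(default_path, environ)}


def demo():
    """Constructed scenario: config reachable only through the env var."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "certificate_config.json")
        with open(cfg, "w") as fh:
            fh.write("{}")  # constructed placeholder contents
        default = os.path.join(tmp, "no_default_config.json")  # absent
        env = {ENV_VAR: cfg}
        before = mtls_state(default, env, has_cert_default_only)
        after = mtls_state(default, env, has_cert_unified)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

A regression test for the real fix can take the same shape: set the env var to a temporary config file, leave the default location empty, and assert that both transports report the same mTLS state.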
