
feat: mTLS configuration via x.509 for asynchronous session in google-auth#1959

Open
agrawalradhika-cell wants to merge 12 commits into main from mtls-async-support

Conversation


@agrawalradhika-cell agrawalradhika-cell commented Feb 17, 2026

This pull request introduces support for Mutual TLS (mTLS) in the asynchronous transport layer of the google-auth library. It enables AsyncAuthorizedSession to automatically discover and utilize client certificates for secure communication with Google Cloud APIs. See go/caa:x509-async-support for details.

Please note: Only x.509 creds are in scope of this project currently. Context-aware or ECP credentials are not in scope of this project currently.

This PR is the second part of #1956

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
… handling async and removing encrypted_key complication

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
… sync helpers can be reused

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
…-auth

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
@agrawalradhika-cell agrawalradhika-cell requested review from a team as code owners February 17, 2026 07:03
@gemini-code-assist

Summary of Changes

Hello @agrawalradhika-cell, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the google-auth library by integrating mutual TLS (mTLS) capabilities for asynchronous operations. The changes enable secure communication by allowing clients to present X.509 certificates for authentication, which is crucial for environments requiring strong identity verification. This feature provides a more secure and compliant way for applications to interact with Google services, particularly in enterprise or regulated settings.

Highlights

  • Asynchronous mTLS Support: Introduced comprehensive support for mTLS (mutual TLS) configuration within asynchronous sessions, specifically leveraging X.509 certificates.
  • New mTLS Helper Module: A new module, google/auth/aio/transport/mtls.py, was added to encapsulate asynchronous mTLS-related helper functions, such as creating temporary certificate files, generating SSL contexts, and retrieving client certificates.
  • Configurable Async Sessions: The AsyncAuthorizedSession class now includes a configure_mtls_channel method, allowing dynamic setup of mTLS based on environment variables or provided callbacks, and exposes an is_mtls property.
  • Flexible Certificate Discovery: Modified underlying mTLS helper functions to allow more control over certificate discovery paths by introducing an include_context_aware parameter, enabling selective checking of context-aware metadata.
  • Enhanced Testing: New asynchronous test suites were added to validate the mTLS configuration and helper functions, ensuring robust and reliable behavior.
Changelog
  • google/auth/aio/transport/aiohttp.py
    • Updated Request class constructor to allow an optional aiohttp.ClientSession.
  • google/auth/aio/transport/mtls.py
    • Added new module containing asynchronous mTLS helper functions, including temporary file creation, SSL context generation, and client certificate retrieval.
  • google/auth/aio/transport/sessions.py
    • Implemented asynchronous mTLS channel configuration.
    • Added _is_mtls and _cached_cert attributes to track mTLS status and certificate.
    • Introduced an is_mtls property to indicate if mutual TLS is enabled.
    • Imported aiohttp directly and mtls module for mTLS functionality.
  • google/auth/transport/_mtls_helper.py
    • Modified _get_workload_cert_and_key and _get_cert_config_path functions to accept an include_context_aware parameter.
  • google/auth/transport/mtls.py
    • Updated has_default_client_cert_source function to accept an include_context_aware boolean argument.
  • noxfile.py
    • Modified mypy session to install aiohttp dependencies for type checking.
  • tests/transport/aio/test_sessions_mtls.py
    • Added new asynchronous tests for mTLS channel configuration in AsyncAuthorizedSession.
  • tests/transport/test_aio_mtls_helper.py
    • Added new asynchronous tests for mTLS helper functions.
  • tests/transport/test_mtls.py
    • Updated existing tests to pass the include_context_aware parameter to has_default_client_cert_source.
Activity
  • No specific human activity (comments, reviews, progress updates) was provided in the context for this pull request.
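As an added illustration (not code from this PR or from google-auth), here is how the pieces the highlights describe fit together in plain asyncio and ssl: the GOOGLE_API_USE_CLIENT_CERTIFICATE opt-in check, a temporary certificate file that exists only as long as ssl.SSLContext.load_cert_chain() needs it (that call accepts paths, not bytes, which is why an async helper needs temporary files at all), and a context built from a caller-supplied callback returning (cert_pem, key_pem). The function names and the callback are assumptions; the certificate bytes in the probe are constructed placeholders, so the probe only exercises the file handling, and mtls_context_from_callback needs a real PEM pair.

```python
import asyncio
import contextlib
import os
import ssl
import stat
import tempfile

# Opt-in switch google-auth reads before attempting client certificates.
USE_CLIENT_CERT_ENV = "GOOGLE_API_USE_CLIENT_CERTIFICATE"


def should_use_client_cert(environ=None):
    """mTLS is attempted only when the opt-in variable is exactly 'true'."""
    environ = os.environ if environ is None else environ
    return environ.get(USE_CLIENT_CERT_ENV, "false").lower() == "true"


@contextlib.asynccontextmanager
async def temporary_cert_file(cert_pem, key_pem):
    # load_cert_chain() only accepts paths, so the key must touch disk briefly.
    # mkstemp opens O_EXCL with mode 0600: no other local user can read it or
    # pre-create the path under our feet (the classic temp-file TOCTOU race).
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(cert_pem + b"\n" + key_pem)
        yield path
    finally:
        with contextlib.suppress(FileNotFoundError):  # even if the caller raised
            os.unlink(path)


async def mtls_context_from_callback(callback, environ=None):
    # Returns None when mTLS is switched off or there is no certificate source.
    if not should_use_client_cert(environ) or callback is None:
        return None
    cert_pem, key_pem = callback()  # hypothetical provider of a real PEM pair
    async with temporary_cert_file(cert_pem, key_pem) as path:
        ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
        ctx.load_cert_chain(certfile=path)  # key now lives only in the context
    return ctx


def probe_temp_file():
    # Observe the file's mode while open and confirm it is gone afterwards.
    async def _probe():
        async with temporary_cert_file(b"<constructed cert>", b"<constructed key>") as p:
            mode, existed = stat.S_IMODE(os.stat(p).st_mode), os.path.exists(p)
        return existed, mode, os.path.exists(p)
    return asyncio.run(_probe())
```

probe_temp_file() returns (True, 0o600, False): the file is readable only by the owner while the context is open and is unlinked once it closes.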

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces mTLS configuration capabilities for asynchronous sessions in google-auth, leveraging x.509 certificates. Key changes include the addition of a new mtls.py module for handling certificate and key management, updates to AsyncAuthorizedSession to support mTLS channel configuration, and modifications to internal helper functions to accommodate context-aware certificate sources. Comprehensive unit tests have also been added to ensure the correctness and robustness of the new mTLS functionality.

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
…of race conditions

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
@agrawalradhika-cell

The system-3.10 check is failing with an unrelated Module not found failure, which is fixed by removing the version bound of google-cloud-pubsub in noxfile.grpc in #1961
