When handling 401 Unauthorized responses, the HTTP transport interceptors in google.auth.transport.requests and google.auth.transport.urllib3 attempt to auto-rotate expired mTLS client certificates by calling configure_mtls_channel().
In multi-threaded environments, if multiple threads share an authorized session and hit a 401 concurrently, they will trigger the certificate rotation at the same time. Because there is no synchronization lock, this leads to race conditions. Multiple threads will redundantly read the updated certificates and concurrently mutate the underlying session's adapter mappings (requests.Session.adapters) or pool managers, which is not thread-safe and can cause runtime exceptions.
We should introduce a lock (e.g., using threading.Lock) around the configure_mtls_channel reconfiguration block inside the transport handlers to ensure that certificate rotation is performed serially.
When handling
401 Unauthorizedresponses, the HTTP transport interceptors ingoogle.auth.transport.requestsandgoogle.auth.transport.urllib3attempt to auto-rotate expired mTLS client certificates by callingconfigure_mtls_channel().In multi-threaded environments, if multiple threads share an authorized session and hit a 401 concurrently, they will trigger the certificate rotation at the same time. Because there is no synchronization lock, this leads to race conditions. Multiple threads will redundantly read the updated certificates and concurrently mutate the underlying session's adapter mappings (
requests.Session.adapters) or pool managers, which is not thread-safe and can cause runtime exceptions.We should introduce a lock (e.g., using
threading.Lock) around theconfigure_mtls_channelreconfiguration block inside the transport handlers to ensure that certificate rotation is performed serially.