When using google-auth with an mTLS-enabled requests session (AuthorizedSession where self.is_mtls is true), a 401 Unauthorized response currently triggers an mTLS certificate rotation check.
However, google/auth/transport/requests.py does not verify if the URL that returned the 401 is actually an mTLS endpoint. If an OAuth token expires while calling a standard, non-mTLS endpoint (like a standard googleapis.com URL) using an mTLS-configured session, the library mistakenly triggers an unnecessary mTLS certificate parsing and adapter reconfiguration before refreshing the token.
For comparison, urllib3.py already handles this correctly by checking if the URL matches MTLS_URL_PREFIXES = ["mtls.googleapis.com", "mtls.sandbox.googleapis.com"]. We should implement a similar URL check in requests.py (and potentially centralize it) so that we only attempt mTLS certificate rotation on a 401 if the endpoint is actually an mTLS endpoint.
When using
google-authwith an mTLS-enabledrequestssession (AuthorizedSessionwhereself.is_mtlsis true), a401 Unauthorizedresponse currently triggers an mTLS certificate rotation check.However,
google/auth/transport/requests.pydoes not verify if the URL that returned the 401 is actually an mTLS endpoint. If an OAuth token expires while calling a standard, non-mTLS endpoint (like a standardgoogleapis.comURL) using an mTLS-configured session, the library mistakenly triggers an unnecessary mTLS certificate parsing and adapter reconfiguration before refreshing the token.For comparison,
urllib3.pyalready handles this correctly by checking if the URL matchesMTLS_URL_PREFIXES = ["mtls.googleapis.com", "mtls.sandbox.googleapis.com"]. We should implement a similar URL check inrequests.py(and potentially centralize it) so that we only attempt mTLS certificate rotation on a 401 if the endpoint is actually an mTLS endpoint.