Merge branch 'main' into remove-rsa-dependency

Author: daniel-sanche

.librarian/state.yaml

@@ -1,7 +1,7 @@
-image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator@sha256:39628f6e89c9cad27973b9a39a50f7052bec0435ee58c7027b4fa6b655943e31
+image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator@sha256:b8058df4c45e9a6e07f6b4d65b458d0d059241dd34c814f151c8bf6b89211209
 libraries:
   - id: google-auth
-    version: 2.45.0
+    version: 2.46.0
     last_generated_commit: 102d9f92ac6ed649a61efd9b208e4d1de278e9bb
     apis: []
     source_roots:

CHANGELOG.md

@@ -4,6 +4,28 @@
 
 [1]: https://pypi.org/project/google-auth/#history
 
+## [2.46.0](https://github.com/googleapis/google-auth-library-python/compare/v2.45.0...v2.46.0) (2026-01-05)
+
+
+### Documentation
+
+* update urllib3 docstrings for v2 compatibility (#1903) ([3f1aeea2d1014ea1d244a4c3470e52d74d55404b](https://github.com/googleapis/google-auth-library-python/commit/3f1aeea2d1014ea1d244a4c3470e52d74d55404b))
+
+
+### Features
+
+* Recognize workload certificate config in has_default_client_cert_source for mTLS for Agentic Identities (#1907) ([0b9107d573123e358c347ffa067637f992af61b4](https://github.com/googleapis/google-auth-library-python/commit/0b9107d573123e358c347ffa067637f992af61b4))
+
+
+### Bug Fixes
+
+* add types to default and verify_token and Request __init__ based on comments in the source code. (#1588) ([59a5f588f7793b59d923a4185c8c07738da618f7](https://github.com/googleapis/google-auth-library-python/commit/59a5f588f7793b59d923a4185c8c07738da618f7))
+* fix the document of secure_authorized_session (#1536) ([5d0014707fc359782df5ccfcaa75fd372fe9dce3](https://github.com/googleapis/google-auth-library-python/commit/5d0014707fc359782df5ccfcaa75fd372fe9dce3))
+* remove setup.cfg configuration for creating universal wheels (#1693) ([c767531ce05a89002d109f595187aff1fcaacfb7](https://github.com/googleapis/google-auth-library-python/commit/c767531ce05a89002d109f595187aff1fcaacfb7))
+* use .read() instead of .content.read() in aiohttp transport (#1899) ([12f4470f808809e8abf1141f98d88ab720c3899b](https://github.com/googleapis/google-auth-library-python/commit/12f4470f808809e8abf1141f98d88ab720c3899b))
+* raise RefreshError for missing token in impersonated credentials (#1897) ([94d04e090fdfc61926dd32bc1d65f8820b9cede5](https://github.com/googleapis/google-auth-library-python/commit/94d04e090fdfc61926dd32bc1d65f8820b9cede5))
+* Fix test coverage for mtls_helper (#1886) ([02e71631fe275d93825c2e957e830773e75133f7](https://github.com/googleapis/google-auth-library-python/commit/02e71631fe275d93825c2e957e830773e75133f7))
+
 ## [2.45.0](https://github.com/googleapis/google-auth-library-python/compare/v2.44.0...v2.45.0) (2025-12-15)
 
 

google/auth/_cache.py

@@ -0,0 +1,64 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from collections import OrderedDict
+
+
+class LRUCache(dict):
+    def __init__(self, maxsize):
+        super().__init__()
+        self._order = OrderedDict()
+        self.maxsize = maxsize
+
+    def clear(self):
+        super().clear()
+        self._order.clear()
+
+    def get(self, key, default=None):
+        try:
+            value = super().__getitem__(key)
+            self._update(key)
+            return value
+        except KeyError:
+            return default
+
+    def __getitem__(self, key):
+        value = super().__getitem__(key)
+        self._update(key)
+        return value
+
+    def __setitem__(self, key, value):
+        maxsize = self.maxsize
+        if maxsize <= 0:
+            return
+        if key not in self:
+            while len(self) >= maxsize:
+                self.popitem()
+        super().__setitem__(key, value)
+        self._update(key)
+
+    def __delitem__(self, key):
+        super().__delitem__(key)
+        del self._order[key]
+
+    def popitem(self):
+        """Remove and return the least recently used key-value pair."""
+        key, _ = self._order.popitem(last=False)
+        return key, super().pop(key)
+
+    def _update(self, key):
+        try:
+            self._order.move_to_end(key)
+        except KeyError:
+            self._order[key] = None

google/auth/_default.py

@@ -17,16 +17,22 @@
 Implements application default credentials and project ID detection.
 """
 
+from collections.abc import Sequence
 import io
 import json
 import logging
 import os
+from typing import Optional, TYPE_CHECKING
 import warnings
 
 from google.auth import environment_vars
 from google.auth import exceptions
 import google.auth.transport._http_client
 
+if TYPE_CHECKING:  # pragma: NO COVER
+    from google.auth.credentials import Credentials  # noqa: F401
+    from google.auth.transport import Request  # noqa: F401
+
 _LOGGER = logging.getLogger(__name__)
 
 # Valid types accepted for file-based credentials.
@@ -588,7 +594,12 @@ def _apply_quota_project_id(credentials, quota_project_id):
     return credentials
 
 
-def default(scopes=None, request=None, quota_project_id=None, default_scopes=None):
+def default(
+    scopes: Optional[Sequence[str]] = None,
+    request: Optional["google.auth.transport.Request"] = None,
+    quota_project_id: Optional[str] = None,
+    default_scopes: Optional[Sequence[str]] = None,
+) -> tuple["google.auth.credentials.Credentials", Optional[str]]:
     """Gets the default credentials for the current environment.
 
     `Application Default Credentials`_ provides an easy way to obtain

google/auth/aio/transport/aiohttp.py

@@ -104,7 +104,7 @@ class Request(transport.Request):
         # Custom aiohttp Session Example:
         session = session=aiohttp.ClientSession(auto_decompress=False)
         request = google.auth.aio.transport.aiohttp.Request(session=session)
-        auth_sesion = google.auth.aio.transport.sessions.AsyncAuthorizedSession(auth_request=request)
+        auth_session = google.auth.aio.transport.sessions.AsyncAuthorizedSession(auth_request=request)
 
     Args:
         session (aiohttp.ClientSession): An instance :class:`aiohttp.ClientSession` used

google/auth/aio/transport/sessions.py

@@ -159,7 +159,7 @@ async def request(
                 at ``max_allowed_time``. It might take longer, for example, if
                 an underlying request takes a lot of time, but the request
                 itself does not timeout, e.g. if a large file is being
-                transmitted. The timout error will be raised after such
+                transmitted. The timeout error will be raised after such
                 request completes.
 
         Returns:

google/auth/compute_engine/_metadata.py

@@ -294,7 +294,7 @@ def get(
     url = _helpers.update_query(base_url, query_params)
 
     backoff = ExponentialBackoff(total_attempts=retry_count)
-    failure_reason = None
+    last_exception = None
     for attempt in backoff:
         try:
             response = request(
@@ -308,13 +308,10 @@ def get(
                     retry_count,
                     response.status,
                 )
-                failure_reason = (
-                    response.data.decode("utf-8")
-                    if hasattr(response.data, "decode")
-                    else response.data
-                )
+                last_exception = None
                 continue
             else:
+                last_exception = None
                 break
 
         except exceptions.TransportError as e:
@@ -325,14 +322,27 @@ def get(
                 retry_count,
                 e,
             )
-            failure_reason = e
+            last_exception = e
     else:
-        raise exceptions.TransportError(
-            "Failed to retrieve {} from the Google Compute Engine "
-            "metadata service. Compute Engine Metadata server unavailable due to {}".format(
-                url, failure_reason
+        if last_exception:
+            raise exceptions.TransportError(
+                "Failed to retrieve {} from the Google Compute Engine "
+                "metadata service. Compute Engine Metadata server unavailable. "
+                "Last exception: {}".format(url, last_exception)
+            ) from last_exception
+        else:
+            error_details = (
+                response.data.decode("utf-8")
+                if hasattr(response.data, "decode")
+                else response.data
+            )
+            raise exceptions.TransportError(
+                "Failed to retrieve {} from the Google Compute Engine "
+                "metadata service. Compute Engine Metadata server unavailable. "
+                "Response status: {}\nResponse details:\n{}".format(
+                    url, response.status, error_details
+                )
             )
-        )
 
     content = _helpers.from_bytes(response.data)
 

google/auth/compute_engine/credentials.py

@@ -123,7 +123,7 @@ def _retrieve_info(self, request):
     def _metric_header_for_usage(self):
         return metrics.CRED_TYPE_SA_MDS
 
-    def _refresh_token(self, request):
+    def _perform_refresh_token(self, request):
         """Refresh the access token and scopes.
 
         Args:

google/auth/credentials.py

@@ -294,7 +294,7 @@ class CredentialsWithTrustBoundary(Credentials):
     """Abstract base for credentials supporting ``with_trust_boundary`` factory"""
 
     @abc.abstractmethod
-    def _refresh_token(self, request):
+    def _perform_refresh_token(self, request):
         """Refreshes the access token.
 
         Args:
@@ -305,7 +305,7 @@ def _refresh_token(self, request):
             google.auth.exceptions.RefreshError: If the credentials could
                 not be refreshed.
         """
-        raise NotImplementedError("_refresh_token must be implemented")
+        raise NotImplementedError("_perform_refresh_token must be implemented")
 
     def with_trust_boundary(self, trust_boundary):
         """Returns a copy of these credentials with a modified trust boundary.
@@ -364,7 +364,7 @@ def refresh(self, request):
         This method calls the subclass's token refresh logic and then
         refreshes the trust boundary if applicable.
         """
-        self._refresh_token(request)
+        self._perform_refresh_token(request)
         self._refresh_trust_boundary(request)
 
     def _refresh_trust_boundary(self, request):

google/auth/external_account.py

@@ -420,7 +420,7 @@ def refresh(self, request):
         source credentials and the impersonated credentials. For non-impersonated
         credentials, it will refresh the access token and the trust boundary.
         """
-        self._refresh_token(request)
+        self._perform_refresh_token(request)
         self._handle_trust_boundary(request)
 
     def _handle_trust_boundary(self, request):
@@ -432,7 +432,7 @@ def _handle_trust_boundary(self, request):
             # Otherwise, refresh the trust boundary for the external account.
             self._refresh_trust_boundary(request)
 
-    def _refresh_token(self, request, cert_fingerprint=None):
+    def _perform_refresh_token(self, request, cert_fingerprint=None):
         scopes = self._scopes if self._scopes is not None else self._default_scopes
 
         # Inject client certificate into request.