chore(deps): update dependency google-auth to v2.49.0

[renovate-bot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
google-auth	==2.3.2 → ==2.49.0

---

Release Notes

googleapis/google-auth-library-python (google-auth)

v2.48.0

Compare Source

Features

• add cryptography as required dependency (#​1929) (52558ae2881b1e6555f6f5c0d76365c15807ead9)
• Support the mTLS IAM domain for Certificate based Access (#​1938) (8dcf91a1b05c85fbbd0bcee78d66e498099102ab)
• add configurable GCE Metadata Server retries (#​1488) (454b441b478ec62bbf1a6ad5bceb6c7cbbfd0c37)
• honor NO_GCE_CHECK environment variable (#​1610) (383c9827536d9376e8248370ce4c2b83e468d027)

Bug Fixes

• resolve circular imports (#​1942) (25c1b064545702cbef087cfcd15fbbb6ef1af74f)
• removes content-header from AWS IMDS get request (#​1934) (97bfea9e02ede953fc8ee154e0deed3a3cfc6dcc)
• detect correct auth when ADC env var is set but empty (#​1374) (bfc07e1050bd0aa86fa3b08cdf70c9b68b5fe6a2)
• replace deprecated utcfromtimestamp (#​1799) (e431f20cf73ccac71926a23ec454468cea92e053)
• Use user_verification=preferred for ReAuth WebAuthn challenge (#​1798) (3f88a24089c4ee6822d510de0db210b54260d873)

v2.47.0

Compare Source

Features

• drop cachetools dependency in favor of simple local implementation (#​1590) (5c07e1c4f52bc77a1b16fa3b7b3c5269c242f6f4)

Bug Fixes

• Python 3.8 support (#​1918) (60dc20014a35ec4ba71e8065b9a33ecbdbeca97a)

v2.46.0

Compare Source

Documentation

• update urllib3 docstrings for v2 compatibility (#​1903) (3f1aeea2d1014ea1d244a4c3470e52d74d55404b)

Features

• Recognize workload certificate config in has_default_client_cert_source for mTLS for Agentic Identities (#​1907) (0b9107d573123e358c347ffa067637f992af61b4)

Bug Fixes

• add types to default and verify_token and Request init based on comments in the source code. (#​1588) (59a5f588f7793b59d923a4185c8c07738da618f7)
• fix the document of secure_authorized_session (#​1536) (5d0014707fc359782df5ccfcaa75fd372fe9dce3)
• remove setup.cfg configuration for creating universal wheels (#​1693) (c767531ce05a89002d109f595187aff1fcaacfb7)
• use .read() instead of .content.read() in aiohttp transport (#​1899) (12f4470f808809e8abf1141f98d88ab720c3899b)
• raise RefreshError for missing token in impersonated credentials (#​1897) (94d04e090fdfc61926dd32bc1d65f8820b9cede5)
• Fix test coverage for mtls_helper (#​1886) (02e71631fe275d93825c2e957e830773e75133f7)

v2.45.0

Compare Source

Features

• Adding Agent Identity bound token support and handling certificate mismatches with retries (#​1890) (b32c934e6b0d09b94c467cd432a0a635e8b05f5c)

v2.44.0

Compare Source

Features

• support Python 3.14 (#​1822) (0f7097e78f247665b6ef0287d482033f7be2ed6d)
• add ecdsa p-384 support (#​1872) (39c381a5f6881b590025f36d333d12eff8dc60fc)
• MDS connections use mTLS (#​1856) (0387bb95713653d47e846cad3a010eb55ef2db4c)
• Implement token revocation in STS client and add revoke() metho… (#​1849) (d5638986ca03ee95bfffa9ad821124ed7e903e63)
• Add shlex to correctly parse executable commands with spaces (#​1855) (cf6fc3cced78bc1362a7fe596c32ebc9ce03c26b)

Bug Fixes

• Use public refresh method for source credentials in ImpersonatedCredentials (#​1884) (e0c3296f471747258f6d98d2d9bfde636358ecde)
• Add temporary patch to workload cert logic to accomodate Cloud Run mis-configuration (#​1880) (78de7907b8bdb7b5510e3c6fa8a3f3721e2436d7)
• Delegate workload cert and key default lookup to helper function (#​1877) (b0993c7edaba505d0fb0628af28760c43034c959)

v2.43.0

Compare Source

Features

• Add public wrapper for _mtls_helper.check_use_client_cert which enables mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the MWID/X.509 cert sources detected (#​1859) Add public wrapper for check_use_client_cert which enables mTLS if
  GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the MWID/X.509 cert
  sources detected. Also, fix check_use_client_cert to return boolean
  value.
  Change #​1848 added the check_use_client_cert method that helps know if
  client cert should be used for mTLS connection. However, that was in a
  private class, thus, created a public wrapper of the same function so
  that it can be used by python Client Libraries. Also, updated
  check_use_client_cert to return a boolean value instead of existing
  string value for better readability and future scope.
  --------- (1535eccbff0ad8f3fd6a9775316ac8b77dca66ba)
• Enable mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, if the MWID/X.509 cert sources detected (#​1848) The Python SDK will use a hybrid approach for mTLS enablement:

• If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is set
  (either true or false), the SDK will respect that setting. This is
  necessary for test scenarios and users who need to explicitly control
  mTLS behavior.
• If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not
  set, the SDK will automatically enable mTLS only if it detects Managed
  Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF)
  certificate sources. In other cases where the variable is not set, mTLS
  will remain disabled.
  ** This change also adds the helper method check_use_client_cert and
  it's unit test, which will be used for checking the criteria for setting
  the mTLS to true
  ** This change is only for Auth-Library, other changes will be created
  for Client-Library use-cases.
  --------- (395e405b64b56ddb82ee639958c2e8056ad2e82b)

• onboard google-auth to librarian (#​1838) This PR onboards google-auth library to the Librarian system.
  Wait for
  #​1819. (c503eaa511357d7a76cc1e1f1d3a3be2dabd5bca)

v2.42.1

Compare Source

Bug Fixes

• Catch ValueError for json.loads() (#​1842) (b074cad)

v2.42.0

Compare Source

Features

• Add trust boundary support for external accounts. (#​1809) (36ecb1d)

Bug Fixes

• Read scopes from ADC json for impersoanted cred (#​1820) (62c0fc8)

v2.41.1

Compare Source

Bug Fixes

• Suppress deprecation warning for ADC (#​1815) (751ce3f)

v2.41.0

Compare Source

Features

• Add support for cachetools 6.0 (#​1773) (af18060)
• Add trust boundary support for service accounts and impersonation. (#​1778) (99be2ce)

Bug Fixes

• Deprecating load_credentials_from_dict (58b66ec)
• Deprecating load_credentials_from_file (58b66ec)
• Fix type error in credentials.py for python 3.7 and 3.8 (#​1805) (c30a6a7)

Documentation

• Update user guide to include x509 feature. (#​1802) (2d89ab4)

v2.40.3

Compare Source

Bug Fixes

• Auth fetch token from default endpoint (#​1779) (88891cc)
• Remove unnecessary call to mds service (#​1769) (7c61c7d)
• Retry 504 errors (#​1767) (554f967)

v2.40.2

Compare Source

Bug Fixes

• Remove sync response logs in AuthorizedSession (97ed1c8)
• Update test to consider new error message from cryptography (#​1765) (44e38b6)

v2.40.1

Compare Source

Bug Fixes

• Disable logging response body for async logs (#​1756) (2f0ddfe)

v2.40.0

Compare Source

Features

• Add request response logging to auth (#​1678) (77ad53e)

Bug Fixes

• Correct webauthn JSON parsing to be compliant with standard. (#​1658) (0c5ef36)

v2.39.0

Compare Source

Features

• Adds GA support for X.509 workload identity federation (#​1695) (7495960)

Bug Fixes

• Add impersonated SA via local ADC support for fetch_id_token (#​1740) (f249764)
• Add missing packaging dependency for feature requiring urllib3 (#​1732) (221f4a8)
• Add request timeout for MDS requests (#​1699) (9f7d3fa)
• Explicitly declare support for Python 3.13 (#​1741) (6fd04d5)

v2.38.0

Compare Source

Features

• Adding domain-wide delegation flow in impersonated credential (#​1624) (34ee3fe)

Documentation

• Add warnings regarding consuming externally sourced credentials (d049370)

v2.37.0

Compare Source

Features

• Allow users to use jwk keys for verifying ID token (#​1641) (98c3ed9)

v2.36.0

Compare Source

Features

• IAM signblob retries (#​1600) (484c8db)
• Making iam endpoint universe-aware (#​1604) (16c728d)
• Support External Account Authorized User as a Source Credential for impersonated credentials in ADC (#​1608) (875796c)

Bug Fixes

• Adding default parameters to updated interfaces (#​1622) (8cf1cb1)
• Change universe_domain to universe-domain (#​1613) (168fcc6)
• Remove base class to avoid type conflict (#​1619) (9e2789a)
• Revert templates for iam endpoints (#​1614) (0a4363a)
• Update secret (#​1611) (f070de0)
• Update secret (#​1617) (10f42a7)
• Update secret (#​1621) (6be19fb)

v2.35.0

Compare Source

Features

• Add cred info to ADC creds (#​1587) (6f75dd5)
• Add support for asynchronous AuthorizedSession api (#​1577) (2910b6b)

Bug Fixes

• Remove token_info call from token refresh path (#​1595) (afb9e5a)

v2.34.0

Compare Source

Features

• auth: Update get_client_ssl_credentials to support X.509 workload certs (#​1558) (18c2ec1)

Bug Fixes

• Retry token request on retryable status code (#​1563) (f858a15)

v2.33.0

Compare Source

Features

• Implement async StaticCredentials using access tokens (#​1559) (dc17dfc)
• Implement base classes for credentials and request sessions (#​1551) (036dac4)

Bug Fixes

• metadata: Enhance retry logic for metadata server access in _metadata.py (#​1545) (61c2432)

Documentation

• Update argument for Credentials initialization (#​1557) (40b9ed9)

v2.32.0

Compare Source

Features

• Adds support for X509 workload credential type (#​1541) (1270217)

v2.31.0

Compare Source

Features

• Adds X509 workload cert logic (#​1527) (05220e0)

Bug Fixes

• Added py.typed to MANIFEST.in (#​1526) (1829a3b)
• Pass trust_env kwarg to ClientSession (#​1533) (6c15c9a), closes #​1530

v2.30.0

Compare Source

Features

• Add WebAuthn plugin component to handle WebAuthn get assertion request (#​1464) (e25f336)
• ECP Provider drop cryptography requirement (#​1524) (a821d71)
• Enable webauthn plugin for security keys (#​1528) (e2d5e63)

Bug Fixes

• Fix id_token iam endpoint for non-gdu service credentials (#​1506) (93d681e)
• Makes default token_url universe aware (#​1514) (045776e)

v2.29.0

Compare Source

Features

• Adds support for custom suppliers in AWS and Identity Pool credentials (#​1496) (3af1768)

Bug Fixes

• Refactor tech debt in aws and identity pool credentials (#​1501) (ce435b0)

v2.28.2

Compare Source

Bug Fixes

• Remove gce log for expected 404 (#​1491) (cb04e49)

v2.28.1

Compare Source

Bug Fixes

• Typo when setting the state for the pickle deserializer. (#​1479) (08b5cc3)

v2.28.0

Compare Source

Features

• Adding universe domain support for downscroped credentials (#​1463) (fa8b7b2)

Bug Fixes

• Change log level to debug for return_none_for_not_found_error (#​1473) (a036b47)
• Make requests import conditional for gce universe domain (#​1476) (9bb64c8)

v2.27.0

Compare Source

Features

• Add optional account association for Authorized User credentials. (#​1458) (988153d)

Bug Fixes

• Allow custom universe domain for gce creds (#​1460) (7db5823)
• Conditionally import requests only if no request was passed by the caller. (#​1456) (9cd6742)

v2.26.2

Compare Source

Bug Fixes

• Read universe_domain for external account authorized user (#​1450) (1cc7df3)

v2.26.1

Compare Source

Bug Fixes

• Ensure that refresh worker is pickle-able. (#​1447) (421c184)

v2.26.0

Compare Source

Features

• Add optional non blocking refresh for sync auth code (a6dc2c3)
• Add optional non blocking refresh for sync auth code (#​1368) (a6dc2c3)

Bug Fixes

• External account user cred universe domain support (#​1437) (75068f9)
• Guard delete statements. Add default fallback for _use_non_blocking_refresh. (#​1445) (776d634)

v2.25.2

Compare Source

Bug Fixes

• Fix user cred universe domain issue (#​1436) (ae314a8)

v2.25.1

Compare Source

Bug Fixes

• Fix vm universe_domain bug (#​1433) (8683520)

v2.25.0

Compare Source

Features

• Add custom tls signer for ECP Provider. (39eb287)
• Add custom tls signer for ECP Provider. (#​1402) (39eb287)

Bug Fixes

• Add with_universe_domain (#​1408) (505910c)
• Fixes issue where Python37DeprecationWarning cannot be filtered (#​1428) (f22f767)
• Remove broken link in Python37DeprecationWarning (#​1430) (e2db602)

v2.24.0

Compare Source

Features

• Add support for Python 3.12 (#​1421) (307916c)
• Add universe domain support for VM cred (#​1409) (7ab0fce)
• Modify the token refresh window (#​1419) (c6af1d6)

Bug Fixes

• Add missing before request to async oauth2 credentials. (#​1420) (8eaa878)
• Auto create self signed jwt cred (#​1418) (6c610a5)
• Migrate datetime.utcnow for python 3.12 (#​1413) (e4d9c27)

Documentation

• Update user cred doc (#​1414) (3f426bc)

v2.23.4

Compare Source

Bug Fixes

• Export detect_gce_residency_linux function (#​1403) (809da13)

v2.23.3

Compare Source

Bug Fixes

• Serialize signer keys on getstate for pickling (#​1394) (8b783b9), closes #​1383

v2.23.2

Compare Source

Bug Fixes

• Support urllib3<2.0 versions (#​1390) (07c464a)

v2.23.1

Compare Source

Bug Fixes

• Less restrictive content-type header check for google authentication (ignores charset) (#​1382) (7039beb)
• Trust boundary meta header renaming and using the schema from backend team. (#​1384) (2503d4a)
• Update urllib3 to >= 2.0.5 (#​1389) (a99f3bb)

v2.23.0

Compare Source

Features

• Add get_bq_config_path() to _cloud_sdk.py (9f52f66)
• Add get_bq_config_path() to _cloud_sdk.py (#​1358) (9f52f66)

Bug Fixes

• Expose universe domain in credentials (#​1380) (8b8fce6)
• Make external_account resistant to string type 'expires_in' responses from non-compliant services (#​1379) (01d3770)
• Missing ssj for impersonate cred (#​1377) (7d453dc)
• Skip checking projectid on cred if env var is set (#​1349) (a4135a3)

v2.22.0

Compare Source

Features

• Adding meta header for trust boundary (#​1334) (908c8d1)
• Introduce compatibility with native namespace packages (#​1205) (2f75922)

Bug Fixes

• Deprecate UserAccessTokenCredentials (#​1344) (5f97fe9)

v2.21.0

Compare Source

Features

• Add framework for BYOID metrics headers (#​1332) (1a8f50c)

Bug Fixes

• Pypy unit test build (#​1335) (33e4263)

v2.20.0

Compare Source

Features

• Add public API load_credentials_from_dict (#​1326) (5467ad7)

Bug Fixes

• Expiry in compute_engine.IDTokenCredentials (#​1327) (56a6159), closes #​1323
• Expiry in impersonated_credentials.IDTokenCredentials (#​1330) (d1b887c)
• Invalid dev version identifiers in setup.py (#​1322) (a9b8f12), closes #​1321

v2.19.1

Compare Source

Bug Fixes

• Check id token error response (#​1315) (2a71f7b)
• Fix "AttributeError: 'str' object has no attribute 'get'" (dac7cc3)

Documentation

• Replacing abc.com with example.com (dac7cc3)

v2.19.0

Compare Source

Features

• Add metrics (part 1) (#​1298) (246dd07)
• Add metrics (part 2) (#​1303) (ebd5af7)
• Add metrics (part 3) (#​1305) (c7011b6)
• Expose universe_domain for external account creds (#​1296) (ee07053)
• Remove python 2.7 from setup.py and nox tests (#​1301) (8437490)

v2.18.1

Compare Source

Bug Fixes

• Self signed jwt token should be string type (#​1294) (17356fd)

v2.18.0

Compare Source

Features

• Add smbios check to detect GCE residency (#​1276) (22d241b)
• Universe domain support for service account (#​1286) (821c1b6)

v2.17.3

Compare Source

Bug Fixes

• Add useEmailAzp claim for id token iam flow (#​1270) (7a9c6f2)

v2.17.2

Compare Source

Bug Fixes

• Do not create new JWT credentials if they make the same claims as the existing. (#​1267) ([e

---

Configuration

📅 Schedule: Branch creation - "before 8am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[dpebot]

/gcbrun