@parthea parthea commented Nov 26, 2025

See #14908.

This PR should be merged with a merge-commit, not a squash-commit, in order to preserve the git history.

release-please bot and others added 30 commits May 25, 2023 16:17
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
* fix: misc fixes

* update
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
feat: Add public API load_credentials_from_dict to allow creating a default credential object from a dictionary.

This resolves googleapis/google-auth-library-python#1313.
Not ~PEP 440~ distlib compliant.

Fixes #1321
🤖 I have created a release *beep* *boop*
---


## [2.20.0](https://togithub.com/googleapis/google-auth-library-python/compare/v2.19.1...v2.20.0) (2023-06-12)


### Features

* Add public API load_credentials_from_dict ([#1326](https://togithub.com/googleapis/google-auth-library-python/issues/1326)) ([5467ad7](https://togithub.com/googleapis/google-auth-library-python/commit/5467ad75334ee0b5e23522679171cda5fd4edb8a))


### Bug Fixes

* Expiry in compute_engine.IDTokenCredentials ([#1327](https://togithub.com/googleapis/google-auth-library-python/issues/1327)) ([56a6159](https://togithub.com/googleapis/google-auth-library-python/commit/56a6159444467717f5a5e3c04aa678bd0a5881da)), closes [#1323](https://togithub.com/googleapis/google-auth-library-python/issues/1323)
* Expiry in impersonated_credentials.IDTokenCredentials ([#1330](https://togithub.com/googleapis/google-auth-library-python/issues/1330)) ([d1b887c](https://togithub.com/googleapis/google-auth-library-python/commit/d1b887c4bebbe4ad0df6d8f7eb6a6d50355a135d))
* Invalid `dev` version identifiers in `setup.py` ([#1322](https://togithub.com/googleapis/google-auth-library-python/issues/1322)) ([a9b8f12](https://togithub.com/googleapis/google-auth-library-python/commit/a9b8f12db0c3ff4f84939646ba0777d21e68f572)), closes [#1321](https://togithub.com/googleapis/google-auth-library-python/issues/1321)

---
This PR was generated with [Release Please](https://togithub.com/googleapis/release-please). See [documentation](https://togithub.com/googleapis/release-please#release-please).
* Add framework for BYOID metrics headers

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* responding to PR comments

* fix: changing try catch to if statement

* Fix lint and test coverage issue

* fix comment

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
…p/templates/python_library/.kokoro (#1319)

Source-Link: googleapis/synthtool@d0f51a0
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-python:latest@sha256:240b5bcc2bafd450912d2da2be15e62bc6de2cf839823ae4bf94d4f392b451dc

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Anthonios Partheniou <partheniou@google.com>
Source-Link: https://togithub.com/googleapis/synthtool/commit/cb960373d12d20f8dc38beee2bf884d49627165e
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-python:latest@sha256:2d816f26f728ac8b24248741e7d4c461c09764ef9f7be3684d557c9632e46dbd
* feat: adding meta header for trust boundary

* fixing lint

* adding trust_boundary parameter for 3PI init

* change inject header to kebab case and the value to a reasonable value
* fix: Skip checking projectid on cred if env var is set

* add test for legacy project

---------

Co-authored-by: Carl Lundin <108372512+clundin25@users.noreply.github.com>
feat: add get_bq_config_path() to _cloud_sdk.py
Source-Link: googleapis/synthtool@352b9d4
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-python:latest@sha256:3e3800bb100af5d7f9e810d48212b37812c1856d20ffeafb99ebe66461b61fc7

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Anthonios Partheniou <partheniou@google.com>
This reverts commit 9f52f665247ada59278ffddaaef3ada9e419154c.
* chore: Remove support for Python 3.6

* chore: Refresh system test creds.

* Revert "chore: Remove support for Python 3.6"

This reverts commit 3bfd7ba2679b613e1f02e8559a7ded4abda9ef23.

* Add deprecation notice for 3.6 and 3.7.

* chore: Refresh system test creds.

* Revert "Revert "chore: Remove support for Python 3.6""

This reverts commit c9f006b1e7e901f28f2dc52cb5377b17c89ff610.

* Revert "Add deprecation notice for 3.6 and 3.7."

This reverts commit fb6b619899db0229ffaf5d7889af0470cda35095.

* Bump mypy Python version.

* PR feedback.
sai-sunder-s and others added 30 commits October 29, 2025 17:21
see internal bug 448976223

TODO:
- [x] add test
- [x] match the exception string so we don't catch unexpected cases
🤖 I have created a release *beep* *boop*
---


## [2.42.1](googleapis/google-auth-library-python@v2.42.0...v2.42.1) (2025-10-30)


### Bug Fixes

* Catch ValueError for json.loads() ([#1842](googleapis/google-auth-library-python#1842)) ([b074cad](googleapis/google-auth-library-python@b074cad))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
This PR onboards `google-auth` library to the Librarian system.

Wait for googleapis/google-auth-library-python#1819.
… the MWID/X.509 cert sources detected (#1848)

The Python SDK will use a hybrid approach for mTLS enablement:

- If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is set
(either true or false), the SDK will respect that setting. This is
necessary for test scenarios and users who need to explicitly control
mTLS behavior.
- If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not
set, the SDK will automatically enable mTLS only if it detects Managed
Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF)
certificate sources. In other cases where the variable is not set, mTLS
will remain disabled.

* This change also adds the helper method `check_use_client_cert` and
its unit test, which will be used for checking the criteria for setting
the mTLS to true.
* This change is only for Auth-Library; other changes will be created
for Client-Library use-cases.

---------

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>
… enables mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the MWID/X.509 cert sources detected (#1859)

Add public wrapper for check_use_client_cert which enables mTLS if
GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the MWID/X.509 cert
sources detected. Also, fix check_use_client_cert to return boolean
value.

Change #1848 added the check_use_client_cert method that helps know if
client cert should be used for mTLS connection. However, that was in a
private class, thus, created a public wrapper of the same function so
that it can be used by python Client Libraries. Also, updated
check_use_client_cert to return a boolean value instead of existing
string value for better readability and future scope.

---------

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>
Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>
Librarian Version: v0.5.0
Language Image:
us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator:latest
<details><summary>google-auth: 2.43.0</summary>

## [2.43.0](googleapis/google-auth-library-python@v2.42.1...v2.43.0) (2025-11-05)

### Features

* Add public wrapper for _mtls_helper.check_use_client_cert which
enables mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the
MWID/X.509 cert sources detected (#1859)
([1535eccb](googleapis/google-auth-library-python@1535eccb))

* Enable mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, if the
MWID/X.509 cert sources detected (#1848)
([395e405b](googleapis/google-auth-library-python@395e405b))

* onboard `google-auth` to librarian (#1838)
([c503eaa5](googleapis/google-auth-library-python@c503eaa5))

</details>
Documenting Custom Credential Suppliers for:

1. AWS Workload.
2. Okta Workload.

The readme updates for these have already been made:
[Link](https://github.com/googleapis/google-auth-library-python/pull/1496/files)

---------

Co-authored-by: Chalmer Lowe <chalmerlowe@google.com>
Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>
…1855)

The `subprocess.run` command was using `.split()` which does not handle
quoted paths with spaces correctly. This would cause a
`FileNotFoundError` when the path to the executable contained spaces.

This change replaces `.split()` with `shlex.split()` to correctly parse
the command string.

A test case has been added to verify the fix and prevent regressions.

This was reported in b/237606033

Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>
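The path-with-spaces failure described above, reproduced and fixed in an added example (not the library's code; the helper script and the directory containing a space are constructed fixtures standing in for the real Cloud SDK executable):

```python
import os
import shlex
import stat
import subprocess
import tempfile


def make_helper_in_spaced_dir():
    """Create a tiny executable under a directory whose name contains a space
    (constructed fixture; the real case is a Cloud SDK binary under such a path)."""
    base = tempfile.mkdtemp(prefix="sdk dir ")  # note the space in the name
    path = os.path.join(base, "helper.sh")
    with open(path, "w") as f:
        f.write('#!/bin/sh\necho "args=$#"\n')   # echoes how many arguments it received
    os.chmod(path, os.stat(path).st_mode | stat.S_IEXEC)
    return path


def run_command(command, parser):
    """Split a command string with `parser`, then run it.
    Returns ("ok", stdout) on success or ("error", exception name) when the
    executable cannot be found."""
    argv = parser(command)
    try:
        out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
        return ("ok", out.strip())
    except FileNotFoundError as exc:
        return ("error", type(exc).__name__)


def compare_parsers():
    """Run the same quoted command line through str.split (the bug) and shlex.split (the fix)."""
    path = make_helper_in_spaced_dir()
    command = f'"{path}" config config-helper --format=json'
    naive = run_command(command, str.split)    # splits inside the quoted path -> FileNotFoundError
    fixed = run_command(command, shlex.split)  # honours the quotes -> path stays intact
    return naive, fixed


if __name__ == "__main__":
    print(compare_parsers())
```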
#1849)

…d to ExternalAccountAuthorizedUser credentials

* Add support for OAuth 2.0 token revocation to the STS client, aligning
with the specification in RFC7009.

* A new revoke_token method is introduced, which makes a POST request to
a revocation endpoint. The underlying request handler has also been
updated to correctly process successful but empty HTTP responses, as
specified by the standard for revocation.

* Building on the STS client's new capabilities, this change exposes a
public revoke() method on the ExternalAccountAuthorizedUser credentials
class.

* This method encapsulates the logic for revoking the refresh token by
calling the underlying STS client's revoke_token function. It simplifies
the process for client applications, like gcloud, to revoke these
specific credentials without needing to interact directly with the STS
client.

* Unit tests are included to verify successful revocation and to ensure
appropriate errors are raised if required fields (like revoke_url) are
missing.

---------

Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>
Co-authored-by: nbayati <99771966+nbayati@users.noreply.github.com>
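An added example of the RFC 7009 revocation exchange described above, not the library's own STS client: the endpoint is a constructed local stand-in, and the URL path, function names and error class are assumptions.

```python
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class RevocationError(Exception):
    pass


def revoke_token(revoke_url, token, token_type_hint="refresh_token"):
    """POST an RFC 7009 revocation request. A 200 with an empty body is the
    normal success response, so the body is only parsed when it is present."""
    if not revoke_url:
        raise RevocationError("revoke_url is required for token revocation")
    form = urllib.parse.urlencode({"token": token, "token_type_hint": token_type_hint})
    req = urllib.request.Request(revoke_url, data=form.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        raise RevocationError(f"revocation failed with HTTP {exc.code}") from exc
    return json.loads(body) if body else {}   # do not json.loads() an empty body


class _FakeRevocationEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for an STS revocation endpoint (not the real service)."""
    revoked = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        token = form.get("token", [""])[0]
        self.send_response(200 if token else 400)  # missing token is a client error
        self.send_header("Content-Length", "0")    # success carries an empty body
        self.end_headers()
        if token:
            self.revoked.append(token)

    def log_message(self, *args):
        pass


def start_fake_endpoint():
    """Start the stand-in on a random loopback port and return its revoke URL."""
    server = HTTPServer(("127.0.0.1", 0), _FakeRevocationEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/v1/revoke"
```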
Use mTLS/HTTPS when connecting to MDS

**Feature Gating**
The `GCE_METADATA_MTLS_MODE` environment variable is introduced, which
can be set to strict, none, or default.

The `should_use_mds_mtls` function determines whether to use mTLS based
on the environment variable and the existence of the certificate files in a well-known location (https://docs.cloud.google.com/compute/docs/metadata/overview#https-mds-certificates).

**Description of changes**
A custom `MdsMtlsAdapter` is implemented to handle the SSL context for mTLS.

MdsMtlsAdapter loads MDS mTLS certificates from the well-known location.

MdsMtlsAdapter is mounted into the provided requests.Session.

**Behavior**
If mode == none: Continue to use HTTP.

If mode == default: Use HTTPS if certificates exist. If HTTPS/mTLS fails, fall back to HTTP.

If mode == strict: Use HTTPS always, even if certificates don't exist (will result in error).

**Integrating with existing code**
compute_engine/_metadata.py:
- The metadata server URL construction is now dynamic, supporting both
http and https schemes based on whether mTLS is enabled.
- ping and get functions are updated to use mTLS when it's enabled.
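The gating and fallback rules above, as an added example (not the library's implementation): the function names, the placeholder certificate paths and the metadata hostname are assumptions, and the request itself is injected so the logic can be exercised without a metadata server.

```python
import os

# Placeholder paths standing in for the well-known MDS mTLS certificate location
# (constructed for this example; the documented location is linked above).
MDS_CERT_FILES = ("/path/to/mds-mtls/client.crt", "/path/to/mds-mtls/client.key")
VALID_MODES = ("none", "default", "strict")


def mds_certs_present(exists=os.path.exists):
    """True only when every expected certificate file exists."""
    return all(exists(path) for path in MDS_CERT_FILES)


def should_use_mds_mtls(env, certs_present):
    """Decide HTTPS+mTLS vs plain HTTP from GCE_METADATA_MTLS_MODE and cert availability."""
    mode = env.get("GCE_METADATA_MTLS_MODE", "default").lower()
    if mode not in VALID_MODES:
        raise ValueError(f"GCE_METADATA_MTLS_MODE must be one of {VALID_MODES}, got {mode!r}")
    if mode == "none":
        return False          # never use mTLS
    if mode == "strict":
        return True           # always HTTPS, even without certs (the request then fails)
    return certs_present      # default: mTLS only when the certs are actually there


def metadata_url(path, use_mtls, host="metadata.google.internal"):
    """Build the MDS URL with the scheme chosen by the mTLS decision (host is an assumption)."""
    scheme = "https" if use_mtls else "http"
    return f"{scheme}://{host}/computeMetadata/v1/{path}"


def fetch_metadata(path, env, certs_present, do_request):
    """Run `do_request(url)` applying the fallback rule: in default mode an
    HTTPS/mTLS failure falls back to HTTP, in strict mode the error propagates.
    Returns (response, url_actually_used)."""
    use_mtls = should_use_mds_mtls(env, certs_present)
    url = metadata_url(path, use_mtls)
    try:
        return do_request(url), url
    except OSError:
        mode = env.get("GCE_METADATA_MTLS_MODE", "default").lower()
        if use_mtls and mode == "default":
            url = metadata_url(path, use_mtls=False)
            return do_request(url), url
        raise
```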
GDC (Google Distributed Cloud) needs to support ECDSA-P384 keys for
compliance. This change creates EsSigner and EsVerifier classes that are
capable of supporting both ECDSA-P256 and ECDSA-P384 keys for backwards
compatibility. The EsSigner and EsVerifier classes are plumbed through
to the GDC service accounts and are used to both sign and verify JWTs.

This implementation was successfully tested against a GDC instance using
both ECDSA-P256 and ECDSA-P384 keys.

---------

Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>