The current clone() implementation creates a brand-new, default ClientSession. This drops all customized connection-level configurations on the original transport, such as proxies, SSL/TLS contexts, and private CA certificates (which are configured on the underlying TCPConnector), along with session-level default headers, cookies, basic auth, and timeouts. This will cause requests to fail in secure enterprise environments requiring custom proxy or cert setups.

Done. I updated Request.clone() to fully reconstruct the underlying network connector (TCPConnector and UnixConnector) so that custom SSL contexts, IP bindings, and connection limits are preserved. I also made sure that all session-level defaults (including headers, cookies, basic auth, and custom timeouts) are completely mirrored in the cloned session.

nit: I still think a name other than clone should be considered. Gemini suggests _isolate() or _branch(). But this doesn't matter too much if it's internal

nit: It seems like _prepare_async_lookup_callable and _close_cloned_request would be a good fit for a context manager. That would let us encapsulate these three variables, and enforce automatic closing.

Gemini put this together:

@contextlib.asynccontextmanager
async def _managed_lookup_callable(request):
    """An async context manager that prepares a cloned lookup callable 
    and guarantees its transport is closed on exit.
    """
    lookup_callable, lookup_request, is_cloned = _prepare_async_lookup_callable(request)
    try:
        yield lookup_callable
    finally:
        await _close_cloned_request(lookup_request, is_cloned)


# ... Inside your class/function where _worker is defined:

async def _worker():
    try:
        async with _managed_lookup_callable(request) as lookup_callable:
            regional_access_boundary_info = (
                await credentials._lookup_regional_access_boundary(lookup_callable)
            )
    except Exception as e:
        if _helpers.is_logging_enabled(_LOGGER):
            _LOGGER.warning(
                "Failed regional access boundary lookup: %s", 
                e, 
                exc_info=True
            )
        regional_access_boundary_info = None

But this is just a suggestion that came to mind, I think it's fine to merge as-is too.

In the recent push, the regional access boundary check was updated to search for _clone(), and the modern transport aiohttp.py was updated accordingly. However, google/auth/transport/_aiohttp_requests.py was left with the public clone() method.

Because hasattr(base_callable, "_clone") evaluates to False on _aiohttp_requests.Request, it will completely skip cloning and silently fall back to the un-cloned session, re-introducing the original "Session is closed" background crash.

We should rename this method to _clone(self) (or add a private _clone alias pointing to clone for backward compatibility) and update its implementation to copy the connector configuration, default headers, cookies, auth, and timeouts just like aiohttp.py does.

Great catch. I missed updating the legacy transport in the previous commit. I've renamed the method to _clone() in _aiohttp_requests.py and updated its implementation to fully copy the ClientSession and TCPConnector configurations (headers, cookies, timeouts, trace configs, etc.) to mirror what we did in aiohttp.py. I also added the corresponding test coverage for it

The newly added cloning and close methods on the Request adapter in google/auth/transport/_aiohttp_requests.py currently have 0% test coverage.

We should add unit tests in tests_async/transport/test_aiohttp_requests.py to verify that _aiohttp_requests.Request.clone() and .close() work correctly, replicate the session configuration, and are idempotent.

Related to test coverate, I noticed today that the CI check for that is failing open.

@nbayati you can, try to run the check locally, so we don't have too much clean-up to do here when the CI issue is resolved

@lsirac Done!

@daniel-sanche Thanks for the heads-up. I ran the check locally and I'm adding unit tests to cover the missing paths.

On Windows systems, aiohttp.UnixConnector is not defined in the aiohttp namespace. Accessing it directly here via isinstance(orig_connector, aiohttp.UnixConnector) will raise an AttributeError and crash the application during any cloned transport invocation (such as asynchronous Regional Access Boundary refreshes), even if standard TCP connectors are used.

To fix this, access it safely using getattr as is done correctly in _aiohttp_requests.py:

elif getattr(aiohttp, "UnixConnector", None) and isinstance(
    orig_connector, getattr(aiohttp, "UnixConnector")
):

Done!

Copying the original connector's resolver via resolver=getattr(orig_connector, "_resolver", None) shares the exact same stateful DNS resolver instance between the original and cloned sessions.

When the background refresh worker finishes and closes the cloned transport, the cloned session closes its connector, terminating the shared resolver (e.g., in AsyncResolver, this cancels and clears the internal resolver reference). This permanently breaks the original/surviving session, causing subsequent foreground requests to fail with an AttributeError during DNS resolution.

To resolve this, avoid copying the resolver instance and let the cloned connector instantiate its own independent resolver.

Done!

The _clone() implementation explicitly checks only for standard TCPConnector and UnixConnector instances. If the original session is configured with a custom, proxy, or subclassed connector (such as corporate SOCKS or tunneling proxies), the check falls through and the cloned session is created with a default, direct-connection TCPConnector.

This silently drops the proxy/custom configuration and routes traffic directly over the public internet, which will fail or violate security constraints in enterprise/isolated cloud environments. We should either explicitly support proxy preservation or raise a clear transport exception if an unsupported custom connector is detected.

That's a really good point.

We can't really support proxy preservation because third-party aiohttp connectors have arbitrary, unknown constructor signatures (meaning we have no way to instantiate a fresh detached copy of them dynamically), and simply shallow-copying the existing connector is unsafe due to shared socket pools. This leaves us two options: fallback to re-using the customer transport and hope that we don't encounter the bug this PR is trying to fix, or raise the exception as you suggested and accept this as a limitation of RAB.

I've decided not to fallback to re-using the customer's transport if we can't clone it, because it's not just that the RAB call would fail, but also there's another risk: if the foreground task closes the session while the background worker is actively reading from it, the forceful socket truncation mid-flight can leave complex corporate proxy connections in a hung or corrupted state, which means that the affects won't be limited to our RAB calls. So I've added the else: raise exceptions.TransportError(...) block, as raising the error here is the safest path. The exception will trigger the 15-minute cooldown and allow the user's main request to proceed safely.

I thought about disabling RAB permanently if we can't clone the transport (thinking what's the point of entering cooldown if we're going to keep trying to clone it and fail), but decided against it. I realized that because credentials objects are frequently instantiated globally and shared across multiple different clients and API surfaces, there's a chance that the next call would be executed over entirely different transports, making the RAB call possible.