rmehta19
diff --git a/‎gapic-generator-java-pom-parent/pom.xml
Lines changed: 1 addition & 1 deletion b/‎gapic-generator-java-pom-parent/pom.xml
Lines changed: 1 addition & 1 deletion
diff --git a/‎gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
Lines changed: 19 additions & 5 deletions b/‎gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
Lines changed: 19 additions & 5 deletions
diff --git a/‎gax-java/gax-grpc/src/test/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProviderTest.java
Lines changed: 56 additions & 0 deletions b/‎gax-java/gax-grpc/src/test/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProviderTest.java
Lines changed: 56 additions & 0 deletions
@@ -27,7 +27,7 @@
         consistent across modules in this repository -->
     <javax.annotation-api.version>1.3.2</javax.annotation-api.version>
     <grpc.version>1.68.1</grpc.version>
-    <google.auth.version>1.29.1-SNAPSHOT</google.auth.version>
+    <google.auth.version>1.30.0</google.auth.version>
     <google.http-client.version>1.45.0</google.http-client.version>
     <gson.version>2.11.0</gson.version>
     <guava.version>33.3.1-jre</guava.version>
 
@@ -46,7 +46,8 @@
 import com.google.auth.ApiKeyCredentials;
 import com.google.auth.Credentials;
 import com.google.auth.oauth2.ComputeEngineCredentials;
-import com.google.auth.oauth2.S2A;
+import com.google.auth.oauth2.SecureSessionAgent;
+import com.google.auth.oauth2.SecureSessionAgentConfig;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import com.google.common.base.Strings;
@@ -140,6 +141,7 @@ public final class InstantiatingGrpcChannelProvider implements TransportChannelP
   @Nullable private final Boolean allowNonDefaultServiceAccount;
   @VisibleForTesting final ImmutableMap<String, ?> directPathServiceConfig;
   @Nullable private final MtlsProvider mtlsProvider;
+  @Nullable private final SecureSessionAgent s2aConfigProvider;
   @VisibleForTesting final Map<String, String> headersWithDuplicatesRemoved = new HashMap<>();
 
   @Nullable
@@ -152,6 +154,7 @@ private InstantiatingGrpcChannelProvider(Builder builder) {
     this.endpoint = builder.endpoint;
     this.useS2A = builder.useS2A;
     this.mtlsProvider = builder.mtlsProvider;
+    this.s2aConfigProvider = builder.s2aConfigProvider;
     this.envProvider = builder.envProvider;
     this.interceptorProvider = builder.interceptorProvider;
     this.maxInboundMessageSize = builder.maxInboundMessageSize;
@@ -492,11 +495,14 @@ ChannelCredentials createPlaintextToS2AChannelCredentials(String plaintextAddres
    *     mtlsEndpoint.
    */
   ChannelCredentials createS2ASecuredChannelCredentials() {
-    S2A s2aUtils = S2A.newBuilder().build();
-    String plaintextAddress = s2aUtils.getPlaintextS2AAddress();
-    String mtlsAddress = s2aUtils.getMtlsS2AAddress();
+    SecureSessionAgentConfig config = s2aConfigProvider.getConfig();
+    String plaintextAddress = config.getPlaintextAddress();
+    String mtlsAddress = config.getMtlsAddress();
     if (Strings.isNullOrEmpty(mtlsAddress)) {
       // Fallback to plaintext connection to S2A.
+      LOG.log(
+          Level.INFO,
+          "Cannot establish an mTLS connection to S2A because autoconfig endpoint did not return a mtls address to reach S2A.");
       return createPlaintextToS2AChannelCredentials(plaintextAddress);
     }
     // Currently, MTLS to MDS is only available on GCE. See:
@@ -523,7 +529,7 @@ ChannelCredentials createS2ASecuredChannelCredentials() {
       // Fallback to plaintext-to-S2A connection if MTLS-MDS creds do not exist.
       LOG.log(
           Level.INFO,
-          "Cannot establish an mTLS connection to S2A  MTLS to MDS credentials do not exist on filesystem, falling back to plaintext connection to S2A");
+          "Cannot establish an mTLS connection to S2A because MTLS to MDS credentials do not exist on filesystem, falling back to plaintext connection to S2A");
       return createPlaintextToS2AChannelCredentials(plaintextAddress);
     }
   }
@@ -739,6 +745,7 @@ public static final class Builder {
     private String endpoint;
     private boolean useS2A;
     private EnvironmentProvider envProvider;
+    private SecureSessionAgent s2aConfigProvider = SecureSessionAgent.create();
     private MtlsProvider mtlsProvider = new MtlsProvider();
     @Nullable private GrpcInterceptorProvider interceptorProvider;
     @Nullable private Integer maxInboundMessageSize;
@@ -783,6 +790,7 @@ private Builder(InstantiatingGrpcChannelProvider provider) {
       this.allowNonDefaultServiceAccount = provider.allowNonDefaultServiceAccount;
       this.directPathServiceConfig = provider.directPathServiceConfig;
       this.mtlsProvider = provider.mtlsProvider;
+      this.s2aConfigProvider = provider.s2aConfigProvider;
     }
 
     /**
@@ -846,6 +854,12 @@ Builder setMtlsProvider(MtlsProvider mtlsProvider) {
       return this;
     }
 
+    @VisibleForTesting
+    Builder setS2AConfigProvider(SecureSessionAgent s2aConfigProvider) {
+      this.s2aConfigProvider = s2aConfigProvider;
+      return this;
+    }
+
     /**
      * Sets the GrpcInterceptorProvider for this TransportChannelProvider.
      *
 
@@ -51,6 +51,8 @@
 import com.google.auth.http.AuthHttpConstants;
 import com.google.auth.oauth2.CloudShellCredentials;
 import com.google.auth.oauth2.ComputeEngineCredentials;
+import com.google.auth.oauth2.SecureSessionAgent;
+import com.google.auth.oauth2.SecureSessionAgentConfig;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.truth.Truth;
@@ -1042,6 +1044,60 @@ void createMtlsToS2AChannelCredentials_success() throws IOException {
         TlsChannelCredentials.class);
   }
 
+  @Test
+  void createS2ASecuredChannelCredentials_bothS2AAddressesNull_returnsNull() {
+    SecureSessionAgent s2aConfigProvider = Mockito.mock(SecureSessionAgent.class);
+    SecureSessionAgentConfig config = SecureSessionAgentConfig.createBuilder().build();
+    Mockito.when(s2aConfigProvider.getConfig()).thenReturn(config);
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder()
+            .setS2AConfigProvider(s2aConfigProvider)
+            .build();
+    assertThat(provider.createS2ASecuredChannelCredentials()).isNull();
+  }
+
+  @Test
+  void
+      createS2ASecuredChannelCredentials_mtlsS2AAddressNull_returnsPlaintextToS2AS2AChannelCredentials() {
+    SecureSessionAgent s2aConfigProvider = Mockito.mock(SecureSessionAgent.class);
+    SecureSessionAgentConfig config =
+        SecureSessionAgentConfig.createBuilder().setPlaintextAddress("localhost:8080").build();
+    Mockito.when(s2aConfigProvider.getConfig()).thenReturn(config);
+    FakeLogHandler logHandler = new FakeLogHandler();
+    InstantiatingGrpcChannelProvider.LOG.addHandler(logHandler);
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder()
+            .setS2AConfigProvider(s2aConfigProvider)
+            .build();
+    assertThat(provider.createS2ASecuredChannelCredentials()).isNotNull();
+    assertThat(logHandler.getAllMessages())
+        .contains(
+            "Cannot establish an mTLS connection to S2A because autoconfig endpoint did not return a mtls address to reach S2A.");
+    InstantiatingGrpcChannelProvider.LOG.removeHandler(logHandler);
+  }
+
+  @Test
+  void createS2ASecuredChannelCredentials_returnsPlaintextToS2AS2AChannelCredentials() {
+    SecureSessionAgent s2aConfigProvider = Mockito.mock(SecureSessionAgent.class);
+    SecureSessionAgentConfig config =
+        SecureSessionAgentConfig.createBuilder()
+            .setMtlsAddress("localhost:8080")
+            .setPlaintextAddress("localhost:8080")
+            .build();
+    Mockito.when(s2aConfigProvider.getConfig()).thenReturn(config);
+    FakeLogHandler logHandler = new FakeLogHandler();
+    InstantiatingGrpcChannelProvider.LOG.addHandler(logHandler);
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder()
+            .setS2AConfigProvider(s2aConfigProvider)
+            .build();
+    assertThat(provider.createS2ASecuredChannelCredentials()).isNotNull();
+    assertThat(logHandler.getAllMessages())
+        .contains(
+            "Cannot establish an mTLS connection to S2A because MTLS to MDS credentials do not exist on filesystem, falling back to plaintext connection to S2A");
+    InstantiatingGrpcChannelProvider.LOG.removeHandler(logHandler);
+  }
+
   private static class FakeLogHandler extends Handler {
 
     List<LogRecord> records = new ArrayList<>();