The Fix
Upgrade to version 0.15.0 or later.
Based on closed encode/httpx issue #1176 · PR/commit linked
Production note: This tends to surface only under concurrency. Reproduce with load tests and watch for lock contention/cancellation paths.
@@ -724,6 +724,55 @@ class MyCustomAuth(httpx.Auth):
```
+If you _do_ need to perform I/O other than HTTP requests, such as accessing a disk-based cache, or you need to use concurrency primitives, such as locks, then you should override `.sync_auth_flow()` and `.async_auth_flow()` (instead of `.auth_flow()`). The former will be used by `httpx.Client`, while the latter will be used by `httpx.AsyncClient`.
+
+```python
repro.py
from azure.identity.aio import EnvironmentCredential
scopes = ...
async with EnvironmentCredential() as credential:
token = await credential.get_token(*scopes)
async with httpx.AsyncClient(auth=BearerAuth(token.token)):
...
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.15.0 or later.\nWhen NOT to use: This fix is not suitable for synchronous-only authentication implementations.\n\n
Why This Fix Works in Production
- Trigger: * Doesn't allow providing both sync and async implementations, so most likely a no-no.
- Mechanism: Adds support for sync-specific or async-specific auth flows in httpx, allowing for non-blocking I/O operations in authentication.
- Why the fix works: Adds support for sync-specific or async-specific auth flows in httpx, allowing for non-blocking I/O operations in authentication. (first fixed release: 0.15.0).
Production impact:
- If left unfixed, failures can be intermittent under concurrency (hard to reproduce; shows up as sporadic 5xx/timeouts).
Why This Breaks in Prod
- Production symptom (often without a traceback): * Doesn't allow providing both sync and async implementations, so most likely a no-no.
Proof / Evidence
- GitHub issue: #1176
- Fix PR: https://github.com/encode/httpx/pull/1217
- First fixed release: 0.15.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.58
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Closing since from the information provided, I think my suggestion above should solve your use case. If it doesn't, feel free to reach back!”
“Now, another option: "do nothing"”
“Just one snippet example: await self._request_token() is actually a pretty complex endpoint request, but just wanted to give an example here.”
“The locking around token acquiry is a really good example case, yup.”
Failure Signature (Search String)
- * Doesn't allow providing both sync and async implementations, so most likely a no-no.
- * Transparent to the user: authors can add async support without requiring the user to change their code.
Copy-friendly signature
signature.txt
Failure Signature
-----------------
* Doesn't allow providing both sync and async implementations, so most likely a no-no.
* Transparent to the user: authors can add async support without requiring the user to change their code.
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
* Doesn't allow providing both sync and async implementations, so most likely a no-no.
* Transparent to the user: authors can add async support without requiring the user to change their code.
Minimal Reproduction
repro.py
from azure.identity.aio import EnvironmentCredential
scopes = ...
async with EnvironmentCredential() as credential:
token = await credential.get_token(*scopes)
async with httpx.AsyncClient(auth=BearerAuth(token.token)):
...
What Broke
Users cannot implement asynchronous authentication, leading to blocking calls and performance issues.
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
Upgrade to version 0.15.0 or later.
When NOT to use: This fix is not suitable for synchronous-only authentication implementations.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/encode/httpx/pull/1217
First fixed release: 0.15.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix is not suitable for synchronous-only authentication implementations.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a stress test that runs high-concurrency workloads and fails on thread dumps / blocked locks.
- Enable watchdog dumps in prod (faulthandler, thread dump endpoint) to capture deadlocks quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.15.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.