5 files changed, 23 insertions, 22 deletions
diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h
index 7a6aa66670..0154d8ac2a 100644
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@@ -243,8 +243,12 @@ const char *grpc_auth_context_peer_identity_property_name(
 /* Returns 1 if the peer is authenticated, 0 otherwise. */
 int grpc_auth_context_peer_is_authenticated(const grpc_auth_context *ctx);
 
-/* Gets the auth context from the call. */
-const grpc_auth_context *grpc_call_auth_context(grpc_call *call);
+/* Gets the auth context from the call. Caller needs to call
+   grpc_auth_context_release on the returned context. */
+grpc_auth_context *grpc_call_auth_context(grpc_call *call);
+
+/* Releases the auth context returned from grpc_call_auth_context. */
+void grpc_auth_context_release(grpc_auth_context *context);
 
 #ifdef __cplusplus
 }
diff --git a/src/core/security/client_auth_filter.c b/src/core/security/client_auth_filter.c
index 16611ffae2..632a742250 100644
--- a/src/core/security/client_auth_filter.c
+++ b/src/core/security/client_auth_filter.c
@@ -212,15 +212,9 @@ static void auth_start_transport_op(grpc_call_element *elem,
           grpc_client_security_context_destroy;
     }
     sec_ctx = op->context[GRPC_CONTEXT_SECURITY].value;
-    if (sec_ctx->auth_context == NULL) {
-      sec_ctx->auth_context =
-          GRPC_AUTH_CONTEXT_REF(chand->security_connector->base.auth_context,
-                                "client_auth_filter");
-    } else {
-      sec_ctx->auth_context->chained =
-          GRPC_AUTH_CONTEXT_REF(chand->security_connector->base.auth_context,
-                                "client_auth_filter chained");
-    }
+    GRPC_AUTH_CONTEXT_UNREF(sec_ctx->auth_context, "client auth filter");
+    sec_ctx->auth_context = GRPC_AUTH_CONTEXT_REF(
+        chand->security_connector->base.auth_context, "client_auth_filter");
   }
 
   if (op->bind_pollset) {
diff --git a/src/core/security/security_context.c b/src/core/security/security_context.c
index 4d56549f9b..8ce7876bd8 100644
--- a/src/core/security/security_context.c
+++ b/src/core/security/security_context.c
@@ -69,12 +69,20 @@ grpc_call_error grpc_call_set_credentials(grpc_call *call,
   return GRPC_CALL_OK;
 }
 
-const grpc_auth_context *grpc_call_auth_context(grpc_call *call) {
+grpc_auth_context *grpc_call_auth_context(grpc_call *call) {
   void *sec_ctx = grpc_call_context_get(call, GRPC_CONTEXT_SECURITY);
   if (sec_ctx == NULL) return NULL;
   return grpc_call_is_client(call)
-             ? ((grpc_client_security_context *)sec_ctx)->auth_context
-             : ((grpc_server_security_context *)sec_ctx)->auth_context;
+             ? GRPC_AUTH_CONTEXT_REF(
+                   ((grpc_client_security_context *)sec_ctx)->auth_context,
+                   "grpc_call_auth_context client")
+             : GRPC_AUTH_CONTEXT_REF(
+                   ((grpc_server_security_context *)sec_ctx)->auth_context,
+                   "grpc_call_auth_context server");
+}
+
+void grpc_auth_context_release(grpc_auth_context *context) {
+  GRPC_AUTH_CONTEXT_UNREF(context, "grpc_auth_context_unref");
 }
 
 /* --- grpc_client_security_context --- */
diff --git a/src/cpp/common/secure_auth_context.cc b/src/cpp/common/secure_auth_context.cc
index d3606af0f6..4513723653 100644
--- a/src/cpp/common/secure_auth_context.cc
+++ b/src/cpp/common/secure_auth_context.cc
@@ -33,16 +33,13 @@
 
 #include "src/cpp/common/secure_auth_context.h"
 
-#include "src/core/security/security_context.h"
+#include <grpc/grpc_security.h>
 
 namespace grpc {
 
-SecureAuthContext::SecureAuthContext(grpc_auth_context* ctx)
-    : ctx_(GRPC_AUTH_CONTEXT_REF(ctx, "SecureAuthContext")) {}
+SecureAuthContext::SecureAuthContext(grpc_auth_context* ctx) : ctx_(ctx) {}
 
-SecureAuthContext::~SecureAuthContext() {
-  GRPC_AUTH_CONTEXT_UNREF(ctx_, "SecureAuthContext");
-}
+SecureAuthContext::~SecureAuthContext() { grpc_auth_context_release(ctx_); }
 
 std::vector<grpc::string> SecureAuthContext::GetPeerIdentity() const {
   if (!ctx_) {
diff --git a/test/cpp/common/secure_auth_context_test.cc b/test/cpp/common/secure_auth_context_test.cc
index e65a257803..6f8fb8f2cb 100644
--- a/test/cpp/common/secure_auth_context_test.cc
+++ b/test/cpp/common/secure_auth_context_test.cc
@@ -66,8 +66,6 @@ TEST_F(SecureAuthContextTest, Properties) {
   std::vector<grpc::string> bar = context.FindPropertyValues("foo");
   EXPECT_EQ(1, bar.size());
   EXPECT_EQ("bar", bar[0]);
-
-  GRPC_AUTH_CONTEXT_UNREF(ctx, "SecureAuthContextTest");
 }
 
 }  // namespace