Bug: OAuth scopes missing for GoogleAuth for Vertex AI service account auth

[sauravhiremath]

Description

Problem

When using Google Vertex AI with a service account (GOOGLE_APPLICATION_CREDENTIALS pointing to a service account JSON), the custom fetch handler in provider.ts fails with:

invalid_scope: Invalid OAuth scope or ID token audience provided

This happens because new GoogleAuth() is called without specifying OAuth scopes.

Service account credentials require explicit scopes to obtain an access token — unlike user credentials (from gcloud auth application-default login) which have scopes embedded in the refresh token and work without this argument.

Plugins

No response

OpenCode version

1.2.10

Steps to reproduce

1. Set up Google Cloud service account credentials:

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
export GOOGLE_CLOUD_PROJECT="your-gcp-project-id"

2. Configure a google-vertex provider model in opencode.json:

{
  "provider": {
    "google-vertex": {
      "models": {
        "zai-org/glm-5-maas": {
          "name": "GLM-5"
        }
      }
    }
  }
}

3. Run any prompt using the model:
   opencode run "hello" --model google-vertex/zai-org/glm-5-maas
4. Observe error:
   invalid_scope: Invalid OAuth scope or ID token audience provided

---

Note: This does not reproduce if you authenticated via gcloud auth application-default login (user credentials). Only service account JSON auth is affected

Screenshot and/or share link

No response

Operating System

macOS 15.7.3 (Sequoia)

Terminal

iTerm2

[sauravhiremath]

Opened a PR for the fix here - #15110

[sauravhiremath]

@thdxr can u take a look pls?