fix(auth): include GoogleAdc in token refresh match arm (#2486)

vennemp · claude · tusharmath · web-flow · commit c0d8f9feeb7b · 2026-03-06T12:37:53.000Z
Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
Co-authored-by: Tushar Mathur &lt;tusharmath@gmail.com&gt;
Co-authored-by: Amit Singh &lt;amitksingh1490@gmail.com&gt;
diff --git a/crates/forge_infra/src/auth/strategy.rs b/crates/forge_infra/src/auth/strategy.rs
@@ -383,7 +383,10 @@ impl AuthStrategy for GoogleAdcStrategy {
                 // authentication This ensures the user has run 'gcloud auth
                 // application-default login'
                 use google_cloud_auth::credentials::Builder;
+                const VERTEX_AI_SCOPES: &[&str] =
+                    &["https://www.googleapis.com/auth/cloud-platform"];
                 let credentials = Builder::default()
+                    .with_scopes(VERTEX_AI_SCOPES.iter().map(|s| s.to_string()))
                     .build_access_token_credentials()
                     .map_err(|e| {
                         AuthError::CompletionFailed(format!(
@@ -397,7 +400,7 @@ impl AuthStrategy for GoogleAdcStrategy {
                     .await
                     .map_err(|e| {
                         AuthError::CompletionFailed(format!(
-                            "{e}. Please run 'gcloud auth application-default login' to set up credentials."
+                            "Failed to obtain access token: {e}. Your ADC credentials may be expired — run 'gcloud auth application-default login' to re-authenticate."
                         ))
                     })?;
 
@@ -415,10 +418,13 @@ impl AuthStrategy for GoogleAdcStrategy {
         }
     }
 
-    async fn refresh(&self, _credential: &AuthCredential) -> anyhow::Result<AuthCredential> {
+    async fn refresh(&self, credential: &AuthCredential) -> anyhow::Result<AuthCredential> {
         // Google ADC handles token refresh automatically
         // We just need to get a fresh token using the Builder API
+        // Vertex AI requires the cloud-platform scope
+        const VERTEX_AI_SCOPES: &[&str] = &["https://www.googleapis.com/auth/cloud-platform"];
         let credentials = Builder::default()
+            .with_scopes(VERTEX_AI_SCOPES.iter().map(|s| s.to_string()))
             .build_access_token_credentials()
             .map_err(|e| {
                 AuthError::RefreshFailed(format!(
@@ -427,13 +433,16 @@ impl AuthStrategy for GoogleAdcStrategy {
             })?;
 
         let access_token = credentials.access_token().await.map_err(|e| {
-            AuthError::RefreshFailed(format!("Failed to refresh Google access token: {e}"))
+            AuthError::RefreshFailed(format!(
+                "Failed to refresh Google access token: {e}. Your ADC credentials may be expired — run 'gcloud auth application-default login' to re-authenticate."
+            ))
         })?;
 
         Ok(AuthCredential::new_google_adc(
             self.provider_id.clone(),
             ApiKey::from(access_token.token),
-        ))
+        )
+        .url_params(credential.url_params.clone()))
     }
 }
 
diff --git a/crates/forge_services/src/provider_auth.rs b/crates/forge_services/src/provider_auth.rs
@@ -86,9 +86,9 @@ where
         let auth_method = match &auth_context_response {
             AuthContextResponse::ApiKey(response) => {
                 // Check if provider supports Google ADC and if it's the Google ADC marker
-                if provider_id == forge_domain::ProviderId::VERTEX_AI
-                    && response.response.api_key.as_ref() == "google_adc_marker"
-                {
+                let is_vertex_provider = provider_id == forge_domain::ProviderId::VERTEX_AI
+                    || provider_id == forge_domain::ProviderId::VERTEX_AI_ANTHROPIC;
+                if is_vertex_provider && response.response.api_key.as_ref() == "google_adc_marker" {
                     // Vertex AI uses Google ADC
                     forge_domain::AuthMethod::google_adc()
                 } else {
@@ -151,7 +151,8 @@ where
                     match auth_method {
                         AuthMethod::OAuthDevice(_)
                         | AuthMethod::OAuthCode(_)
-                        | AuthMethod::CodexDevice(_) => {
+                        | AuthMethod::CodexDevice(_)
+                        | AuthMethod::GoogleAdc => {
                             // Get existing credential
                             let existing_credential =
                                 self.infra.get_credential(&provider.id).await?.ok_or_else(
