
fix(theme): request 'groups' OIDC scope in OpenCloud theme#1

Merged
KaroUniform merged 1 commit into
mainfrom
fix/oidc-scopes-groups
May 26, 2026

Conversation

@KaroUniform
Owner

@KaroUniform KaroUniform commented May 26, 2026

Summary

Override openIdConnectScopes() in OpenCloudTheme to request the groups scope alongside the default openid offline_access email profile set. Base Theme::openIdConnectScopes() is unchanged, so the ownCloud-branded code path keeps its historical defaults.

Why

Stopgap for our drive.karouniform.xyz setup (OpenCloud 7.0.0 + Authelia 4.39.19, role mapping via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=groups).

Without the groups scope in the desktop's OAuth request, Authelia (and default Keycloak / Authentik) won't emit the groups claim — server-side role mapping then fails with:

proxy: "no roles in user claims" — Error mapping role names to role ids

The login dies on the post-OAuth user-info step with "Failed to get user info from server".

Web login works because the OpenCloud server's OC_OIDC_CLIENT_SCOPES env is honoured for the web frontend, but the desktop client hardcodes its own scope list and ignores the server.

Tradeoffs

  • IDPs that reject unknown scopes (some older Auth0 setups) will break for us — we accept this since our IDP is Authelia and the upstream architectural fix (opencloud-eu/desktop#847) isn't merging soon.
  • This is NOT intended for upstreaming to opencloud-eu/desktop — the maintainer (@kaivol) explicitly rejects hardcoded scopes in #217. The right long-term fix is webfinger-based discovery, see PR #847.

References

Test plan

  • Build locally on macOS (Qt6 + CMake)
  • Reproduce: log in with unmodified upstream binary against drive.karouniform.xyz → confirm "Failed to get user info from server"
  • Apply this branch's build, log in β†’ expect success with admin role visible for user in admins Authelia group
  • Cross-check with user in users group only β†’ maps to user role, not admin

🤖 Generated with Claude Code


Note

Medium Risk
Changes OAuth authorization scope for the OpenCloud theme only; IDPs that reject unknown scopes could break login, while fixing group-claim-dependent role mapping.

Overview
OpenCloud-branded desktop OAuth now requests the groups scope in addition to the default openid offline_access email profile set, via a new OpenCloudTheme::openIdConnectScopes() override.

That lets scope-gated identity providers (e.g. Authelia, default Keycloak/Authentik) include a groups claim so OpenCloud can map roles server-side. Without it, desktop login can fail after OAuth with missing roles in user claims. The base Theme default is unchanged, so other themes keep the previous scope list.

Reviewed by Cursor Bugbot for commit 3b82d48.

Override openIdConnectScopes() in OpenCloudTheme to include the
"groups" scope alongside the default openid/offline_access/email/profile
set.

IDPs that scope-gate their group claim (Authelia, Keycloak and Authentik
in default config) only emit it when the corresponding scope is requested
in the authorization request. Without it, server-side role mapping via
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=groups fails with "no roles in user
claims" and login dies on the post-OAuth user-info step with "Failed to
get user info from server".

Stopgap until opencloud-eu#847 (webfinger-based OIDC parameter discovery) lands
upstream. Refs opencloud-eu#217.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
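The failure mode the PR description and the commit message both describe (scope-gated IdP, `groups` claim only emitted when the `groups` scope is requested, server-side mapping via `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=groups` failing with "no roles in user claims") can be traced end to end in a small model. The following is an added example, not the desktop client's or OpenCloud's own code: `Theme`/`OpenCloudTheme` are plain C++ stand-ins for the client's theme classes named in the PR, the IdP and the role-mapping proxy are simplified models, and the group-to-role table and the sample email are constructed for the example.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in for the desktop client's Theme hierarchy (names taken
// from the PR description; this is not the project's own code).
struct Theme {
    virtual ~Theme() = default;
    // Historical default scope set used by the ownCloud-branded code path.
    virtual std::string openIdConnectScopes() const {
        return "openid offline_access email profile";
    }
};

struct OpenCloudTheme : Theme {
    // The override this PR adds: same defaults plus the "groups" scope.
    std::string openIdConnectScopes() const override {
        return Theme::openIdConnectScopes() + " groups";
    }
};

// Split a space-separated OAuth scope string into a set of scope tokens.
std::set<std::string> parseScopes(const std::string& scopes) {
    std::set<std::string> out;
    std::istringstream in(scopes);
    for (std::string s; in >> s;) out.insert(s);
    return out;
}

using Claims = std::map<std::string, std::vector<std::string>>;

// Model of a scope-gated IdP (Authelia, Keycloak and Authentik in default
// config): a claim is only emitted when its scope was requested.
Claims idpClaims(const std::set<std::string>& requested,
                 const std::vector<std::string>& userGroups) {
    Claims claims;
    if (requested.count("email"))  claims["email"]  = {"user@example.test"};  // constructed
    if (requested.count("groups")) claims["groups"] = userGroups;
    return claims;
}

// Model of the server-side mapping configured by
// PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=groups. Returns the mapped role, or an
// empty string with `error` set when the claim is missing.
std::string mapRole(const Claims& claims, const std::string& roleClaim,
                    std::string& error) {
    // Constructed group -> role table (assumption for this example).
    static const std::map<std::string, std::string> groupToRole = {
        {"admins", "admin"}, {"users", "user"}};
    auto it = claims.find(roleClaim);
    if (it == claims.end() || it->second.empty()) {
        error = "no roles in user claims";   // the message quoted in the PR
        return "";
    }
    std::string role;
    for (const auto& g : it->second) {
        auto r = groupToRole.find(g);
        if (r == groupToRole.end()) continue;
        if (r->second == "admin") return "admin";   // highest privilege wins
        role = r->second;
    }
    if (role.empty()) error = "no group maps to a role";   // constructed message
    return role;
}

// End-to-end desktop login for a user in `groups` with the given theme's scopes.
std::string desktopLoginRole(const Theme& theme,
                             const std::vector<std::string>& groups,
                             std::string& error) {
    error.clear();
    const auto requested = parseScopes(theme.openIdConnectScopes());
    return mapRole(idpClaims(requested, groups), "groups", error);
}
```

Running `desktopLoginRole(Theme{}, {"admins"}, err)` reproduces the pre-fix behaviour: no `groups` claim is issued, so the mapping step fails with "no roles in user claims". With `OpenCloudTheme{}` the same user maps to `admin`, and a user in `users` only maps to `user`, matching the test plan above.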
@KaroUniform KaroUniform merged commit 6d10b9d into main May 26, 2026
1 check passed
@KaroUniform KaroUniform deleted the fix/oidc-scopes-groups branch May 26, 2026 16:34