diff --git a/src/libsync/opencloudtheme.cpp b/src/libsync/opencloudtheme.cpp
index 4da2e9e48..44e8712af 100644
--- a/src/libsync/opencloudtheme.cpp
+++ b/src/libsync/opencloudtheme.cpp
@@ -50,4 +50,12 @@ QmlButtonColor OpenCloudTheme::secondaryButtonColor() const
 {
 return {"#CA8DF5", "#19353F", "#B0B0B0"};
 }
+
+QString OpenCloudTheme::openIdConnectScopes() const
+{
+ // Include "groups" so IDPs whose group claim is scope-gated (Authelia,
+ // default-config Keycloak, Authentik) emit it, enabling server-side
+ // role mapping via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM. See issue #217.
+ return QStringLiteral("openid offline_access email profile groups");
+}
 }
diff --git a/src/libsync/opencloudtheme.h b/src/libsync/opencloudtheme.h
index f8667142e..111429bc5 100644
--- a/src/libsync/opencloudtheme.h
+++ b/src/libsync/opencloudtheme.h
@@ -27,5 +27,6 @@ class OpenCloudTheme : public Theme
 QIcon wizardHeaderLogo() const override;
 QmlButtonColor primaryButtonColor() const override;
 QmlButtonColor secondaryButtonColor() const override;
+ QString openIdConnectScopes() const override;
 };
 }
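Review bot: The `groups` scope returned by `openIdConnectScopes()` is now requested unconditionally from every identity provider, including deployments that do not use claim-based role assignment. Providers that enforce a per-client scope allow-list may answer the authorization request with `invalid_scope` rather than ignoring the value, which would turn this into a login failure. Where the scope is honoured, the issued tokens carry group membership that, per the comment, is only consumed server-side. If the scope list cannot be made overridable per deployment, the comment should at least state the requirement, e.g. `// The IdP client registration must allow the "groups" scope; strict providers may reject the request with invalid_scope.` Sessions established before this change presumably keep their old scope set until the user signs in again, which is worth a line in the release notes.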