From 31a8a11f1bed32a0839545274770582377e46d91 Mon Sep 17 00:00:00 2001
From: Jan Eitzinger <jan@moebiusband.org>
Date: Wed, 1 Apr 2026 12:36:37 +0200
Subject: [PATCH] fix: Always request oidc roles from token

Entire-Checkpoint: bfdbffd7aae0
---
 internal/auth/oidc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/auth/oidc.go b/internal/auth/oidc.go
index bb4b5d95..2786c09a 100644
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -79,7 +79,7 @@ func NewOIDC(a *Authentication) *OIDC {
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
 		Endpoint:     provider.Endpoint(),
-		Scopes:       []string{oidc.ScopeOpenID, "profile"},
+		Scopes:       []string{oidc.ScopeOpenID, "profile", "roles"},
 	}
 
 	oa := &OIDC{provider: provider, client: client, clientID: clientID, authentication: a}