diff --git a/README.md b/README.md
index 3110a60..572d849 100644
--- a/README.md
+++ b/README.md
@@ -154,6 +154,7 @@ services:
 # - OIDC_ONLY=false # Set to true to disable local password auth entirely (SSO only)
 # - OIDC_ADMIN_CLAIM=groups # OIDC claim used to identify admin users
 # - OIDC_ADMIN_VALUE=app-trek-admins # Value of the OIDC claim that grants admin role
+ # - OIDC_SCOPE=openid email profile groups # Space-separated OIDC scopes to request (must include scopes for any claim used by OIDC_ADMIN_CLAIM)
 # - OIDC_DISCOVERY_URL= # Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik)
 # - DEMO_MODE=false # Enable demo mode (resets data hourly)
 # - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
@@ -289,6 +290,9 @@ trek.yourdomain.com {
 | `OIDC_CLIENT_SECRET` | OIDC client secret | — |
 | `OIDC_DISPLAY_NAME` | Label shown on the SSO login button | `SSO` |
 | `OIDC_ONLY` | Disable local password auth entirely (first SSO login becomes admin) | `false` |
+| `OIDC_ADMIN_CLAIM` | OIDC claim used to identify admin users | — |
+| `OIDC_ADMIN_VALUE` | Value of the OIDC claim that grants admin role | — |
+| `OIDC_SCOPE` | Space-separated OIDC scopes to request. Must include scopes for any claim used by `OIDC_ADMIN_CLAIM` (e.g. add `groups` for group-based admin mapping) | `openid email profile groups` |
 | `OIDC_DISCOVERY_URL` | Override the auto-constructed OIDC discovery endpoint. Useful for providers that expose it at a non-standard path (e.g. Authentik: `https://auth.example.com/application/o/trek/.well-known/openid-configuration`) | — |
 | **Initial Setup** | | |
 | `ADMIN_EMAIL` | Email for the first admin account created on initial boot. Must be set together with `ADMIN_PASSWORD`. If either is omitted a random password is generated and printed to the server log. Has no effect once any user exists. | `admin@trek.local` |
diff --git a/chart/values.yaml b/chart/values.yaml
index bee6c50..471dafa 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -24,6 +24,8 @@ env:
 # Set to "false" to allow session cookies over plain HTTP (e.g. no ingress TLS). Not recommended for production.
 # OIDC_DISCOVERY_URL: ""
 # Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik).
+ # OIDC_SCOPE: "openid email profile groups"
+ # Space-separated OIDC scopes to request. Must include scopes for any claim used by OIDC_ADMIN_CLAIM.
 # Secret environment variables stored in a Kubernetes Secret.
diff --git a/docker-compose.yml b/docker-compose.yml
index 397f7ef..768f73f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,6 +31,9 @@ services:
 # - OIDC_CLIENT_SECRET=supersecret # OpenID Connect client secret
 # - OIDC_DISPLAY_NAME=SSO # Label shown on the SSO login button
 # - OIDC_ONLY=false # Set true to disable local password auth entirely (SSO only)
+# - OIDC_ADMIN_CLAIM=groups # OIDC claim used to identify admin users
+# - OIDC_ADMIN_VALUE=app-trek-admins # Value of the OIDC claim that grants admin role
+# - OIDC_SCOPE=openid email profile groups # Space-separated OIDC scopes to request (must include scopes for any claim used by OIDC_ADMIN_CLAIM)
 # - OIDC_DISCOVERY_URL= # Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik)
 # - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
 # - ADMIN_PASSWORD=changeme # Initial admin password — only used on first boot when no users exist
diff --git a/server/.env.example b/server/.env.example
index 049468c..0e1f64d 100644
--- a/server/.env.example
+++ b/server/.env.example
@@ -24,6 +24,7 @@ OIDC_ONLY=true # Disable local password auth entirely (SSO only)
 OIDC_ADMIN_CLAIM=groups # OIDC claim used to identify admin users
 OIDC_ADMIN_VALUE=app-trek-admins # Value of the OIDC claim that grants admin role
 OIDC_DISCOVERY_URL= # Override the auto-constructed OIDC discovery endpoint. Useful for providers (e.g. Authentik) that expose it at a non-standard path. Example: https://auth.example.com/application/o/trek/.well-known/openid-configuration
+OIDC_SCOPE=openid email profile groups # Space-separated OIDC scopes to request (must include scopes for any claim used by OIDC_ADMIN_CLAIM)
 DEMO_MODE=false # Demo mode - resets data hourly
diff --git a/server/src/routes/oidc.ts b/server/src/routes/oidc.ts
index 8ba8c23..77b9b94 100644
--- a/server/src/routes/oidc.ts
+++ b/server/src/routes/oidc.ts
@@ -138,7 +138,7 @@ router.get('/login', async (req: Request, res: Response) => {
 response_type: 'code',
 client_id: config.clientId,
 redirect_uri: redirectUri,
- scope: 'openid email profile',
+ scope: process.env.OIDC_SCOPE || 'openid email profile groups',
 state,
 });
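Review bot: The new `scope:` line reads `process.env.OIDC_SCOPE` straight from the environment inside the request handler, unlike the neighbouring `client_id: config.clientId`, and nothing in the hunk guarantees the operator-supplied value still contains `openid`; without that scope the request is a plain OAuth authorization request and the provider need not issue an ID token, so the `OIDC_ADMIN_CLAIM` mapping this setting exists to feed can silently stop working (presumably that claim is read from the ID token — confirm against the callback code). The default also changes from `openid email profile` to `openid email profile groups`, so deployments that leave `OIDC_SCOPE` unset will now send a `groups` scope that strict providers may reject with `invalid_scope`; that is a behaviour change worth stating in the commit message or avoiding by keeping the old default. Consider normalising the value once before the params object, e.g. `const requested = (process.env.OIDC_SCOPE || 'openid email profile groups').split(/\s+/).filter(Boolean);` and `const scope = requested.includes('openid') ? requested.join(' ') : ['openid', ...requested].join(' ');`, then `scope,` here; ideally the same value would be exposed on `config` next to `clientId` so it is parsed in one place. The `/login` handler starts and ends outside the hunk.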