From 1872b6fbd05bd650cdfc3f857648979f1b008b7e Mon Sep 17 00:00:00 2001
From: Robert Dailey <git@rdailey.me>
Date: Fri, 21 Nov 2025 22:32:13 -0600
Subject: [PATCH] fix: add groups scope to OAuth2 OpenID Connect configuration

The groups scope is required for proper role-based access control (RBAC)
with OIDC providers like Authelia, Keycloak, and Authentik. Without it,
these providers cannot return group membership claims in the UserInfo
response, preventing applications from implementing proper authorization.

This change adds "groups" to the oauth2_openid_scope string resource,
enabling OIDC providers to return group information when supported.
The change is backward compatible as providers ignore unsupported scopes
per the OIDC specification.
---
 opencloudApp/src/main/res/values/setup.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/opencloudApp/src/main/res/values/setup.xml b/opencloudApp/src/main/res/values/setup.xml
index 00044de80..3263056df 100644
--- a/opencloudApp/src/main/res/values/setup.xml
+++ b/opencloudApp/src/main/res/values/setup.xml
@@ -89,7 +89,7 @@
     <string name="oauth2_redirect_uri_scheme">oc</string>
     <string name="oauth2_redirect_uri_host">android.opencloud.eu</string>
     <string name="oauth2_redirect_uri_path"></string>
-    <string name="oauth2_openid_scope">openid offline_access email profile</string>
+    <string name="oauth2_openid_scope">openid offline_access email profile groups</string>
     <string name="oauth2_openid_prompt">select_account consent</string>
 
     <!-- values that should be provided by openCloud server -->