Closed
Description
Is there an existing issue for this?
- There is no existing issue for this bug
Is this happening on an up to date version of Incus?
- This is happening on a supported version of Incus
Incus system details
config:
oidc.audience: "my_audience"
oidc.claim: email
oidc.client.id: "my_client_id"
oidc.issuer: https://idp.example.com
oidc.scopes: openid, profile, email, offline_access
os_name: IncusOS
os_version: "202511100256"
server_version: "6.18"
Instance details
No response
Instance log
No response
Current behavior
It appears that oidc.scopes is ignored. When debugging https://discuss.linuxcontainers.org/t/need-help-incus-oidc-with-zitadel/19812 I was able to resolve the OIDC login issue by setting oidc.claim to sub, a field that is always returned. Then it appeared to me that the configured oidc.scopes are not forwarded in the request to the identity provider.
curl -v https://incus.example.com/oidc/login
...
< location: https://idp.example.com/oauth/v2/authorize?audience=my_audience&client_id=my_client_id&code_challenge=my_challenge&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fincus.example.com%2Foidc%2Fcallback&response_type=code&scope=openid+offline_access&state=some_state
Expected behavior
Incus should honor oidc.scopes and pass it on to the identity provider.
Steps to reproduce
- Configure OIDC and set oidc.scopes
- Click the 'Login with SSO' button on the Incus landing page
- Check what URL the browser is forwarded to from /oidc/login. It should include oidc.scopes as configured.
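An added check for the last reproduction step, written for this page and not part of Incus: it parses the Location header quoted above and lists the configured scopes that the authorize URL does not carry. The URL and the oidc.scopes value are copied from this issue; the function names are the example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Sample taken from the issue: the Location header returned by /oidc/login.
const reportedLocation = "https://idp.example.com/oauth/v2/authorize?audience=my_audience&client_id=my_client_id&code_challenge=my_challenge&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fincus.example.com%2Foidc%2Fcallback&response_type=code&scope=openid+offline_access&state=some_state"

// Sample taken from the issue: the configured oidc.scopes value.
const configuredScopes = "openid, profile, email, offline_access"

// parseConfiguredScopes splits the comma-separated oidc.scopes config value.
func parseConfiguredScopes(cfg string) []string {
	var out []string
	for _, s := range strings.Split(cfg, ",") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// missingScopes parses the authorize redirect URL and returns the configured
// scopes that do not appear in its space-delimited scope parameter.
func missingScopes(location string, configured []string) ([]string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return nil, err
	}
	// Query() decodes "+" to " ", yielding the space-separated scope list.
	sent := map[string]bool{}
	for _, s := range strings.Fields(u.Query().Get("scope")) {
		sent[s] = true
	}
	var missing []string
	for _, s := range configured {
		if !sent[s] {
			missing = append(missing, s)
		}
	}
	return missing, nil
}

func main() {
	missing, err := missingScopes(reportedLocation, parseConfiguredScopes(configuredScopes))
	if err != nil {
		panic(err)
	}
	fmt.Println("configured scopes not forwarded:", missing) // [profile email]
}
```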