diff --git a/assets b/assets
index 5eff3fc6..8e8a6814 160000
--- a/assets
+++ b/assets
@@ -1 +1 @@
-Subproject commit 5eff3fc6db5494ab34af67d66ea6bd51a8605fcc
+Subproject commit 8e8a68141a38b21fc8c343ec03306bb620468274
diff --git a/service/oauth/oauth.go b/service/oauth/oauth.go
index dcf56f2b..a15940e1 100644
--- a/service/oauth/oauth.go
+++ b/service/oauth/oauth.go
@@ -16,6 +16,7 @@ import (
 	"github.com/cloudreve/Cloudreve/v4/pkg/serializer"
 	"github.com/cloudreve/Cloudreve/v4/pkg/util"
 	"github.com/gin-gonic/gin"
+	"github.com/samber/lo"
 )
 
 type (
@@ -90,6 +91,11 @@ func (s *GrantService) Get(c *gin.Context) (*GrantResponse, error) {
 		return nil, serializer.NewError(serializer.CodeParamErr, "Invalid scope requested", nil)
 	}
 
+	// Must have openid scope
+	if !lo.Contains(requestedScopes, types.ScopeOpenID) {
+		return nil, serializer.NewError(serializer.CodeParamErr, "openid scope required", nil)
+	}
+
 	// 3. Create/update grant
 	if err := oAuthClient.UpsertGrant(c, user.ID, app.ID, requestedScopes); err != nil {
 		return nil, serializer.NewError(serializer.CodeDBError, "Failed to create grant", err)
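Review bot: The new gate in GrantService.Get pulls in a third-party helper (`lo.Contains`, with the matching import added in the first hunk) for a one-line membership test that the standard library already provides; if go.mod is at Go 1.21 or later, `if !slices.Contains(requestedScopes, types.ScopeOpenID) {` does the same thing and keeps this authorization check free of an extra dependency. The comment above it says what but not why; I would make the rationale explicit so the next maintainer does not relax it: `// OpenID Connect requires the openid scope on every authorization request (OIDC Core §3.1.2.1); reject before the grant is persisted.` Placing the check before UpsertGrant is the right order, since it keeps a grant without openid from ever being stored, though whether the authorization-code or token path revalidates grants that were stored before this change is outside the hunk and worth confirming. Get begins before this hunk and continues after it.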