diff --git a/.vscode/settings.json b/.vscode/settings.json
index dc1a054c..75e3a447 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -8,7 +8,7 @@
 "vue"
 ],
 "editor.codeActionsOnSave": {
- "source.fixAll.eslint": true
+ "source.fixAll.eslint": "explicit"
 },
 "i18n-ally.localesPaths": [
 "server/locales"
diff --git a/server/modules/authentication/oidc/authentication.js b/server/modules/authentication/oidc/authentication.js
index 3b667709..857af9c8 100644
--- a/server/modules/authentication/oidc/authentication.js
+++ b/server/modules/authentication/oidc/authentication.js
@@ -1,5 +1,6 @@
 const _ = require('lodash')
 const { verifyJwt } = require('../../../helpers/jwt')
+
 /* global WIKI */
 // ------------------------------------
@@ -19,7 +20,7 @@ module.exports = {
 clientID: conf.clientId,
 clientSecret: conf.clientSecret,
 callbackURL: conf.callbackURL,
- scope: conf.scope,
+ scope: 'profile email ' + conf.scope,
 passReqToCallback: true,
 skipUserProfile: conf.skipUserProfile,
 acrValues: conf.acrValues
diff --git a/server/modules/authentication/oidc/definition.yml b/server/modules/authentication/oidc/definition.yml
index 29f53af5..46801566 100644
--- a/server/modules/authentication/oidc/definition.yml
+++ b/server/modules/authentication/oidc/definition.yml
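Review bot: The new `scope:` line in the `@@ -19,7 +20,7 @@` hunk concatenates `conf.scope` without guarding for it being unset, so when the admin leaves the new "Additional Scopes" field empty the strategy is handed the string `'profile email undefined'`, and a provider that validates scopes will answer with invalid_scope (or silently drop the stray token); even with a value present, `'profile email '` leaves a trailing space. Suggest `scope: _.trim('profile email ' + (conf.scope || ''))`, using the lodash already imported in the first hunk, or `_.uniq(...)` over the split string if duplicates of profile/email typed by the admin should be collapsed as well. The same root cause shows up in the `scope` prop added to definition.yml in this commit, which carries no `default:`, so a `default: ''` there would close it from the config side too. The `module.exports` object this line belongs to continues outside the hunk.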
@@ -7,51 +7,48 @@ color: blue-grey darken-2
 website: http://openid.net/connect/
 isAvailable: true
 useForm: false
-scopes:
- - openid
- - profile
- - email
 props:
- clientId:
- type: String
- title: Client ID
- hint: Application Client ID
- order: 1
- clientSecret:
- type: String
- title: Client Secret
- hint: Application Client Secret
- order: 2
 wellKnownURL:
 type: String
 title: Well-Known Configuration URL
 hint: The Well-Known configuration Endpoint URL (e.g. https://provider/.well-known/openid-configuration)
- order: 3
+ order: 1
 authorizationURL:
 type: String
 title: Authorization Endpoint URL
 hint: Application Authorization Endpoint URL (overrides value from well-known URL if set)
- order: 4
+ order: 2
 tokenURL:
 type: String
 title: Token Endpoint URL
 hint: Application Token Endpoint URL (overrides value from well-known URL if set)
- order: 5
+ order: 3
 userInfoURL:
 type: String
 title: User Info Endpoint URL
 hint: User Info Endpoint URL (overrides value from well-known URL if set)
- order: 6
- skipUserProfile:
- type: Boolean
- default: false
- title: Skip User Profile
- hint: Skips call to the OIDC UserInfo endpoint
- order: 7
+ order: 4
 issuer:
 type: String
- title: Issuer
+ title: Issuer URL
 hint: Issuer URL (overrides value from well-known URL if set)
+ order: 5
+ clientId:
+ type: String
+ title: Client ID
+ hint: Application Client ID
+ order: 6
+ clientSecret:
+ type: String
+ title: Client Secret
+ hint: Application Client Secret
+ order: 7
+ userIdClaim:
+ type: String
+ title: User Id Claim
+ hint: Field containing the unique user identifier
+ default: sub
+ maxWidth: 500
 order: 8
 emailClaim:
 type: String
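Review bot: The new `userIdClaim` prop decides which claim becomes the account identity, but its hint `Field containing the unique user identifier` does not tell the admin that the value has to be stable and provider-issued; pointing it at a claim the provider lets users change or reassign (an email address, for example) means a later holder of that value maps onto the earlier account. Suggest the hint read `Field containing the unique, stable user identifier issued by the provider - keep 'sub' unless the claim is guaranteed never to change or be reassigned`. The top-level `scopes:` list is dropped in this hunk; if anything outside this file still reads that key from the definition, it now needs to use the per-strategy `scope` prop instead, which this hunk cannot show. The `props` map continues past the end of the hunk.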
@@ -64,35 +61,47 @@ props:
 type: String
 title: Display Name Claim
 hint: Field containing the user display name
- default: displayName
+ default: name
 maxWidth: 500
 order: 10
+ groupsClaim:
+ type: String
+ title: Groups Claim
+ hint: Field containing the group names
+ default: groups
+ maxWidth: 500
+ order: 11
 mergeIdTokenClaims:
 type: Boolean
 title: Merge ID Token Claims
 hint: If enabled, verifies the ID token and merges its claims into the user profile
 default: false
- order: 11
+ order: 12
 mapGroups:
 type: Boolean
 title: Map Groups
 hint: Map groups matching names from the groups claim value
 default: false
- order: 12
- groupsClaim:
- type: String
- title: Groups Claim
- hint: Field containing the group names
- default: groups
- maxWidth: 500
 order: 13
+ skipUserProfile:
+ type: Boolean
+ default: false
+ title: Skip User Profile
+ hint: Skips call to the OIDC UserInfo endpoint
+ order: 14
 logoutURL:
 type: String
 title: Logout URL
 hint: (optional) Logout URL on the OAuth2 provider where the user will be redirected to complete the logout process.
- order: 14
+ order: 15
+ scope:
+ type: String
+ title: Additional Scopes
+ hint: (optional) Additional space-separated OIDC scopes (e.g. 'offline_access groups') - openid, profile and email are always included
+ maxWidth: 500
+ order: 16
 acrValues:
 type: String
 title: ACR Values
 hint: (optional) Authentication Context Class Reference
- order: 15
\ No newline at end of file
+ order: 17
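Review bot: The hint on the new `scope` prop promises that `openid, profile and email are always included`, but the matching change in authentication.js in this commit only prepends `'profile email '` to the admin's value; whether `openid` is actually sent then depends on the strategy library adding it on its own, which nothing in this diff shows. Either confirm that and say so in the hint, or reword it to what the code guarantees: `hint: (optional) Additional space-separated OIDC scopes (e.g. 'offline_access groups') - profile and email are always added`. The default for `displayNameClaim` also moves from `displayName` to `name` here; that is the standard OIDC claim, but if saved strategy configs pick up definition defaults on reload, instances relying on the old value would change behaviour, which is worth a line in the release notes. The prop list continues outside the hunk.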