Description
Our Gitea instance connects to an external identity provider for unified identity management. I was adding a custom scope and a claim field to OIDC to let accounts in a certain OIDC group have Gitea instance administrator privilege. In the "Edit Authentication Source" page I filled in:
"Additional Scopes"
"Required Claim Name"
"Required Claim Value"
"Claim name providing group names for this source"
However, I noticed that the OAuth URL generated by Gitea wasn't including the custom scope, without which login was prohibited by Gitea, as a result of the absence of the custom claim field, which in turn was a result of the absence of the custom scope, no matter how I modified "Additional Scopes". After troubleshooting for hours, I finally found that "OPENID_CONNECT_SCOPES" (https://github.com/go-gitea/gitea/blob/main/services/auth/source/oauth2/providers_openid.go#L37) will override "Additional Scopes" (https://github.com/go-gitea/gitea/blob/main/routers/web/admin/auths.go#L184) set in "Edit Authentication Source", making it literally useless before I removed the config item.
No error log.
Similar issue I looked at: #31612
Gitea Version
6ca91f5
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
Git Version
No response
Operating System
No response
How are you running Gitea?
Docker compose
Database
PostgreSQL
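As an added illustration (this is not Gitea's code and not part of the issue), the precedence the report describes, modelled in Go: a global scope list that, when non-empty, replaces the per-source list, beside the union an administrator would expect, plus a check that a generated authorization URL actually carries a required scope, which is what the reporter ended up verifying by eye. The scope names, the identity-provider endpoint and the client_id are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample values (not Gitea's configuration): a global list such
// as one read from an ini setting, and a per-source list such as one typed
// into the "Additional Scopes" field of an authentication source.
var (
	globalScopes    = []string{"openid", "profile", "email"}
	perSourceScopes = []string{"openid", "groups", "gitea_admin"}
)

// overrideScopes models the precedence the issue describes: a non-empty
// global list is used as-is and the per-source list is silently dropped.
func overrideScopes(global, perSource []string) []string {
	if len(global) > 0 {
		return global
	}
	return perSource
}

// mergeScopes is the behaviour an administrator would expect instead: the
// union of both lists, order preserved, duplicates and empty entries removed.
func mergeScopes(global, perSource []string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, s := range append(append([]string{}, global...), perSource...) {
		if s == "" || seen[s] {
			continue
		}
		seen[s] = true
		out = append(out, s)
	}
	return out
}

// missingScopes parses an OAuth 2.0 authorization URL and reports which of
// the required scopes are absent from its space-separated "scope" parameter.
// Running this against the redirect URL a server emits turns "the login is
// refused" into "scope X never left the server".
func missingScopes(authURL string, required []string) ([]string, error) {
	u, err := url.Parse(authURL)
	if err != nil {
		return nil, err
	}
	present := make(map[string]bool)
	for _, s := range strings.Fields(u.Query().Get("scope")) {
		present[s] = true
	}
	var missing []string
	for _, r := range required {
		if !present[r] {
			missing = append(missing, r)
		}
	}
	return missing, nil
}

// buildAuthURL assembles a minimal authorization URL for the given scopes.
// The endpoint and client_id are placeholders, not real values.
func buildAuthURL(scopes []string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", "PLACEHOLDER_CLIENT_ID")
	q.Set("scope", strings.Join(scopes, " "))
	return "https://idp.example.invalid/authorize?" + q.Encode()
}

func main() {
	cases := map[string][]string{
		"override": overrideScopes(globalScopes, perSourceScopes),
		"merge":    mergeScopes(globalScopes, perSourceScopes),
	}
	for name, scopes := range cases {
		u := buildAuthURL(scopes)
		missing, _ := missingScopes(u, []string{"gitea_admin"})
		fmt.Printf("%-8s scope=%q missing=%v\n", name, strings.Join(scopes, " "), missing)
	}
}
```

With the constructed inputs the "override" path yields an authorization URL whose scope parameter lacks "gitea_admin", so the provider never returns the custom claim and a required-claim check on the relying party fails with no error of its own; the "merge" path carries all five scopes. The same check can be pointed at any captured authorization redirect to confirm which side of the exchange dropped a scope.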