Passing custom scopes with OpenID connect

I'm working on implementing OpenID Connect and have authentication working with our identity provider, OneLogin, no problem. I am, however, running into some issues getting the appropriate ClaimsPrincipal to use for authorization. OneLogin is sending back what appears to be the “openID” scope in the claims object, but what we really need is a “groups” scope. (We are hoping that the groups scope will contain the Active Directory information, namely the “MemberOf” attribute.)

We have tried adding a scope to the Authentication Method, but it does not seem to be respected.

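$d = @{
    ResponseType = 'id_token'
    # Get-ClientSecret and Get-ClientID are helper functions defined elsewhere;
    # PowerShell calls them without trailing parentheses.
    ClientSecret = Get-ClientSecret
    ClientId = Get-ClientID
    Authority = ''
    Resource = ''
    # Scope requested from the identity provider
    Scope = "groups"
    PassThru = $true
    SaveTokens = $true
}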

Our assumption is that Universal Dashboard uses the default scope of “openID” and that it cannot be changed. Just wanted to reach out to the community and see if our assumption is accurate. Our alternative in this scenario will be to run a custom query against OneLogin after authentication to retrieve the group membership, but before we go down that route I wanted to see if this is our best option.

Digging into UniversalDashboard.Services.AuthenticationConfigurator, it appears that when the dashboard sees the auth type is OIDC, it hydrates an object of type Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions and no values are added to the SCOPE property of that object.
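
One way to check which claims the identity provider actually returned, as an added example that is not part of the original post or of Universal Dashboard: it decodes the payload of an id_token and reports whether a groups claim is present. The function names, the claim name `groups` and the sample tokens are assumptions constructed for illustration; the signature is not verified, so the output is for inspection only.

```powershell
# Added example: decode an id_token payload for inspection only.
# The signature is NOT validated, so never base authorization on this output.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWS with three dot-separated parts.' }

    # base64url -> base64: swap the URL-safe characters and restore padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length in token payload.' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
    $json | ConvertFrom-Json
}

function Test-GroupsClaim {
    # ClaimName defaults to 'groups' (assumption: the name the IdP uses for group membership).
    param([Parameter(Mandatory)][string]$Token, [string]$ClaimName = 'groups')

    $claims = ConvertFrom-JwtPayload -Token $Token
    $names  = @($claims.PSObject.Properties.Name)
    [pscustomobject]@{
        ClaimNames = $names
        HasGroups  = $names -contains $ClaimName
        Groups     = if ($names -contains $ClaimName) { @($claims.$ClaimName) } else { @() }
    }
}

# Constructed sample tokens (header.payload.signature); not real OneLogin tokens.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header     = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$withGroups = ConvertTo-Base64Url '{"sub":"1234","groups":["Dashboard-Admins","Dashboard-Users"]}'
$noGroups   = ConvertTo-Base64Url '{"sub":"1234","email":"user@example.com"}'

Test-GroupsClaim -Token "$header.$withGroups.sig"   # token that carries a groups claim
Test-GroupsClaim -Token "$header.$noGroups.sig"     # token with only the basic claims
```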