diff --git a/CHANGELOG.md b/CHANGELOG.md
index 20d05e7d..bedad34a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 ## Breaking Changes
 ## Changes since v7.5.0
+- [#1989](https://github.com/oauth2-proxy/oauth2-proxy/pull/1989) Fix default scope for keycloak-oidc provider
 # V7.5.0
diff --git a/providers/oidc.go b/providers/oidc.go
index aadaf7c5..190275d3 100644
--- a/providers/oidc.go
+++ b/providers/oidc.go
@@ -20,16 +20,24 @@ type OIDCProvider struct {
 SkipNonce bool
 }
+const oidcDefaultScope = "openid email profile"
 // NewOIDCProvider initiates a new OIDCProvider
 func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider {
- p.setProviderDefaults(providerDefaults{
+ oidcProviderDefaults := providerDefaults{
 name: "OpenID Connect",
 loginURL: nil,
 redeemURL: nil,
 profileURL: nil,
 validateURL: nil,
- scope: "",
- })
+ scope: oidcDefaultScope,
+ }
+ if len(p.AllowedGroups) > 0 {
+ oidcProviderDefaults.scope += " groups"
+ }
+ p.setProviderDefaults(oidcProviderDefaults)
 p.getAuthorizationHeaderFunc = makeOIDCHeader
 return &OIDCProvider{
diff --git a/providers/providers.go b/providers/providers.go
index 1640c38e..67800dd7 100644
--- a/providers/providers.go
+++ b/providers/providers.go
@@ -156,14 +156,6 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
 p.EmailClaim = providerConfig.OIDCConfig.UserIDClaim
 }
- if providerConfig.Type == "oidc" && p.Scope == "" {
- p.Scope = "openid email profile"
- if len(providerConfig.AllowedGroups) > 0 {
- p.Scope += " groups"
- }
- }
 p.setAllowedGroups(providerConfig.AllowedGroups)
 return p, nil
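Review bot: The `groups` scope now depends on `p.AllowedGroups` already being populated when `NewOIDCProvider` runs, whereas the block removed from providers.go read `providerConfig.AllowedGroups` directly; any construction path that calls `NewOIDCProvider` before `setAllowedGroups` would silently request a token without group claims, and whether such a path exists cannot be confirmed from this hunk. Whether a user-configured scope still wins over the default also now rests on `setProviderDefaults` filling only empty fields, which the removed `p.Scope == ""` check made explicit and the new code leaves to that helper. The new constant deserves a doc comment stating that contract, e.g. `// oidcDefaultScope is requested when no scope is configured; " groups" is appended when allowed groups are set.` No test for the keycloak-oidc default scope, with and without allowed groups, appears in the visible diff, and that is the case the commit title says it fixes. The body of NewOIDCProvider continues past the end of the hunk.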