diff --git a/.env.example b/.env.example
index 6973b4c3..806c6c49 100644
--- a/.env.example
+++ b/.env.example
@@ -66,7 +66,9 @@ LOG_HTTP=false
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
 # OIDC_REDIRECT_URI=http://localhost:3000/api/auth/oidc/callback
-# OIDC_SCOPES=openid email profile groups
+# Authentik : 'groups' n'est pas un scope standard — les groups arrivent
+# dans le claim 'groups' du scope 'profile' par defaut.
+# OIDC_SCOPES=openid email profile
 # OIDC_PROVIDER_NAME=Authentik
 #
 # Just-in-time provisioning for unknown emails. Strict by default — set
diff --git a/ACADENICE_PATCHES.md b/ACADENICE_PATCHES.md
index 54378d06..802c2383 100644
--- a/ACADENICE_PATCHES.md
+++ b/ACADENICE_PATCHES.md
@@ -109,7 +109,7 @@ Branche fork : `acadenice/main`
 | `OIDC_CLIENT_ID` | (vide) | requis |
 | `OIDC_CLIENT_SECRET` | (vide) | requis |
 | `OIDC_REDIRECT_URI` | `${APP_URL}/api/auth/oidc/callback` | derive auto si non set |
-| `OIDC_SCOPES` | `openid email profile groups` | |
+| `OIDC_SCOPES` | `openid email profile` | Authentik : `groups` claim arrive via le scope `profile` (pas un scope standard) |
 | `OIDC_PROVIDER_NAME` | `SSO` | label affiche sur le bouton |
 | `OIDC_AUTO_PROVISION` | `false` | si true : cree le user a la volee si email inconnu |
 | `OIDC_DEFAULT_WORKSPACE_ID` | (vide) | requis si multi-workspace + auto-provision |
diff --git a/apps/server/src/integrations/environment/environment.service.ts b/apps/server/src/integrations/environment/environment.service.ts
index 4bf6ef01..910222d2 100644
--- a/apps/server/src/integrations/environment/environment.service.ts
+++ b/apps/server/src/integrations/environment/environment.service.ts
@@ -356,10 +356,9 @@ export class EnvironmentService {
   }
 
   getOidcScopes(): string {
-    return this.configService.get(
-      'OIDC_SCOPES',
-      'openid email profile groups',
-    );
+    // Authentik n'expose pas un scope `groups` standard — les groups arrivent
+    // dans le claim `groups` du scope `profile` par defaut.
+    return this.configService.get('OIDC_SCOPES', 'openid email profile');
   }
 
   getOidcProviderName(): string {
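Review bot: The new default in `getOidcScopes()` bakes an Authentik-specific assumption into a provider-agnostic setting, and the added comment documents only that provider; `OIDC_PROVIDER_NAME` in the same config defaults to a generic `SSO`, so deployments on a provider that only emits group membership when a `groups` scope is explicitly requested will now silently receive no group claim, and if the login flow derives roles or workspace membership from that claim (not visible in this hunk — worth confirming), such users would quietly land in whatever the fallback role is rather than failing loudly. The comment should state the trade-off instead of only the Authentik rationale, and in English to match the rest of the file's comments, e.g. `// Default omits the non-standard 'groups' scope: Authentik returns the 'groups' claim via 'profile'. Providers that gate group claims behind an explicit 'groups' scope must set OIDC_SCOPES; the login flow should treat a missing 'groups' claim as "no groups", never as elevated access.` The change to the user-visible default also deserves a line in the changelog or upgrade notes so existing operators know to re-check their `OIDC_SCOPES` value.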