diff --git a/go.mod b/go.mod
index 16ae70f449..80538116a9 100644
--- a/go.mod
+++ b/go.mod
@@ -338,7 +338,7 @@ require (
 replace (
 github.com/argoproj/argo-workflows/v3 v3.5.13 => github.com/devtron-labs/argo-workflows/v3 v3.5.13
 github.com/cyphar/filepath-securejoin v0.4.1 => github.com/cyphar/filepath-securejoin v0.3.6 // indirect
- github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250902070957-ff08ef4190df
+ github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903065916-8e6032eb99c7
 github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250902070957-ff08ef4190df
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1
 )
diff --git a/go.sum b/go.sum
index 6d9933c0ee..2a16cc75a4 100644
--- a/go.sum
+++ b/go.sum
@@ -237,8 +237,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc h1:VRRKCwnzq github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/devtron-labs/argo-workflows/v3 v3.5.13 h1:3pINq0gXOSeTw2z/vYe+j80lRpSN5Rp/8mfQORh8SmU= github.com/devtron-labs/argo-workflows/v3 v3.5.13/go.mod h1:/vqxcovDPT4zqr4DjR5v7CF8ggpY1l3TSa2CIG3jmjA= -github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250902070957-ff08ef4190df h1:cI8b8B/RKmAyuYgsN483H9hldoK/yOGMv2nNEPVFH+w= -github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250902070957-ff08ef4190df/go.mod h1:9LCkYfiWaEKIBkmxw9jX1GujvEMyHwmDtVsatffAkeU= +github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903065916-8e6032eb99c7 h1:X90yJX2OtyyWkXtRSV2yGK1juyTD475DbCUhIaG6VOw= +github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903065916-8e6032eb99c7/go.mod h1:9LCkYfiWaEKIBkmxw9jX1GujvEMyHwmDtVsatffAkeU= github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250902070957-ff08ef4190df h1:vYRAvhDypMUbUecNXTdJHp+dxgFsaCVMaYfVRmIM8LU= github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250902070957-ff08ef4190df/go.mod h1:BPvuxIUW9TNYZ3+9r39nMzeORMcLqTwNkakirqp9AzU= github.com/devtron-labs/go-bitbucket v0.9.60-beta h1:VEx1jvDgdtDPS6A1uUFoaEi0l1/oLhbr+90xOwr6sDU=
diff --git a/vendor/github.com/devtron-labs/authenticator/client/oidcClient.go b/vendor/github.com/devtron-labs/authenticator/client/oidcClient.go
index 551dec305e..935311e363 100644
--- a/vendor/github.com/devtron-labs/authenticator/client/oidcClient.go
+++ b/vendor/github.com/devtron-labs/authenticator/client/oidcClient.go
@@ -47,13 +47,35 @@ func GetSettings(conf *DexConfig) (*oidc.Settings, error) {
 ClientSecret: conf.DexClientSecret,
 Issuer: proxyUrl,
 ServerSecret: conf.ServerSecret,
- RequestedScopes: conf.DexScopes,
+ RequestedScopes: conf.GetDexScopes(),
 },
 UserSessionDuration: time.Duration(conf.UserSessionDurationSeconds) * time.Second,
 AdminPasswordMtime: conf.AdminPasswordMtime,
 }
 return settings, nil
 }
+func (conf *DexConfig) GetDexScopes() []string {
+ // passing empty array to get default scopes
+ defaultScopes := oidc.GetScopesOrDefault([]string{})
+ additionalScopes := conf.DexScopes
+
+ occurrenceMap := make(map[string]bool)
+ finalScopes := make([]string, 0, len(defaultScopes)+len(additionalScopes))
+
+ // first add all the default
+ for _, scope := range defaultScopes {
+ occurrenceMap[scope] = true
+ finalScopes = append(finalScopes, scope)
+ }
+ // append extra configs
+ for _, scope := range additionalScopes {
+ if _, exists := occurrenceMap[scope]; !exists {
+ occurrenceMap[scope] = true
+ finalScopes = append(finalScopes, scope)
+ }
+ }
+ return finalScopes
+}
 func getOidcClient(dexServerAddress string, settings *oidc.Settings, userVerifier oidc.UserVerifier, RedirectUrlSanitiser oidc.RedirectUrlSanitiser) (*oidc.ClientApp, func(writer http.ResponseWriter, request *http.Request), error) {
 dexClient := &http.Client{
 Transport: &http.Transport{
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 407762cd6d..36d1dd2298 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -523,7 +523,7 @@ github.com/davecgh/go-spew/spew # github.com/deckarep/golang-set v1.8.0 ## explicit; go 1.17 github.com/deckarep/golang-set -# github.com/devtron-labs/authenticator v0.4.35-0.20240809073103-6e11da8083f8 => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250902070957-ff08ef4190df +# github.com/devtron-labs/authenticator v0.4.35-0.20240809073103-6e11da8083f8 => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903065916-8e6032eb99c7 ## explicit; go 1.24.0 github.com/devtron-labs/authenticator/apiToken github.com/devtron-labs/authenticator/client @@ -2671,5 +2671,5 @@ xorm.io/xorm/log xorm.io/xorm/names xorm.io/xorm/schemas xorm.io/xorm/tags -# github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250902070957-ff08ef4190df +# github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903065916-8e6032eb99c7 # github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250902070957-ff08ef4190df