diff --git a/go.mod b/go.mod
index 7dd3707a8c..93760e384c 100644
--- a/go.mod
+++ b/go.mod
@@ -335,7 +335,7 @@ require (
 replace (
 github.com/argoproj/argo-workflows/v3 v3.5.13 => github.com/devtron-labs/argo-workflows/v3 v3.5.13
 github.com/cyphar/filepath-securejoin v0.4.1 => github.com/cyphar/filepath-securejoin v0.3.6 // indirect
- github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250901093002-1be330be4db3
+ github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903070246-880420ac3b70
 github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250901093002-1be330be4db3
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1
 )
diff --git a/go.sum b/go.sum
index b30af420d6..1258372ca8 100644
--- a/go.sum
+++ b/go.sum
@@ -237,8 +237,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc h1:VRRKCwnzq
 github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/devtron-labs/argo-workflows/v3 v3.5.13 h1:3pINq0gXOSeTw2z/vYe+j80lRpSN5Rp/8mfQORh8SmU=
 github.com/devtron-labs/argo-workflows/v3 v3.5.13/go.mod h1:/vqxcovDPT4zqr4DjR5v7CF8ggpY1l3TSa2CIG3jmjA=
-github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250901093002-1be330be4db3 h1:7WTBEjb3nhvfAbbYyKYb8oTRRyLQ89mkVCIhKzN7Iu0=
-github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250901093002-1be330be4db3/go.mod h1:9LCkYfiWaEKIBkmxw9jX1GujvEMyHwmDtVsatffAkeU=
+github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903070246-880420ac3b70 h1:0gn36soBjOVtS4Ea5qcyHTAXpPIBFikc1ymR0oDm3xw=
+github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903070246-880420ac3b70/go.mod h1:9LCkYfiWaEKIBkmxw9jX1GujvEMyHwmDtVsatffAkeU=
 github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250901093002-1be330be4db3 h1:jCxpB8+6KD29jenB4SLTimCYzsmazBAPKv6637xRT5M=
 github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250901093002-1be330be4db3/go.mod h1:/Ciy9tD9OxZOWBDPIasM448H7uvSo4+ZJiExpfwBZpA=
 github.com/devtron-labs/go-bitbucket v0.9.60-beta h1:VEx1jvDgdtDPS6A1uUFoaEi0l1/oLhbr+90xOwr6sDU=
diff --git a/vendor/github.com/devtron-labs/authenticator/client/oidcClient.go b/vendor/github.com/devtron-labs/authenticator/client/oidcClient.go
index 551dec305e..9c37b5026d 100644
--- a/vendor/github.com/devtron-labs/authenticator/client/oidcClient.go
+++ b/vendor/github.com/devtron-labs/authenticator/client/oidcClient.go
@@ -41,19 +41,42 @@ func GetSettings(conf *DexConfig) (*oidc.Settings, error) {
 if err != nil {
 return nil, err
 }
+
 settings := &oidc.Settings{
 URL: conf.Url,
 OIDCConfig: oidc.OIDCConfig{CLIClientID: conf.DexClientID,
 ClientSecret: conf.DexClientSecret,
 Issuer: proxyUrl,
 ServerSecret: conf.ServerSecret,
- RequestedScopes: conf.DexScopes,
+ RequestedScopes: conf.GetDexScopes(),
 },
 UserSessionDuration: time.Duration(conf.UserSessionDurationSeconds) * time.Second,
 AdminPasswordMtime: conf.AdminPasswordMtime,
 }
 return settings, nil
 }
+func (conf *DexConfig) GetDexScopes() []string {
+ // passing empty array to get default scopes
+ defaultScopes := oidc.GetScopesOrDefault([]string{})
+ additionalScopes := conf.DexScopes
+
+ occurrenceMap := make(map[string]bool)
+ finalScopes := make([]string, 0, len(defaultScopes)+len(additionalScopes))
+
+ // first add all the default
+ for _, scope := range defaultScopes {
+ occurrenceMap[scope] = true
+ finalScopes = append(finalScopes, scope)
+ }
+ // append extra configs
+ for _, scope := range additionalScopes {
+ if _, exists := occurrenceMap[scope]; !exists {
+ occurrenceMap[scope] = true
+ finalScopes = append(finalScopes, scope)
+ }
+ }
+ return finalScopes
+}
 func getOidcClient(dexServerAddress string, settings *oidc.Settings, userVerifier oidc.UserVerifier, RedirectUrlSanitiser oidc.RedirectUrlSanitiser) (*oidc.ClientApp, func(writer http.ResponseWriter, request *http.Request), error) {
 dexClient := &http.Client{
 Transport: &http.Transport{
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 34688eb133..aec7f390d3 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
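Review bot: GetDexScopes always starts from the library defaults and only appends `conf.DexScopes`, so the configured list can now widen the requested OIDC scopes but cannot replace or narrow them; the old code passed `conf.DexScopes` straight through as `RequestedScopes`, which presumably let an operator override the defaults. If the new behaviour is intended, the exported method should carry a doc comment saying so, e.g. `// GetDexScopes returns the default OIDC scopes followed by any extra scopes from conf.DexScopes, de-duplicated; configured scopes cannot remove a default.` The second loop also accepts empty entries, so a blank element in the configured list would be requested as a scope; `if scope == "" { continue }` at the top of that loop avoids it. The file is vendored, so both changes belong in the authenticator module rather than in this tree.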
@@ -523,7 +523,7 @@ github.com/davecgh/go-spew/spew
 # github.com/deckarep/golang-set v1.8.0
 ## explicit; go 1.17
 github.com/deckarep/golang-set
-# github.com/devtron-labs/authenticator v0.4.35-0.20240809073103-6e11da8083f8 => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250901093002-1be330be4db3
+# github.com/devtron-labs/authenticator v0.4.35-0.20240809073103-6e11da8083f8 => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903070246-880420ac3b70
 ## explicit; go 1.24.0
 github.com/devtron-labs/authenticator/apiToken
 github.com/devtron-labs/authenticator/client
@@ -2654,5 +2654,5 @@ xorm.io/xorm/log
 xorm.io/xorm/names
 xorm.io/xorm/schemas
 xorm.io/xorm/tags
-# github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250901093002-1be330be4db3
+# github.com/devtron-labs/authenticator => github.com/devtron-labs/devtron-services/authenticator v0.0.0-20250903070246-880420ac3b70
 # github.com/devtron-labs/common-lib => github.com/devtron-labs/devtron-services/common-lib v0.0.0-20250901093002-1be330be4db3