diff --git a/infra/base/authentik/bootstrap-prod.yaml b/infra/base/authentik/bootstrap-prod.yaml
index 6250a8c..213b756 100644
--- a/infra/base/authentik/bootstrap-prod.yaml
+++ b/infra/base/authentik/bootstrap-prod.yaml
@@ -55,26 +55,60 @@ entries:
 model: authentik_providers_oauth2.scopemapping
 identifiers:
 scope_name: openid
+attrs:
+name: "openid"
+expression: |
+return {
+"sub": user.uid,
+"iss": request.build_absolute_uri("/"),
+}
 - id: scope_profile
 model: authentik_providers_oauth2.scopemapping
 identifiers:
 scope_name: profile
+attrs:
+name: "profile"
+expression: |
+return {
+"name": user.name,
+"given_name": user.name,
+"preferred_username": user.username,
+"nickname": user.username,
+"groups": [group.name for group in request.user.ak_groups.all()]
+}
 - id: scope_email
 model: authentik_providers_oauth2.scopemapping
 identifiers:
 scope_name: email
+attrs:
+name: "email"
+expression: |
+return {
+"email": user.email,
+"email_verified": True
+}
 - id: scope_groups
 model: authentik_providers_oauth2.scopemapping
 identifiers:
 scope_name: groups
+attrs:
+name: "groups"
+expression: |
+return {
+"groups": [group.name for group in request.user.ak_groups.all()]
+}
 - id: scope_offline
 model: authentik_providers_oauth2.scopemapping
 identifiers:
 scope_name: offline_access
+attrs:
+name: "offline_access"
+expression: |
+return {}
 # Helper finders
 - id: default_signing_key
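Review bot: The `profile` scope mapping added in this hunk returns a `groups` claim, so any client that requests the standard `profile` scope receives full group membership even though a dedicated `groups` scope mapping is defined a few entries further down for exactly that purpose. Removing the line `"groups": [group.name for group in request.user.ak_groups.all()]` from the profile expression keeps group disclosure behind the opt-in `groups` scope, drops the duplicated list comprehension, and leaves `profile` with the claims relying parties expect from it. Separately, the `email` mapping hard-codes `"email_verified": True`; relying parties commonly use that claim to decide whether an address can be trusted for account linking, so this is only sound if every address on these users is actually verified before they can sign in, and a comment above that expression stating the assumption would make it auditable. The expressions also mix `user.*` (`uid`, `name`, `email`) with `request.user.*` (`ak_groups`) for what appears to be the same principal, so settling on one form across all five mappings would make them easier to review; the `entries:` list continues outside the hunk.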