Group Mapping with Authentik not working

Hi!

I’ve successfully set up Authentik (latest version) and Gitea (latest version, Docker container) to allow new users to sign up to Gitea. This already works flawlessly.

However, mapping Authentik users (or groups) to Gitea administration users or restricted users does not work at all. Of course I’ve assigned appropriate users in Authentik groups: gitea-admin, gitea-user.

Both groups are available when testing the Authentik Provider. The JWT payload looks like below and as you might notice, the groups claim contains, e.g. gitea-admin.

```json
{
  "iss": "https:/xxxx/application/o/gitea/",
  "sub": "e0002141415bdd21e84eed840759532387cc90cb3b46d9f003b45627f7ec6a02c4",
  "aud": "hK295242kIkerrOD1Swl0WRwQmamJW1n2JEwG7EXiIF",
  "exp": 1779721710,
  "iat": 1779719910,
  "auth_time": 1779719910,
  "acr": "goauthentik.io/providers/oauth2/default",
  "jti": "Akr5klq9jandfcvHF0iJQSvBszAc6agQutUjacxuCcw",
  "email": "michael@xxxx.de",
  "email_verified": false,
  "gitea": "true",
  "name": "Michael",
  "given_name": "Michael",
  "preferred_username": "Michael",
  "nickname": "Michael",
  "groups": [
    "gitea-admin",
    "authentik Admins"
  ]
}
```

My setup in Gitea is:

| Option | Value |
| --- | --- |
| Authentication Name | Authentik |
| OAuth2 Provider | OpenID Connect |
| Client ID | hK29NUprrOD1Swl0WamJW1nEwG7EXiIF |
| Client Secret | 6LK1UEc0TNy8rMizTETwAJpmmxtOFlLQ3BUk1tk3HMhRUVCj7GWUUrpfKUfA9Z3UF |
| Icon URL | https://xxxxx/static/dist/assets/icons/icon.png |
| Open ID Connect Auto URL | https://xxxxx/application/o/gitea/.well-known/openid-configuration |
| Additional Scopes | email profile gitea groups |
| Full Name | given_name |
| Required Claim Name | gitea |
| Required Claim Value | true |
| Claim Name providing group names | groups |
| Group Claim value for administrators | gitea-admin |
| Group Claim value for restricted users | gitea-user |
| Remove users from synchronized… | True |
| Enable User Synchronization | True |
| This Authentication Source is Activated | True |

As already mentioned, this setup works perfectly, but group mapping fails. Any hint why this currently does not work?
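
A small diagnostic sketch, added here as an example and not part of the original post or Gitea's own code: it decodes a token payload and applies the settings from the table above as plain membership tests, which is an assumed reading of those settings. The function names and the unsigned sample token are constructed for illustration.

```python
import base64
import json

SETTINGS = {  # values copied from the Gitea settings table in the post
    "required_claim_name": "gitea",
    "required_claim_value": "true",
    "group_claim_name": "groups",
    "admin_group": "gitea-admin",
    "restricted_group": "gitea-user",
}

def decode_payload(jwt: str) -> dict:
    """Decode the payload segment of a JWT for inspection only (no signature check)."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def as_string_set(value) -> set:
    """Normalise a claim to a set of strings: lists, comma-separated strings, scalars."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple)):
        return {str(v) for v in value}
    if isinstance(value, bool):  # JSON true/false rather than the string "true"
        return {str(value).lower()}
    return {part.strip() for part in str(value).split(",") if part.strip()}

def evaluate(claims: dict, s: dict = SETTINGS) -> dict:
    """Assumed interpretation of the settings: membership tests on the claims."""
    required = as_string_set(claims.get(s["required_claim_name"]))
    groups = as_string_set(claims.get(s["group_claim_name"]))
    return {
        "login_allowed": s["required_claim_value"] in required,
        "groups_seen": sorted(groups),
        "is_admin": s["admin_group"] in groups,
        "is_restricted": s["restricted_group"] in groups,
    }

def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample: only the claims from the post that matter for the mapping.
SAMPLE = make_unsigned_jwt({"gitea": "true", "groups": ["gitea-admin", "authentik Admins"]})

if __name__ == "__main__":
    print(evaluate(decode_payload(SAMPLE)))
```

Feeding it the claims that actually reach Gitea at login, rather than the provider preview, shows whether the group claim arrives in the form the settings expect.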