OAuth claims not evaluated correctly

I’ve configured Gitea 1.22.3 with authentication against Nextcloud OAuth2. Using “OpenID Connect” provider and the autodiscovery URL works (I’m using the extended OIDC Identity Provider app), Nextcloud provider with Auth/Token/Profile URL as well.

So Nextcloud SSO mostly works, except for administrator privileges:

“Additional Scopes” is set to “email profile groups”, and “Claim name providing group names” to “groups”. As soon as I configure “Group Claim value for administrator users”, a user's administrator flag will be cleared on his next login.

I cranked up logging to Trace, but didn’t get much more information beyond “Session Authorization: Found user xxx”, “Session Authorization: Logged in user xxx”.

What am I missing?

New information: the connector has even more problems. When I first logged on using SSO, I was asked to password-confirm the assignment to my existing user. Now, a colleague tried the same: he wasn't asked for user assignment, but was logged in with my account.
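A diagnostic step that would narrow down the first symptom (admin flag cleared): inspect the claims the identity provider actually sends and check whether the configured group claim contains the configured admin value in the expected shape. The script below is an added example, not part of the original post and not Gitea's or Nextcloud's code; the claim names, the sample payload and the unsigned stand-in ID token are constructed for illustration, and the token is decoded without signature verification purely to look at its payload (for instance one copied out of a trace log), never to make an authentication decision.

```python
import base64
import json
from typing import Any


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample claims, standing in for what the IdP's userinfo endpoint
# or ID token might carry. Claim names and values are assumptions for this
# example, not something Gitea or Nextcloud is known to emit.
SAMPLE_CLAIMS = {
    "sub": "alice",
    "email": "alice@example.org",
    "groups": ["admin", "developers"],
}

# Constructed, unsigned stand-in for an ID token (the third segment is a dummy).
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "signature-not-checked",
])


def decode_jwt_claims(token: str) -> dict[str, Any]:
    """Decode a JWT payload WITHOUT verifying the signature.

    Only for inspecting what the IdP sent (e.g. a token copied from a trace
    log); never use the result to grant access.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def group_claim_values(claims: dict[str, Any], claim_name: str) -> list[str]:
    """Normalise the group claim to a list of strings.

    IdPs variously emit a JSON array, a single string, or a space/comma
    separated string; a missing claim yields an empty list.
    """
    raw = claims.get(claim_name)
    if raw is None:
        return []
    if isinstance(raw, str):
        return [g for g in raw.replace(",", " ").split() if g]
    if isinstance(raw, list):
        return [str(g) for g in raw]
    return []


def evaluate_admin(claims: dict[str, Any], claim_name: str, admin_group: str) -> dict[str, Any]:
    """Report whether admin_group appears in claim_name, with a diagnosis.

    The comparison is exact (case-sensitive); a case-only mismatch is
    reported separately because it is a common configuration slip.
    """
    groups = group_claim_values(claims, claim_name)
    if claim_name not in claims:
        reason = f"claim {claim_name!r} absent: check that the 'groups' scope is granted"
    elif admin_group in groups:
        reason = "match"
    elif admin_group.lower() in (g.lower() for g in groups):
        reason = "case mismatch between claim value and configured admin group"
    else:
        reason = f"claim present but {admin_group!r} not among {groups}"
    return {"groups": groups, "is_admin": admin_group in groups, "reason": reason}


if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_ID_TOKEN)
    for claim_name, admin_group in [("groups", "admin"), ("groups", "Admin"), ("roles", "admin")]:
        print(claim_name, admin_group, json.dumps(evaluate_admin(claims, claim_name, admin_group)))
```

Run it against a real payload by replacing SAMPLE_CLAIMS with the JSON from the provider's userinfo endpoint (or an ID token from the trace log): an absent claim points at the scope or the IdP app not releasing groups, while a present claim that never matches points at a name or case mismatch between the IdP's group value and the value configured in Gitea.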