diff --git a/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml b/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
index 1a552245..9a1c7ccb 100644
--- a/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
@@ -5,7 +5,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: metis-oidc-secret-ensure-2
+  name: metis-oidc-secret-ensure-3
   namespace: sso
 spec:
   backoffLimit: 0
@@ -79,7 +79,7 @@ spec:
                   -H 'Content-Type: application/json' \
                   -d "${create_payload}" \
                   "$KC_URL/admin/realms/atlas/clients")"
-                if [ "$status" != "201" ] && [ "$status" != "204" ]; then
+                if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
                   echo "Keycloak client create failed (status ${status})" >&2
                   exit 1
                 fi
@@ -93,6 +93,34 @@ spec:
                 exit 1
               fi
 
+              SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
+              if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
+                echo "Keycloak client scope groups not found" >&2
+                exit 1
+              fi
+
+              DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)"
+              OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)"
+
+              if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \
+                && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then
+                status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
+                  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
+                if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
+                  status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
+                    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                    "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
+                  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
+                    echo "Failed to attach groups client scope to metis (status ${status})" >&2
+                    exit 1
+                  fi
+                fi
+              fi
+
               update_payload='{"enabled":true,"clientId":"metis","protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://sentinel.bstein.dev/oauth2/callback"],"webOrigins":["https://sentinel.bstein.dev"],"rootUrl":"https://sentinel.bstein.dev","baseUrl":"/"}'
               status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
                 -H "Authorization: Bearer ${ACCESS_TOKEN}" \