kontext-security · michiosw · May 30, 2026
diff --git a/internal/auth/oidc.go b/internal/auth/oidc.go
@@ -203,24 +203,22 @@ func resolveLoginScopes(scopes []string) []string {
 		baseScopes = identityLoginScopes
 	}
 
-	resolved := append([]string(nil), baseScopes...)
+	resolved := make([]string, 0, len(baseScopes)+len(scopes))
+	seen := make(map[string]struct{}, len(baseScopes)+len(scopes))
+	for _, scope := range baseScopes {
+		resolved = append(resolved, scope)
+		seen[scope] = struct{}{}
+	}
 	for _, scope := range scopes {
-		if !hasScope(resolved, scope) {
-			resolved = append(resolved, scope)
+		if _, ok := seen[scope]; ok {
+			continue
 		}
+		resolved = append(resolved, scope)
+		seen[scope] = struct{}{}
 	}
 	return resolved
 }
 
-func hasScope(scopes []string, scope string) bool {
-	for _, existing := range scopes {
-		if existing == scope {
-			return true
-		}
-	}
-	return false
-}
-
 func applyTokenExtraEmailFallback(session *Session, token *oauth2.Token) {
 	if session.User.Email != "" {
 		return

diff --git a/internal/auth/oidc_test.go b/internal/auth/oidc_test.go
@@ -67,6 +67,23 @@ func TestResolveLoginScopesDeduplicatesDefaultScopes(t *testing.T) {
 	}
 }
 
+func TestResolveLoginScopesDeduplicatesRepeatedCustomScopes(t *testing.T) {
+	t.Parallel()
+
+	input := []string{"gateway:access", "openid", "gateway:access", "profile", "audit:read"}
+	got := resolveLoginScopes(input)
+	want := []string{
+		"openid",
+		"email",
+		"profile",
+		"gateway:access",
+		"audit:read",
+	}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("resolveLoginScopes(%#v) = %#v, want %#v", input, got, want)
+	}
+}
+
 func TestDecodeJWTClaims(t *testing.T) {
 	t.Parallel()