Correct syntax of HBOX_OIDC_SCOPE?

[jeffscrum]

My OIDC provider requires specifying groups (kanidm). How do I correctly specify the HBOX_OIDC_SCOPE variable in docker-compose?
I tried specifying it with commas, spaces, quotation marks, and various other options. None of the options work. For now, I have disabled group verification and can use oidc.

Even default scopes in compose I have an error (domain has been hidden):

    environment:
.....
    - HBOX_OIDC_SCOPE="openid profile email"

34d8bd28-f30d-4503-bbeb-11e8335e0896 INFO     request [ 936µs | 16.70% / 100.00% ] method: GET | uri: /ui/oauth2?client_id=homebox&code_challenge=SHWq_XlF_vTcMJczrQ-5uP91X4_r8GaI&code_challenge_method=S256&nonce=JTyg5NStMqwCRz82F_ur1TM346de4lNfH4&redirect_uri=https%3A%2F%2Fbox.example.com%2Fapi%2Fv1%2Fusers%2Flogin%2Foidc%2Fcallback&response_type=code&scope=%22openid+profile+email%22&state=eAiTJS5T2BX9Bfi10fnFpzH_9lCLwfssYs | version: HTTP/1.1
34d8bd28-f30d-4503-bbeb-11e8335e0896 INFO     ┝━ ｉ [info]:  | connection_addr: [::ffff:192.168.88.11]:60688 | client_ip_addr: ::ffff:192.168.88.11
34d8bd28-f30d-4503-bbeb-11e8335e0896 INFO     ┝━ pre_validate_client_auth_info [ 398µs | 0.72% / 42.56% ]
34d8bd28-f30d-4503-bbeb-11e8335e0896 INFO     │  ┕━ validate_client_auth_info_to_uat [ 392µs | 41.84% ]
34d8bd28-f30d-4503-bbeb-11e8335e0896 INFO     ┝━ handle_oauth2_authorise [ 381µs | 4.03% / 40.74% ]
34d8bd28-f30d-4503-bbeb-11e8335e0896 INFO     │  ┝━ validate_client_auth_info_to_ident [ 344µs | 36.71% ]
34d8bd28-f30d-4503-bbeb-11e8335e0896 INFO     │  │  ┕━ ｉ [info]: A valid limited session value exists for this token | event_tag_id: 10
34d8bd28-f30d-4503-bbeb-11e8335e0896 INFO     │  ┝━ ｉ [info]: Insecure OAuth2 client configuration - PKCE is not enforced, but client is requesting it! | event_tag_id: 10 | o2rs.name: "homebox"
34d8bd28-f30d-4503-bbeb-11e8335e0896 ERROR    │  ┕━ 🚨 [error]: Invalid OAuth2 request - requested scopes ("openid,email",profile) but ("openid,email") failed to pass validation rules - all must match the regex ^[0-9a-zA-Z_]+$ | event_tag_id: 1
34d8bd28-f30d-4503-bbeb-11e8335e0896 ERROR    ┕━ 🚨 [error]: Unable to authorise - Error ID: 34d8bd28-f30d-4503-bbeb-11e8335e0896 error: invalid_scope

For some reason, openid and email are enclosed in quotation marks.

Homebox version: v0.22.3

[jeffscrum]

I found the answer in one of the closed issues.
The string does not need quotation marks and must contain spaces.

environment:
    - HBOX_OIDC_ALLOWED_GROUPS=homebox_users@idm.kanidm.com
    - HBOX_OIDC_SCOPE=openid profile email groups

And the user for kanidm must contain the domain (see the output of “kanidm person list”)
memberof: homebox_users@idm.kanidm.com.