diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index d98b7b38f64035e04ea286829ffb3b5c8403ac2f..f56bf1de8f822bd7c6675dbe914eb5536845207c 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -13,6 +13,9 @@ Fixed
 ~~~~~
 
 * [Docker] Stop initialisation if migrations fail
+* [OAuth] Register `groups` scope and fix claim
+* [OAuth] Fix OAuth claims for follow-up requests (e.g. UserInfo)
+* [OAuth] Fix grant types checking failing on wrong types under some circumstances
 
 `2.2`_ - 2021-11-29
 -------------------
diff --git a/aleksis/core/apps.py b/aleksis/core/apps.py
index f1eb2ce95c8900f2ed22996316d0b5da71b5f0f6..2af102477a08571dfe5f3968eefcc8b3e805e0ff 100644
--- a/aleksis/core/apps.py
+++ b/aleksis/core/apps.py
@@ -153,5 +153,6 @@ class CoreConfig(AppConfig):
                 "address": _("Full home postal address"),
                 "email": _("Email address"),
                 "phone": _("Home and mobile phone"),
+                "groups": _("Groups"),
             }
         return scopes
diff --git a/aleksis/core/models.py b/aleksis/core/models.py
index ba1f506cb210ff282f8a198fe1f51a74525edc5f..3ce728b7c67d853fd4f7156beb4afa1ad207b50c 100644
--- a/aleksis/core/models.py
+++ b/aleksis/core/models.py
@@ -1132,7 +1132,7 @@ class OAuthApplication(AbstractApplication):
     def allows_grant_type(self, *grant_types: set[str]) -> bool:
         allowed_grants = get_site_preferences()["auth__oauth_allowed_grants"]
 
-        return bool(set(allowed_grants) & grant_types)
+        return bool(set(allowed_grants) & set(grant_types))
 
 
 class OAuthGrant(AbstractGrant):
diff --git a/aleksis/core/util/auth_helpers.py b/aleksis/core/util/auth_helpers.py
index 21acddda5acef95d6fa7c9636e999717d899ca0b..e0cfcc778a55563e91ecf4d0d1027227e01a99b3 100644
--- a/aleksis/core/util/auth_helpers.py
+++ b/aleksis/core/util/auth_helpers.py
@@ -47,11 +47,15 @@ class CustomOAuth2Validator(OAuth2Validator):
         django_request = HttpRequest()
         django_request.META = request.headers
 
+        scopes = request.scopes.copy()
+        if request.access_token:
+            scopes += request.access_token.scope.split(" ")
+
         claims = {
             "preferred_username": request.user.username,
         }
 
-        if "profile" in request.scopes:
+        if "profile" in scopes:
             if has_person(request.user):
                 claims["given_name"] = request.user.person.first_name
                 claims["family_name"] = request.user.person.last_name
@@ -66,13 +70,13 @@ class CustomOAuth2Validator(OAuth2Validator):
                 claims["given_name"] = request.user.first_name
                 claims["family_name"] = request.user.last_name
 
-        if "email" in request.scopes:
+        if "email" in scopes:
             if has_person(request.user):
                 claims["email"] = request.user.person.email
             else:
                 claims["email"] = request.user.email
 
-        if "address" in request.scopes and has_person(request.user):
+        if "address" in scopes and has_person(request.user):
             claims["address"] = {
                 "street_address": request.user.person.street
                 + " "
@@ -81,8 +85,10 @@ class CustomOAuth2Validator(OAuth2Validator):
                 "postal_code": request.user.person.postal_code,
             }
 
-        if "groups" in request.scopes and has_person(request.user):
-            claims["groups"] = request.user.person.groups.values_list("name", flat=True).all()
+        if "groups" in scopes and has_person(request.user):
+            claims["groups"] = list(
+                request.user.person.member_of.values_list("name", flat=True).all()
+            )
 
         return claims