diff --git a/ops/keycloak/forgejo.tf b/ops/keycloak/forgejo.tf
index 247aa4595..08c69999e 100644
--- a/ops/keycloak/forgejo.tf
+++ b/ops/keycloak/forgejo.tf
@@ -8,8 +8,9 @@ resource "keycloak_openid_client" "forgejo" {
   base_url = "https://git.snix.dev"
   description = "snix project's code browsing, search and issue tracker"
-  direct_access_grants_enabled = true
-  exclude_session_state_from_auth_response = false
+
+  // disable full scope, roles are assigned via keycloak_generic_client_role_mapper
+  full_scope_allowed = false
   valid_redirect_uris = [
     "https://git.snix.dev/*",
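Review bot: The comment added above `full_scope_allowed = false` attributes role assignment to `keycloak_generic_client_role_mapper`, but no resource of that type appears in this commit; the roles that actually reach the token are produced by the `keycloak_openid_hardcoded_role_protocol_mapper` and `keycloak_openid_user_client_role_protocol_mapper` added in the next hunk. Unless a generic client role mapper exists elsewhere in the module, the comment points the next maintainer at the wrong resource; suggest `// disable full scope: only this client's own roles and explicit scope mappings are emitted, so roles of other clients/realm roles stay out of the forgejo_roles claim`. The hunk also drops `direct_access_grants_enabled = true`, so the provider default now applies and the password grant is presumably no longer offered to this client; a one-line comment recording that this was deliberate would keep it from being re-enabled by accident.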
@@ -20,8 +21,41 @@ resource "keycloak_openid_client" "forgejo" {
   ]
 }
-# resource "keycloak_role" "forgejo_admin" {
-# }
-#
-# resource "keycloak_role" "forgejo_trusted_contributor" {
-# }
+resource "keycloak_role" "forgejo_admin" {
+  realm_id = keycloak_realm.snix.id
+  client_id = keycloak_openid_client.forgejo.id
+  name = "Admin"
+  description = "Forgejo site admin and Snix Org Owner"
+}
+
+resource "keycloak_role" "forgejo_snix_contributors" {
+  realm_id = keycloak_realm.snix.id
+  client_id = keycloak_openid_client.forgejo.id
+  name = "Contributors"
+  description = "Snix contributors"
+}
+
+
+# Add the "Contributors" role to all users
+resource "keycloak_openid_hardcoded_role_protocol_mapper" "forgejo_hardcoded_role_mapper" {
+  realm_id = keycloak_realm.snix.id
+  client_id = keycloak_openid_client.forgejo.id
+  name = "add forgejo contributors"
+  role_id = keycloak_role.forgejo_snix_contributors.id
+}
+
+# Expose the above two roles at `forgejo_roles`
+resource "keycloak_openid_user_client_role_protocol_mapper" "forgejo_role_mapper" {
+  realm_id = keycloak_realm.snix.id
+  client_id = keycloak_openid_client.forgejo.id
+  name = "forgejo_roles mapper"
+
+  claim_name = "forgejo_roles"
+  claim_value_type = "String"
+  add_to_id_token = true
+  add_to_access_token = true
+  multivalued = true
+
+  # https://github.com/keycloak/terraform-provider-keycloak/issues/1016
+  client_id_for_role_mappings = keycloak_openid_client.forgejo.client_id
+}
diff --git a/ops/keycloak/permissions.tf b/ops/keycloak/permissions.tf
index f32bb60a5..d5c833e62 100644
--- a/ops/keycloak/permissions.tf
+++ b/ops/keycloak/permissions.tf
@@ -28,7 +28,7 @@ resource "keycloak_group_roles" "snix_core_team_roles" {
     # keycloak_role.is_local_admin,
     # keycloak_role.can_manage_snix,
     keycloak_role.grafana_admin.id,
-    # keycloak_role.forgejo_admin.id,
+    keycloak_role.forgejo_admin.id,
     # keycloak_role.gerrit_admin.id
   ]
 }
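Review bot: `forgejo_hardcoded_role_mapper` injects the `Contributors` role into the token of every user who authenticates through this client regardless of group membership, and the forgejo.nix hunk maps that value onto the `snix` org's `Contributors` team, so team membership follows "has a realm account" rather than an explicit grant. If the realm allows self-registration or carries accounts for other services, consider assigning the role through a group instead, as `keycloak_group_roles.snix_core_team_roles` already does for `forgejo_admin` in the permissions.tf hunk, or at least record in the comment that the team is intended to be low-privilege. In `forgejo_role_mapper`, `add_to_access_token = true` also places the role names in access tokens presented to other resource servers, while the Forgejo login flow appears to consume only the ID token/userinfo; if nothing else reads them, `add_to_access_token = false` keeps the claim where it is needed.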
diff --git a/ops/modules/forgejo.nix b/ops/modules/forgejo.nix
index 3bc0aaedd..06ac89a8f 100644
--- a/ops/modules/forgejo.nix
+++ b/ops/modules/forgejo.nix
@@ -141,7 +141,6 @@ in
           REGISTER_EMAIL_CONFIRM = false;
           ACCOUNT_LINKING = "login";
           USERNAME = "nickname";
-          OPENID_CONNECT_SCOPES = "email profile";
         };
         repository = {
@@ -260,7 +259,6 @@ in
           CLIENT_ID="forgejo"
           CLIENT_SECRET=$(cat ${config.age.secrets.forgejo-oauth-secret.path})
           DISCOVERY_URL="https://auth.snix.dev/realms/snix-project/.well-known/openid-configuration"
-          SCOPES=("openid" "profile" "email")
           # Check if the OAuth2 source already exists
           if gitea admin auth list | grep -q "$NAME"; then
@@ -275,8 +273,10 @@ in
             --key "$CLIENT_ID" \
             --secret "$CLIENT_SECRET" \
             --auto-discover-url "$DISCOVERY_URL" \
-            $(printf -- '--scopes "%s" ' "''${SCOPES[@]}") \
-            --icon-url "$ICON_URL"
+            --group-claim-name forgejo_roles \
+            --admin-group Admin \
+            --group-team-map '{"Admin":{"snix":["Owners"]},"Contributors":{"snix": ["Contributors"]}}' \
+            --group-team-map-removal true
           echo "OAuth2 source '$NAME' added successfully."
         '';
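Review bot: The new `--group-claim-name`, `--admin-group` and `--group-team-map` flags in the last hunk are passed only to the `add-oauth` invocation, which, judging by the `if gitea admin auth list | grep -q "$NAME"; then` guard in the previous hunk, runs only when the source does not exist yet; on an already-provisioned host the existing source would keep its old settings and nobody would receive the Admin/Owners mapping. The branch taken when the source exists is outside the hunk, so this is inferred; if it does not call `update-oauth` with the same group flags, it should, so the mapping converges on every activation. `--icon-url "$ICON_URL"` is removed while the `ICON_URL` assignment is not visible in the diff; if it is still set above, it is now dead and can go. The surrounding script body starts before and ends after the hunk.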