diff --git a/website/source/docs/auth/jwt.html.md b/website/source/docs/auth/jwt.html.md index d6718b800..779db3be7 100644 --- a/website/source/docs/auth/jwt.html.md +++ b/website/source/docs/auth/jwt.html.md @@ -192,6 +192,9 @@ http/https, 127.0.0.1/localhost, port numbers, whether trailing slashes are pres known to work, you can add additional claims bindings and metadata copying. - `bound_audiences` is optional for OIDC roles and typically not required. OIDC providers will use the client_id as the audience and OIDC validation expects this. +- Check your provider for what scopes are required in order to receive all +of the information you need. The scopes "profile" and "groups" often need to be +requested, and can be added by setting `oidc_scopes="profile,groups"` on the role. - If you're seeing claim-related errors in logs, review the provider's docs very carefully to see how they're naming and structuring their claims. Depending on the provider, you may be able to construct a simple `curl` implicit grant request to obtain a JWT that you can inspect. An example
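Review bot: in the added bullet, "The scopes "profile" and "groups" often need to be requested" presents `groups` as if it were a standard scope, but only `profile` is defined by OpenID Connect Core; `groups` is a provider-specific scope, so `oidc_scopes="profile,groups"` will be silently ignored or rejected on providers that do not define it. Suggest rewording so the exact scope names are taken from the provider's documentation (the first sentence of the bullet already says this), and tie "all of the information you need" to the claims the role's bindings reference, since a missing scope shows up as a missing claim rather than an obvious error.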