diff --git a/app/controllers/oidc_controller.rb b/app/controllers/oidc_controller.rb
index b322d1f..aa584e2 100644
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -168,6 +168,12 @@ class OidcController < ApplicationController
 end
 end
 
+ # Normalize requested scopes to the set we support. Needed here so claims
+ # validation below can check claim→scope coverage against what will actually
+ # be granted.
+ requested_scopes = scope.split(" ") & SUPPORTED_SCOPES
+ scope = requested_scopes.join(" ")
+
 # Parse claims parameter (JSON string) for OIDC claims request
 # Per OIDC Core §5.5: The claims parameter is a JSON object that requests
 # specific claims to be returned in the id_token and/or userinfo
@@ -291,9 +297,6 @@ class OidcController < ApplicationController
 return
 end
 
- requested_scopes = scope.split(" ") & SUPPORTED_SCOPES
- scope = requested_scopes.join(" ")
-
 unless requested_scopes.include?("openid")
 error_uri = "#{redirect_uri}?error=invalid_scope&error_description=#{CGI.escape("The 'openid' scope is required")}"
 error_uri += "&state=#{CGI.escape(state)}" if state.present?
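Review bot: The relocated `scope.split(" ")` now runs at line 168, and if `scope` can still be nil at that point (request without a scope parameter) it raises NoMethodError and the request ends in a 500 rather than the `invalid_scope` redirect; the old position at line 291 sat after more of the action's validation, and the hunk does not show whether a presence check precedes the new location. If none does, `requested_scopes = scope.to_s.split(" ") & SUPPORTED_SCOPES` keeps the later `unless requested_scopes.include?("openid")` branch as the path that reports the problem. Error precedence also changes as a side effect: a request lacking `openid` now passes through claims validation (and whatever error that redirects with) before the required-scope check in the second hunk fires, so either move that check up next to the normalization or record the intended order in the new comment. The enclosing action starts and ends outside both hunks.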