I found that it is possible to propagate groups from Authenticator
Yes, but it’s up to the authenticator to support this. One option is to extend GenericOAuthenticator to return the group(s).
Alternatively you could try setting the default user scopes: