It seems that sometimes it is not possible to update the scopes granted to some OAuth application by a user.

If a user has already granted some scopes to an OAuth application and wants to add further scopes by visiting the OAuth endpoint with an update list of scopes to grant, sometimes Quay doesn't show a page asking the user to grant these additional permissions and instead just directly redirecting to the callback URL of the OAuth application without updating the list of granted scopes.

I unfortunately don't have precise reproduction steps, because I have seen this both work and not work for my OAuth applications.

Notably, this seems to be working well on https://docs.quay.io/api/swagger/#!/user/getLoggedInUser when you try to assign the scopes through the UI before trying out some authorized endpoint.