diff --git a/.changeset/plenty-llamas-double.md b/.changeset/plenty-llamas-double.md
new file mode 100644
index 0000000000..b2691a2f17
--- /dev/null
+++ b/.changeset/plenty-llamas-double.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-node': patch
+---
+
+Fix for persisted scopes not being properly restored on sign-in.
diff --git a/plugins/auth-node/src/oauth/createOAuthRouteHandlers.test.ts b/plugins/auth-node/src/oauth/createOAuthRouteHandlers.test.ts
index 2573d95ea1..7da5519655 100644
--- a/plugins/auth-node/src/oauth/createOAuthRouteHandlers.test.ts
+++ b/plugins/auth-node/src/oauth/createOAuthRouteHandlers.test.ts
@@ -297,7 +297,7 @@ describe('createOAuthRouteHandlers', () => {
 state: encodeOAuthState({
 env: 'development',
 nonce: '123',
- scope: 'my-scope',
+ scope: 'my-scope my-other-scope',
 } as OAuthState),
 });
@@ -310,7 +310,7 @@ describe('createOAuthRouteHandlers', () => {
 accessToken: 'access-token',
 expiresInSeconds: 3,
 idToken: 'id-token',
- scope: 'my-scope',
+ scope: 'my-scope my-other-scope',
 },
 backstageIdentity: {
 identity: {
@@ -324,7 +324,9 @@ describe('createOAuthRouteHandlers', () => {
 });
 expect(getRefreshTokenCookie(agent).value).toBe('refresh-token');
- expect(getGrantedScopesCookie(agent).value).toBe('my-scope');
+ expect(getGrantedScopesCookie(agent).value).toBe(
+ 'my-scope%20my-other-scope',
+ );
 });
 it('should redirect with persisted scope', async () => {
@@ -357,7 +359,7 @@ describe('createOAuthRouteHandlers', () => {
 state: encodeOAuthState({
 env: 'development',
 nonce: '123',
- scope: 'my-scope',
+ scope: 'my-scope my-other-scope',
 flow: 'redirect',
 redirectUrl: 'https://127.0.0.1:3000/redirect',
 } as OAuthState),
@@ -367,7 +369,9 @@ describe('createOAuthRouteHandlers', () => {
 expect(res.get('Location')).toBe('https://127.0.0.1:3000/redirect');
 expect(getRefreshTokenCookie(agent).value).toBe('refresh-token');
- expect(getGrantedScopesCookie(agent).value).toBe('my-scope');
+ expect(getGrantedScopesCookie(agent).value).toBe(
+ 'my-scope%20my-other-scope',
+ );
 });
 it('should require a valid origin', async () => {
diff --git a/plugins/auth-node/src/oauth/createOAuthRouteHandlers.ts b/plugins/auth-node/src/oauth/createOAuthRouteHandlers.ts
index 011b3fc0f0..a455837035 100644
--- a/plugins/auth-node/src/oauth/createOAuthRouteHandlers.ts
+++ b/plugins/auth-node/src/oauth/createOAuthRouteHandlers.ts
@@ -214,7 +214,7 @@ export function createOAuthRouteHandlers(
 // the provider does not return granted scopes on refresh or if they are normalized.
 if (authenticator.shouldPersistScopes && state.scope) {
 cookieManager.setGrantedScopes(res, state.scope, appOrigin);
- result.session.scope = state.scope;
+ response.providerInfo.scope = state.scope;
 }
 if (result.session.refreshToken) {
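Review bot: `state.scope` is the scope that was requested and carried through the OAuth state parameter, and the changed line in createOAuthRouteHandlers.ts now reports it to the client as `response.providerInfo.scope` in place of whatever the provider returned. If a provider grants fewer scopes than were requested, both the response and the granted-scopes cookie would claim scopes the token does not carry. The hunk does not show whether the state value is integrity-protected or compared with the provider's answer, so that is worth confirming. I would add a comment above the assignment such as `// Reports the requested scope from state; this may be broader than what the provider actually granted.` Also, `result.session.scope` is no longer updated here, so any later code that reads it sees the provider's value; the function body continues outside the hunk.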