Crossplane keycloak provider is continuously reconciling ClientDefaultScopes in a loop
Looking at the Crossplane Keycloak provider logs, the ClientDefaultScopes resource is reconciled in a loop, trying to add openid to the defaultScopes list, but Keycloak seems not to accept it:
```
2026-01-26T09:47:38Z DEBUG provider-keycloak Diff detected {"uid": "ebc882d3-4242-42a2-878a-71c31f6dc651", "name": "policy-reporter-default-scopes", "namespace": "keycloak", "gvk": "openidclient.keycloak.m.crossplane.io/v1alpha1, Kind=ClientDefaultScopes", "instanceDiff": "*terraform.InstanceDiff{mu:sync.Mutex{_:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}, Attributes:map[string]*terraform.ResourceAttrDiff{\"default_scopes.#\":*terraform.ResourceAttrDiff{Old:\"3\", New:\"4\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"default_scopes.2170006031\":*terraform.ResourceAttrDiff{Old:\"profile\", New:\"profile\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"default_scopes.31680599\":*terraform.ResourceAttrDiff{Old:\"\", New:\"openid\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"default_scopes.3885137012\":*terraform.ResourceAttrDiff{Old:\"email\", New:\"email\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, \"default_scopes.4033689968\":*terraform.ResourceAttrDiff{Old:\"groups\", New:\"groups\", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, RawConfig:cty.NilVal, RawState:cty.NilVal, RawPlan:cty.NilVal, Meta:map[string]interface {}(nil), Identity:map[string]string(nil)}"}
```
```yaml
spec:
  forProvider:
    clientId: 35b3a339-bd53-4abe-9dfb-1f01ae544dd8
    clientIdRef:
      name: policy-reporter
    defaultScopes:
    - profile
    - openid
    - email
    - groups
    realmId: sylva
  initProvider: {}
  managementPolicies:
  - '*'
  providerConfigRef:
    kind: ProviderConfig
    name: keycloak-provider-config
status:
  atProvider:
    clientId: 35b3a339-bd53-4abe-9dfb-1f01ae544dd8
    defaultScopes:
    - email
    - groups
    - profile
    id: sylva/35b3a339-bd53-4abe-9dfb-1f01ae544dd8
    realmId: sylva
```
It seems openid is added by Keycloak by default, meaning that we should not provide it in the defaultScopes list.
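To make the loop in the log above concrete, here is an added Go simulation (not code from provider-keycloak, upjet or Keycloak) that compares the desired and observed default-scope lists the way a reconciler would. It assumes, as the report infers, that Keycloak attaches openid on its own and never returns it in a client's default-scope list, so a naive comparison finds the same "add openid" diff on every cycle; excluding that server-managed scope from the comparison, or leaving it out of the spec, stops the churn. The function names, the fake server and the sample scope lists are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// implicitScopes lists scopes the server attaches on its own and never reports
// back in a client's default-scope list. Assumption taken from the report:
// Keycloak behaves this way for "openid".
var implicitScopes = map[string]bool{"openid": true}

// ScopeDiff is the update a reconciler would send to the server.
type ScopeDiff struct {
	Add    []string // desired but not observed
	Remove []string // observed but not desired
}

// Empty reports whether the observed state already matches the desired state.
func (d ScopeDiff) Empty() bool { return len(d.Add) == 0 && len(d.Remove) == 0 }

// toSet builds a membership set, optionally dropping implicit scopes.
func toSet(scopes []string, dropImplicit bool) map[string]bool {
	s := make(map[string]bool, len(scopes))
	for _, sc := range scopes {
		if dropImplicit && implicitScopes[sc] {
			continue
		}
		s[sc] = true
	}
	return s
}

// sortedKeys returns the set members in a stable order.
func sortedKeys(s map[string]bool) []string {
	out := make([]string, 0, len(s))
	for k := range s {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// DiffScopes compares spec.forProvider.defaultScopes (desired) with
// status.atProvider.defaultScopes (observed). ignoreImplicit=false mirrors the
// naive comparison behind the loop in the report; ignoreImplicit=true leaves
// server-managed scopes out of the comparison so they can never cause a diff.
func DiffScopes(desired, observed []string, ignoreImplicit bool) ScopeDiff {
	want, have := toSet(desired, ignoreImplicit), toSet(observed, ignoreImplicit)
	var d ScopeDiff
	for _, sc := range sortedKeys(want) {
		if !have[sc] {
			d.Add = append(d.Add, sc)
		}
	}
	for _, sc := range sortedKeys(have) {
		if !want[sc] {
			d.Remove = append(d.Remove, sc)
		}
	}
	return d
}

// applyToFakeServer models a Keycloak that silently drops implicit scopes on
// write (constructed behaviour, matching what the report observes).
func applyToFakeServer(observed []string, d ScopeDiff) []string {
	state := toSet(observed, false)
	for _, sc := range d.Add {
		if !implicitScopes[sc] {
			state[sc] = true
		}
	}
	for _, sc := range d.Remove {
		delete(state, sc)
	}
	return sortedKeys(state)
}

// SimulateReconcile runs up to maxCycles reconciles from the observed state in
// the report and returns how many cycles produced a non-empty diff. A
// converging resource stops producing diffs after its first update; a looping
// one reports a diff on every cycle.
func SimulateReconcile(desired []string, maxCycles int, ignoreImplicit bool) int {
	observed := []string{"email", "groups", "profile"} // status.atProvider from the report
	diffs := 0
	for i := 0; i < maxCycles; i++ {
		d := DiffScopes(desired, observed, ignoreImplicit)
		if d.Empty() {
			break
		}
		diffs++
		observed = applyToFakeServer(observed, d)
	}
	return diffs
}

func main() {
	desired := []string{"profile", "openid", "email", "groups"} // spec.forProvider from the report
	fmt.Println("naive compare, openid in spec:     ", SimulateReconcile(desired, 5, false), "cycles with a diff")
	fmt.Println("naive compare, openid left out:    ", SimulateReconcile([]string{"profile", "email", "groups"}, 5, false), "cycles with a diff")
	fmt.Println("implicit scopes ignored in compare:", SimulateReconcile(desired, 5, true), "cycles with a diff")
}
```

Beyond the wasted reconciles, a resource stuck like this keeps issuing admin-API writes against the identity provider and fills its event log with no-op updates, so counting repeated "Diff detected" lines for the same uid in the provider log is a cheap way to alert on it before it hides a real configuration drift.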