diff --git a/routers/web/auth/oauth2_provider.go b/routers/web/auth/oauth2_provider.go
index 608f7523b2..1aebc047bd 100644
--- a/routers/web/auth/oauth2_provider.go
+++ b/routers/web/auth/oauth2_provider.go
@@ -111,6 +111,9 @@ func InfoOAuth(ctx *context.Context) {
 accessTokenScope, _ = auth_service.GetOAuthAccessTokenScopeAndUserID(ctx, auths[1])
 }
 }
+
+ // since version 1.22 does not verify if groups should be public-only,
+ // onlyPublicGroups will be set only if 'public-only' is included in a valid scope
 onlyPublicGroups, _ := accessTokenScope.PublicOnly()
 groups, err := oauth2_provider.GetOAuthGroupsForUser(ctx, ctx.Doer, onlyPublicGroups)
 if err != nil {
diff --git a/services/oauth2_provider/access_token.go b/services/oauth2_provider/access_token.go
index ea633e4350..12802a4f4b 100644
--- a/services/oauth2_provider/access_token.go
+++ b/services/oauth2_provider/access_token.go
@@ -188,6 +188,9 @@ func NewAccessTokenResponse(ctx context.Context, grant *auth.OAuth2Grant, server
 }
 if grant.ScopeContains("groups") {
 accessTokenScope := GrantAdditionalScopes(grant.Scope)
+
+ // since version 1.22 does not verify if groups should be public-only,
+ // onlyPublicGroups will be set only if 'public-only' is included in a valid scope
 onlyPublicGroups, _ := accessTokenScope.PublicOnly()
 groups, err := GetOAuthGroupsForUser(ctx, user, onlyPublicGroups)
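Review bot: In InfoOAuth (routers/web/auth/oauth2_provider.go), `onlyPublicGroups, _ := accessTokenScope.PublicOnly()` discards the second return value (presumably an error), so a scope that fails to parse is indistinguishable from one that simply lacks `public-only`, and the new comment does not spell out that this path fails open. With onlyPublicGroups left false, GetOAuthGroupsForUser presumably includes non-public groups in the response, which is the less restrictive outcome for a malformed scope. If that is the intended compatibility behaviour, state it in the comment, e.g. `// NOTE: the second return of PublicOnly() is deliberately ignored; an empty or invalid scope leaves onlyPublicGroups false`; otherwise check the returned value and default to `onlyPublicGroups = true`. The same line and comment appear in NewAccessTokenResponse in services/oauth2_provider/access_token.go, and both function bodies continue outside their hunks.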