You can request all the scopes you desire, regardless of whether the user has access to them. Okta will only return the authorized scopes, even if you asked for others.

I believe the Okta provider has some defaults. If you want to totally remove them, you can also create a custom provider based on the current Okta provider and remove the scope parameter completely. NextAuth doesn’t have an internal default for all providers.