If I understand correctly, we should replace the fedora scope with both groups and cla in the config file. Is it correct? Is there anything else we need to do?

Correct. As far as I know that should be it.

When I try that, the openid provider returns an error on the callback endoint: error_description=unknown+scope+groups+requested&error=invalid_scope

For development we are using https://iddev.fedorainfracloud.org/ as the provider.

This is the one that's literally in the documentation as an example:

Every service will first list it's base namespace, and then the scope ID and a short summary of the scopes. To get the full scope to request, append the scope ID to the base namespace. So for example, to get the group information, this becomes: https://id.fedoraproject.org/scope/groups

Indeed, it works much better with the prefix :-)
We're also requesting the "openid" scope, is it OK? I don't see it in the wiki page.

Ah, thanks for pointing out I was missing that in the documentation.
That is a required scope yes :).

Given that your pull request is merged, I'm going to remove the scope from all our instances in the coming week.

Is this one right to close now @abompard @puiterwijk ?

I think so.