diff --git a/passbook/providers/proxy/migrations/0008_auto_20200930_0810.py b/passbook/providers/proxy/migrations/0008_auto_20200930_0810.py
new file mode 100644
index 000000000..e221c442f
--- /dev/null
+++ b/passbook/providers/proxy/migrations/0008_auto_20200930_0810.py
@@ -0,0 +1,66 @@
+# Generated by Django 3.1.1 on 2020-09-30 08:10
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+SCOPE_PB_PROXY_EXPRESSION = """return {
+    "pb_proxy": {
+        "user_attributes": user.group_attributes()
+    }
+}"""
+
+
+def create_proxy_scope(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from passbook.providers.proxy.models import SCOPE_PB_PROXY, ProxyProvider
+
+    ScopeMapping = apps.get_model("passbook_providers_oauth2", "ScopeMapping")
+
+    ScopeMapping.objects.update_or_create(
+        scope_name=SCOPE_PB_PROXY,
+        defaults={
+            "name": "Autogenerated OAuth2 Mapping: passbook Proxy",
+            "scope_name": SCOPE_PB_PROXY,
+            "description": "",
+            "expression": SCOPE_PB_PROXY_EXPRESSION,
+        },
+    )
+
+    for provider in ProxyProvider.objects.all():
+        provider.set_oauth_defaults()
+        provider.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_providers_proxy", "0007_auto_20200923_1017"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='proxyprovider',
+            name='internal_host_ssl_validation',
+            field=models.BooleanField(
+                default=True, help_text='Validate SSL Certificates of upstream servers', verbose_name='Internal host SSL Validation'),
+        ),
+        migrations.AddField(
+            model_name='proxyprovider',
+            name='basic_auth_enabled',
+            field=models.BooleanField(
+                default=False, help_text='Set a custom HTTP-Basic Authentication header based on values from passbook.', verbose_name='Set HTTP-Basic Authentication'),
+        ),
+        migrations.AddField(
+            model_name='proxyprovider',
+            name='basic_auth_password_attribute',
+            field=models.TextField(
+                blank=True, help_text='User Attribute used for the password part of the HTTP-Basic Header.', verbose_name='HTTP-Basic Password'),
+        ),
+        migrations.AddField(
+            model_name='proxyprovider',
+            name='basic_auth_user_attribute',
+            field=models.TextField(
+                blank=True, help_text="User Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.", verbose_name='HTTP-Basic Username'),
+        ),
+        migrations.RunPython(create_proxy_scope),
+    ]
diff --git a/passbook/providers/proxy/models.py b/passbook/providers/proxy/models.py
index ac01b6572..9d0c23eb8 100644
--- a/passbook/providers/proxy/models.py
+++ b/passbook/providers/proxy/models.py
@@ -24,6 +24,8 @@ from passbook.providers.oauth2.models import (
     ScopeMapping,
 )
 
+SCOPE_PB_PROXY = "pb_proxy"
+
 
 def get_cookie_secret():
     """Generate random 32-character string for cookie-secret"""
@@ -80,7 +82,12 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
         self.jwt_alg = JWTAlgorithms.RS256
         self.rsa_key = CertificateKeyPair.objects.first()
         scopes = ScopeMapping.objects.filter(
-            scope_name__in=[SCOPE_OPENID, SCOPE_OPENID_PROFILE, SCOPE_OPENID_EMAIL]
+            scope_name__in=[
+                SCOPE_OPENID,
+                SCOPE_OPENID_PROFILE,
+                SCOPE_OPENID_EMAIL,
+                SCOPE_PB_PROXY,
+            ]
         )
         self.property_mappings.set(scopes)
         self.redirect_uris = "\n".join(