diff --git a/oidc_cli/oidc_impl/client/client.go b/oidc_cli/oidc_impl/client/client.go
index 1d7e4688..15743108 100644
--- a/oidc_cli/oidc_impl/client/client.go
+++ b/oidc_cli/oidc_impl/client/client.go
@@ -36,7 +36,7 @@ type Config struct {
 }
 
 // NewClient returns a new client
-func NewClient(ctx context.Context, config *Config, clientOptions ...Option) (*Client, error) {
+func NewClient(ctx context.Context, config *Config, scopes []string, clientOptions ...Option) (*Client, error) {
 	provider, err := oidc.NewProvider(ctx, config.IssuerURL)
 	if err != nil {
 		return nil, errors.Wrap(err, "could not create oidc provider")
@@ -47,16 +47,20 @@ func NewClient(ctx context.Context, config *Config, clientOptions ...Option) (*C
 		return nil, err
 	}
 
-	oauthConfig := &oauth2.Config{
-		ClientID: config.ClientID,
-		RedirectURL: fmt.Sprintf("http://localhost:%d", server.GetBoundPort()),
-		Endpoint: provider.Endpoint(),
-		Scopes: []string{
+	if len(scopes) == 0 {
+		scopes = []string{
 			oidc.ScopeOpenID,
 			oidc.ScopeOfflineAccess,
 			"email",
 			"groups",
-		},
+		}
+	}
+
+	oauthConfig := &oauth2.Config{
+		ClientID: config.ClientID,
+		RedirectURL: fmt.Sprintf("http://localhost:%d", server.GetBoundPort()),
+		Endpoint: provider.Endpoint(),
+		Scopes: scopes,
 	}
 
 	oidcConfig := &oidc.Config{
diff --git a/oidc_cli/oidc_impl/token_getter.go b/oidc_cli/oidc_impl/token_getter.go
index a6bda730..20e0d369 100644
--- a/oidc_cli/oidc_impl/token_getter.go
+++ b/oidc_cli/oidc_impl/token_getter.go
@@ -17,7 +17,7 @@ const (
 
 // GetToken gets an oidc token.
 // It handles caching with a default cache and keyring storage.
-func GetToken(ctx context.Context, clientID string, issuerURL string, clientOptions ...client.Option) (*client.Token, error) {
+func GetToken(ctx context.Context, clientID string, issuerURL string, scopes []string, clientOptions ...client.Option) (*client.Token, error) {
 	fileLock, err := pidlock.NewLock(lockFilePath)
 	if err != nil {
 		return nil, errors.Wrap(err, "unable to create lock")
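Review bot: The doc comment on NewClient still reads `// NewClient returns a new client` and says nothing about the new scopes parameter, whose empty-means-default behaviour (handled in the following hunk) cannot be seen from the signature alone. I would extend it to `// NewClient returns a new client. scopes are the OAuth2 scopes requested at login; nil or empty selects the default set (openid, offline_access, email, groups).` Since the constructor already accepts functional Option values, a WithScopes option would have avoided breaking every existing NewClient caller, but that is a design choice the commit has made. The function body continues past the end of the hunk.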
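Review bot: A caller-supplied scope list that omits openid is accepted as-is, because the `len(scopes) == 0` fallback only covers the empty case; the request then degrades to plain OAuth2 and the provider issues no ID token, which leaves the oidc.Config being built at the end of the hunk (presumably an ID-token verifier) with nothing to check and the failure surfaces late. I would reject, or repair, a non-empty list that lacks oidc.ScopeOpenID and say why in a comment, as sketched below. The caller's slice is also stored directly in oauthConfig.Scopes, so a later mutation by the caller silently changes what the client requests; `Scopes: append([]string(nil), scopes...)` copies it at this boundary. NewClient continues past the end of the hunk.

```go
	if len(scopes) == 0 {
		scopes = []string{
			// … unchanged: default scope list …
		}
	}
	// Without "openid" this is a plain OAuth2 request and no ID token is
	// issued, so the oidc.Config below would have nothing to verify.
	hasOpenID := false
	for _, s := range scopes {
		if s == oidc.ScopeOpenID {
			hasOpenID = true
			break
		}
	}
	if !hasOpenID {
		return nil, errors.New("scopes must include " + oidc.ScopeOpenID)
	}
	// … unchanged: oauthConfig construction …
```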
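Review bot: The doc comment above GetToken was not updated for the new scopes parameter, so a reader of `// GetToken gets an oidc token.` cannot tell whether scopes may be nil or what is requested in that case. I would add `// scopes selects the OAuth2 scopes to request; nil or empty falls back to the client's default set.` directly under the existing two comment lines. Since the comment also advertises caching, it should say in one sentence how a cached token relates to the scopes passed on this call, because that is the question the new parameter raises. GetToken's body continues past the end of the hunk.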
@@ -34,7 +34,7 @@ func GetToken(ctx context.Context, clientID string, issuerURL string, clientOpti
 		},
 	}
 
-	c, err := client.NewClient(ctx, conf, clientOptions...)
+	c, err := client.NewClient(ctx, conf, scopes, clientOptions...)
 	if err != nil {
 		return nil, errors.Wrap(err, "Unable to create client")
 	}
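Review bot: scopes now reaches client.NewClient, but the cache lookup that this function's doc comment describes is not visible in the hunk, and if that cache is keyed only on clientID and issuerURL a token minted for one scope set will be handed back to a caller that asked for a different, possibly narrower, one. The requested scope list should be part of the cache key, or a cached token should be checked against the requested scopes before it is returned, so that changing scopes between invocations actually changes what is obtained. I cannot confirm the key from this hunk, so treat this as something to verify in the cache code rather than a proven defect. GetToken starts and ends outside the hunk.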