diff --git a/README.md b/README.md
index b4852dce..d69c76e5 100644
--- a/README.md
+++ b/README.md
@@ -176,7 +176,7 @@ OIDC Provider:
 --providers.oidc.issuer-url= Issuer URL [$PROVIDERS_OIDC_ISSUER_URL]
 --providers.oidc.client-id= Client ID [$PROVIDERS_OIDC_CLIENT_ID]
 --providers.oidc.client-secret= Client Secret [$PROVIDERS_OIDC_CLIENT_SECRET]
- --providers.oidc.scopes= Optional additional scopes to request [$PROVIDERS_OIDC_SCOPES]
+ --providers.oidc.scope= Scopes (default: openid, profile, email) [$PROVIDERS_OIDC_SCOPE]
 --providers.oidc.resource= Optional resource indicator [$PROVIDERS_OIDC_RESOURCE]

 Generic OAuth2 Provider:
diff --git a/internal/provider/oidc.go b/internal/provider/oidc.go
index a237ade1..8c4fb6d6 100644
--- a/internal/provider/oidc.go
+++ b/internal/provider/oidc.go
@@ -3,7 +3,6 @@ package provider
 import (
 "context"
 "errors"
- "strings"

 "github.com/coreos/go-oidc"
 "golang.org/x/oauth2"
@@ -11,10 +10,10 @@ import (

 // OIDC provider
 type OIDC struct {
- IssuerURL string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
- ClientID string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
- ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
- AdditionalScopes string `long:"additional-scopes" env:"ADDITIONAL_SCOPES" description:"Additional Scopes"`
+ IssuerURL string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
+ ClientID string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
+ ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
+ Scopes []string `long:"scope" env:"SCOPE" env-delim:"," default:"openid" default:"profile" default:"email" description:"Scopes"`

 OAuthProvider

@@ -48,14 +47,9 @@ func (o *OIDC) Setup() error {
 ClientID: o.ClientID,
 ClientSecret: o.ClientSecret,
 Endpoint: o.provider.Endpoint(),
-
- // "openid" is a required scope for OpenID Connect flows.
- Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+ Scopes: o.Scopes,
 }

- additionalScopes := strings.Split(o.AdditionalScopes, ",")
- o.Config.Scopes = append(o.Config.Scopes, additionalScopes...)
-
 // Create OIDC verifier
 o.verifier = o.provider.Verifier(&oidc.Config{
 ClientID: o.ClientID,
diff --git a/internal/provider/oidc_test.go b/internal/provider/oidc_test.go
index 8b7c9340..6fae9d7e 100644
--- a/internal/provider/oidc_test.go
+++ b/internal/provider/oidc_test.go
@@ -152,10 +152,10 @@ func setupOIDCTest(t *testing.T, bodyValues map[string]map[string]string) (*OIDC

 // Setup provider
 p := OIDC{
- ClientID: "idtest",
- ClientSecret: "sectest",
- IssuerURL: serverURL.String(),
- AdditionalScopes: "groups",
+ ClientID: "idtest",
+ ClientSecret: "sectest",
+ IssuerURL: serverURL.String(),
+ Scopes: []string{"openid profile email groups"},
 }

 // Initialise config/verifier
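Review bot: `Scopes: o.Scopes` in Setup gives up the invariant the removed comment documented — that `oidc.ScopeOpenID` is always requested — because a user-supplied `--providers.oidc.scope` replaces the `default:` list rather than extending it, so a configuration like `--providers.oidc.scope=profile` quietly turns the exchange into a plain OAuth2 flow with no ID token for `o.verifier` to check. Setup should enforce the requirement before building the config, e.g. `if !slices.Contains(o.Scopes, oidc.ScopeOpenID) { return errors.New("oidc: scope list must include openid") }` (a small loop if the module predates Go 1.21), or prepend `oidc.ScopeOpenID` when it is absent. The `description:"Scopes"` tag on the `Scopes` field in the struct hunk could likewise state that `openid` is required so the help text matches the check. Setup's body begins and ends outside the hunk.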
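Review bot: `Scopes: []string{"openid profile email groups"}` in setupOIDCTest is one space-joined element, not the one-scope-per-element slice that the `env-delim:","` and repeated `default:` tags produce in production, so the test exercises a shape the flag parser never yields and passes only because the oauth2 client joins elements with a space when it builds the request. Use `Scopes: []string{"openid", "profile", "email", "groups"},` so the fixture matches a real configuration and would catch any per-element handling added later (such as an `openid` presence check). setupOIDCTest continues outside the hunk.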