diff --git a/oidc_cli/oidc_impl/client/client.go b/oidc_cli/oidc_impl/client/client.go
index 1d7e4688..9bce42bb 100644
--- a/oidc_cli/oidc_impl/client/client.go
+++ b/oidc_cli/oidc_impl/client/client.go
@@ -7,6 +7,7 @@ import (
 "fmt"
 "io"
 "os"
+ "strings"
 "time"
 
 "github.com/coreos/go-oidc"
@@ -51,12 +52,7 @@ func NewClient(ctx context.Context, config *Config, clientOptions ...Option) (*C
 ClientID: config.ClientID,
 RedirectURL: fmt.Sprintf("http://localhost:%d", server.GetBoundPort()),
 Endpoint: provider.Endpoint(),
- Scopes: []string{
- oidc.ScopeOpenID,
- oidc.ScopeOfflineAccess,
- "email",
- "groups",
- },
+ Scopes: []string{}, // add through the AddScope clientOption
 }
 
 oidcConfig := &oidc.Config{
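Review bot: Emptying the default scope list drops `oidc.ScopeOpenID`, and nothing in the hunk re-adds it, so a caller that forgets `AddScope(oidc.ScopeOpenID)` sends an authorization request without the `openid` scope and the ID token the `oidcConfig` verifier set up just below expects will not be issued (how clientOptions are applied is outside the hunk, so this is inferred). Keeping the protocol-mandatory scope as the default and leaving only the optional ones to AddScope avoids that: `Scopes: []string{oidc.ScopeOpenID}, // additional scopes through the AddScope clientOption`. Alternatively NewClient could append it after the options have run if it is missing. NewClient's body starts and ends outside the hunk.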
@@ -184,15 +180,31 @@ func (c *Client) ValidateState(ourState []byte, otherState []byte) error {
 }
 return nil
 }
+func format_scopes(ctx context.Context, scopes []string) string {
+ // space-separated string:
+ // https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/#:~:text=with%20the%20service.-,scope,(optional),-Include%20one%20or
+
+ return strings.Join(scopes, "+")
+}
 
 // Exchange will exchange a token
 func (c *Client) Exchange(ctx context.Context, code string, codeVerifier string) (*oauth2.Token, error) {
+ params := []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("grant_type", "authorization_code"),
+ oauth2.SetAuthURLParam("code_verifier", codeVerifier),
+ oauth2.SetAuthURLParam("client_id", c.oauthConfig.ClientID),
+ }
+
+ if len(c.oauthConfig.Scopes) != 0 {
+ scope_str := format_scopes(ctx, c.oauthConfig.Scopes)
+ params = append(params, oauth2.SetAuthURLParam("scopes", scope_str))
+ logrus.Debugf("oauth scopes: %s", scope_str)
+ } else {
+ logrus.Debug("no scopes set")
+ }
 token, err := c.oauthConfig.Exchange(
 ctx,
 code,
- oauth2.SetAuthURLParam("grant_type", "authorization_code"),
- oauth2.SetAuthURLParam("code_verifier", codeVerifier),
- oauth2.SetAuthURLParam("client_id", c.oauthConfig.ClientID),
+ params...,
 )
 return token, errors.Wrap(err, "failed to exchange oauth token")
 }
@@ -221,7 +233,7 @@ func (c *Client) Authenticate(ctx context.Context) (*Token, error) {
 if err != nil {
 return nil, err
 }
-
+ logrus.Debugf("authenticate scopes: %+v", c.oauthConfig.Scopes)
 c.server.Start(ctx, c, oauthMaterial)
 fmt.Fprintf(os.Stderr, "Opening browser in order to authenticate with Okta, hold on a brief second...\n")
 time.Sleep(2 * time.Second)
diff --git a/oidc_cli/oidc_impl/client/config_options.go b/oidc_cli/oidc_impl/client/config_options.go
index b0f89506..b48b3332 100644
--- a/oidc_cli/oidc_impl/client/config_options.go
+++ b/oidc_cli/oidc_impl/client/config_options.go
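Review bot: `format_scopes` joins the scopes with `"+"` although its own comment says the value must be space-separated; because `oauth2.SetAuthURLParam` values are form-encoded on the way out, the server receives a literal plus (`%2B`) between scope names, and the parameter is also sent as `scopes` where the OAuth2 parameter name is `scope`. Change to `return strings.Join(scopes, " ")` and `params = append(params, oauth2.SetAuthURLParam("scope", scope_str))`. Note that RFC 6749 does not define `scope` on the authorization_code token request (the granted scope is fixed by the authorization request, which AuthCodeURL presumably already builds from `c.oauthConfig.Scopes`), so the provider may ignore this parameter entirely; confirm against the IdP before relying on it. Style: `format_scopes` and `scope_str` should be MixedCaps (`formatScopes`, `scopeStr`), the unused `ctx` parameter can go, and the new helper needs a doc comment starting with its name.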
@@ -23,3 +23,18 @@ var SetOauth2AuthStyle = func(authStyle oauth2.AuthStyle) Option {
 c.oauthConfig.Endpoint.AuthStyle = authStyle
 }
 }
+
+// This Helper helps you customize the scopes you're sending. It will format the list of strings
+//
+// example: https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/#:~:text=The%20authorization%20URL%20is%20usually%20in%20a%20format%20such%20as%3A
+var AddScope = func(scope string) Option {
+ return func(c *Client) {
+ c.oauthConfig.Scopes = append(c.oauthConfig.Scopes, scope)
+ }
+}
+
+var AddClientSecret = func(secret string) Option {
+ return func(c *Client) {
+ c.oauthConfig.ClientSecret = secret
+ }
+}
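Review bot: The exported `AddScope` and `AddClientSecret` lack proper doc comments: the one on AddScope does not start with the name and says the option "will format the list of strings", which it does not do (it only appends), and AddClientSecret has none. Suggest `// AddScope returns an Option that appends scope to the scopes requested at authorization; oidc.ScopeOpenID must now be added explicitly because NewClient no longer sets a default.` and `// AddClientSecret returns an Option that sets the OAuth2 client secret used on token exchange. A secret compiled into a distributed CLI is not confidential; public clients should rely on the PKCE code_verifier instead.` Also `AddScope` appends unconditionally, so applying it twice with the same scope sends duplicates — a contains check before the append (or a dedup in NewClient) would avoid that.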