diff --git a/server/oauth2.go b/server/oauth2.go
index 3d9cfc8f..a7649b25 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -17,6 +17,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -524,6 +525,15 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques
 		unrecognized []string
 		invalidScopes []string
 	)
+
+	if len(client.DefaultScopes) > 0 {
+		for _, scope := range client.DefaultScopes {
+			if !slices.Contains(scopes, scope) {
+				scopes = append(scopes, scope)
+			}
+		}
+	}
+
 	hasOpenIDScope := false
 	for _, scope := range scopes {
 		switch scope {
diff --git a/storage/storage.go b/storage/storage.go
index 03883ef5..e2730a91 100644
--- a/storage/storage.go
+++ b/storage/storage.go
@@ -171,6 +171,9 @@ type Client struct {
 	// Name and LogoURL used when displaying this client to the end user.
 	Name string `json:"name" yaml:"name"`
 	LogoURL string `json:"logoURL" yaml:"logoURL"`
+
+	// The set of OAuth2 scopes requested by default.
+	DefaultScopes []string `json:"defaultScopes" yaml:"defaultScopes"`
 }
 
 // Claims represents the ID Token claims supported by the server.
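Review bot: The configured defaults are merged into every authorization request, including one that explicitly lists its own scopes, so a client asking for a narrower set than its DefaultScopes silently ends up with the broader one in the scope loop that follows the merge; if "default" is meant in the usual sense of "used when the request carries no scope", the merge should be guarded with `if len(scopes) == 0 {` rather than `if len(client.DefaultScopes) > 0 {`, and if the always-merge behaviour is intended it needs a comment at the merge point, e.g. `// Client-configured default scopes are always added to the requested set; the loop below validates them like any requested scope.`. Either way the `len(client.DefaultScopes) > 0` guard is redundant, since ranging over a nil or empty slice does nothing, and the bare `for` loop reads more clearly. The merge happens before the `hasOpenIDScope` check, so presumably a default of "openid" makes every request pass that check — worth confirming that is the intent. parseAuthorizationRequest begins and ends outside this hunk, so where `scopes` is populated is not visible here.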
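Review bot: The doc comment on the new `DefaultScopes` field does not say whether these scopes are added on top of the ones a request asks for or only used when the request omits `scope`, and that distinction decides how much access an operator grants by configuring the field. The comment should also start with the field name per Go convention; something like `// DefaultScopes are OAuth2 scopes added to every authorization request for this client, in addition to any the request itself lists.` (adjusted if the server-side merge is made conditional on an empty request). The Client struct continues outside this hunk.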