diff --git a/crates/config/src/sections/upstream_oauth2.rs b/crates/config/src/sections/upstream_oauth2.rs
index cf02aaa15..aa6a27254 100644
--- a/crates/config/src/sections/upstream_oauth2.rs
+++ b/crates/config/src/sections/upstream_oauth2.rs
@@ -400,6 +400,14 @@ pub struct SignInWithApple {
     pub key_id: String,
 }
 
+fn default_scope() -> String {
+    "openid".to_owned()
+}
+
+fn is_default_scope(scope: &str) -> bool {
+    scope == default_scope()
+}
+
 /// Configuration for one upstream OAuth 2 provider.
 #[skip_serializing_none]
 #[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
@@ -495,6 +503,9 @@ pub struct Provider {
     pub id_token_signed_response_alg: JsonWebSignatureAlg,
 
     /// The scopes to request from the provider
+    ///
+    /// Defaults to `openid`.
+    #[serde(default = "default_scope", skip_serializing_if = "is_default_scope")]
     pub scope: String,
 
     /// How to discover the provider's configuration
diff --git a/docs/config.schema.json b/docs/config.schema.json
index 06fa0e768..def447302 100644
--- a/docs/config.schema.json
+++ b/docs/config.schema.json
@@ -1974,7 +1974,6 @@
       "required": [
         "client_id",
         "id",
-        "scope",
         "token_endpoint_auth_method"
       ],
       "properties": {
@@ -2044,7 +2043,7 @@
           ]
         },
         "scope": {
-          "description": "The scopes to request from the provider",
+          "description": "The scopes to request from the provider\n\nDefaults to `openid`.",
           "type": "string"
         },
         "discovery_mode": {