diff --git a/api/common/oidc_types.go b/api/common/oidc_types.go
index 9abc717..4bd4bf7 100644
--- a/api/common/oidc_types.go
+++ b/api/common/oidc_types.go
@@ -44,6 +44,10 @@ type OIDCProviderConfig struct {
 	// +kubebuilder:validation:MinLength=1
 	UsernamePrefix string `json:"usernamePrefix"`
 
+	// ExtraScopes is a list of extra scopes that should be requested from the OIDC provider.
+	// +optional
+	ExtraScopes []string `json:"extraScopes,omitempty"`
+
 	// RoleBindings is a list of subjects with (cluster) role bindings that should be created for them.
 	// Note that the username prefix is added automatically to the subjects' names, it must not be explicitly specified here.
 	RoleBindings []RoleBindings `json:"roleBindings"`
diff --git a/api/common/zz_generated.deepcopy.go b/api/common/zz_generated.deepcopy.go
index 89d22cf..c9e7bf6 100644
--- a/api/common/zz_generated.deepcopy.go
+++ b/api/common/zz_generated.deepcopy.go
@@ -43,6 +43,11 @@ func (in *LocalSecretReference) DeepCopy() *LocalSecretReference {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
 	*out = *in
+	if in.ExtraScopes != nil {
+		in, out := &in.ExtraScopes, &out.ExtraScopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.RoleBindings != nil {
 		in, out := &in.RoleBindings, &out.RoleBindings
 		*out = make([]RoleBindings, len(*in))
diff --git a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
index 6a688ba..fc79718 100644
--- a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
+++ b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
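Review bot: ExtraScopes in the oidc_types.go hunk is accepted without any per-item validation, although an OAuth 2.0 scope token (RFC 6749 §3.3) cannot contain whitespace or a double quote, so a value such as `openid profile` supplied as one element would be forwarded as a single malformed token whose handling then depends entirely on the provider. A per-item pattern and a set list type next to the existing `+optional` marker would reject such values at admission time, e.g. `// +kubebuilder:validation:items:Pattern=^[\x21\x23-\x5B\x5D-\x7E]+$` and `// +listType=set` (pattern constructed from the RFC grammar; confirm that the controller-gen version in use supports the `items:` marker form before relying on it). The field comment should also state whether the base `openid` scope is requested regardless of this list, since nothing in the hunk shows what the default scope set is and operators will otherwise duplicate it. The enclosing `OIDCProviderConfig` struct starts outside the hunk, and the generated CRD manifests later in this diff only carry `type: string` for the items, so they would pick up the constraint on the next regeneration.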
@@ -75,6 +75,12 @@ spec:
               clientID:
                 description: ClientID is the client ID to use for the OIDC provider.
                 type: string
+              extraScopes:
+                description: ExtraScopes is a list of extra scopes that should
+                  be requested from the OIDC provider.
+                items:
+                  type: string
+                type: array
               groupsClaim:
                 default: groups
                 description: |-
diff --git a/api/crds/manifests/core.openmcp.cloud_managedcontrolplanes.yaml b/api/crds/manifests/core.openmcp.cloud_managedcontrolplanes.yaml
index d706659..8615715 100644
--- a/api/crds/manifests/core.openmcp.cloud_managedcontrolplanes.yaml
+++ b/api/crds/manifests/core.openmcp.cloud_managedcontrolplanes.yaml
@@ -59,6 +59,12 @@ spec:
               description: ClientID is the client ID to use for the OIDC provider.
               type: string
+            extraScopes:
+              description: ExtraScopes is a list of extra scopes that
+                should be requested from the OIDC provider.
+              items:
+                type: string
+              type: array
             groupsClaim:
               default: groups
               description: |-