diff --git a/aleksis/core/models.py b/aleksis/core/models.py
index 279a6fc798b5829fecac5dd09e2287c50ebc816a..ce2c5bb39b8886681dab3d5e1bdae4509f103fe8 100644
--- a/aleksis/core/models.py
+++ b/aleksis/core/models.py
@@ -30,6 +30,7 @@ from django_celery_results.models import TaskResult
 from dynamic_preferences.models import PerInstancePreferenceModel
 from model_utils import FieldTracker
 from model_utils.models import TimeStampedModel
+from multiselectfield import MultiSelectField
 from oauth2_provider.models import (
     AbstractAccessToken,
     AbstractApplication,
@@ -58,6 +59,7 @@ from .mixins import (
     SchoolTermRelatedExtensibleModel,
 )
 from .tasks import send_notification
+from .util.auth_helpers import AppScopes
 from .util.core_helpers import get_site_preferences, now_tomorrow
 from .util.model_helpers import ICONS
 
@@ -1112,6 +1114,9 @@ class OAuthApplication(AbstractApplication):
         max_length=32, choices=AbstractApplication.GRANT_TYPES, blank=True, null=True
     )
 
+    # Optional list of alloewd scopes
+    allowed_scopes = MultiSelectField(choices=list(AppScopes().get_all_scopes().items()))
+
     def allows_grant_type(self, *grant_types: set[str]) -> bool:
         allowed_grants = get_site_preferences()["auth__oauth_allowed_grants"]
 
diff --git a/aleksis/core/views.py b/aleksis/core/views.py
index e507996992e87605adbf170d065ec378f26ab055..83365a514f357dc86632a0d7faeb429f197dc9ad 100644
--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
@@ -1080,7 +1080,13 @@ class OAuth2Update(PermissionRequiredMixin, UpdateView):
         """Return the form class for the application model."""
         return modelform_factory(
             OAuthApplication,
-            fields=("name", "client_id", "client_secret", "client_type", "redirect_uris",),
+            fields=(
+                "name",
+                "client_id",
+                "client_secret",
+                "client_type",
+                "allowed_scopes",
+                "redirect_uris",),
         )