diff --git a/images/hub/jupyterhub_config.py b/images/hub/jupyterhub_config.py
index 7a125d318a..8ee1694192 100644
--- a/images/hub/jupyterhub_config.py
+++ b/images/hub/jupyterhub_config.py
@@ -139,7 +139,6 @@
     org_whitelist = get_config('auth.github.org_whitelist', [])
     if len(org_whitelist) != 0:
         c.GitHubOAuthenticator.github_organization_whitelist = org_whitelist
-        c.GitHubOAuthenticator.scope = ['read:org'] # required for private membership
 elif auth_type == 'cilogon':
     c.JupyterHub.authenticator_class = 'oauthenticator.CILogonOAuthenticator'
     c.CILogonOAuthenticator.oauth_callback_url = get_config('auth.cilogon.callback-url')
@@ -186,6 +185,10 @@
 else:
     raise ValueError("Unhandled auth type: %r" % auth_type)
 
+auth_scopes = get_config('auth.scopes')
+if auth_scopes:
+    c.OAuthenticator.scope = auth_scopes
+
 c.Authenticator.enable_auth_state = get_config('auth.state.enabled', False)
 
 def generate_user_email(spawner):
diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml
index f15bb03ff8..66684f63c3 100644
--- a/jupyterhub/templates/hub/configmap.yaml
+++ b/jupyterhub/templates/hub/configmap.yaml
@@ -71,6 +71,11 @@ data:
   auth.custom.config : {{ toJson .Values.auth.custom.config | quote }}
   {{- end }}
 
+  {{ if .Values.auth.scopes -}}
+  auth.scopes: |
+{{ toYaml .Values.auth.scopes | indent 4}}
+  {{- end }}
+
   auth.state.enabled: {{ .Values.auth.state.enabled | quote }}
 
   {{ if .Values.singleuser.lifecycleHooks -}}