diff --git a/internal/oidc/auth/auth_handler.go b/internal/oidc/auth/auth_handler.go
index 1998b72a..61ab7529 100644
--- a/internal/oidc/auth/auth_handler.go
+++ b/internal/oidc/auth/auth_handler.go
@@ -63,6 +63,9 @@ func NewHandler(
 		// at this time, however we will temporarily grant the scope just in case that changes in a future release of fosite.
 		oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOfflineAccess)
 
+		// Grant the Pinniped STS scope if requested.
+		oidc.GrantScopeIfRequested(authorizeRequester, "pinniped.sts.unrestricted")
+
 		now := time.Now()
 		_, err = oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, &openid.DefaultSession{
 			Claims: &jwt.IDTokenClaims{
diff --git a/internal/oidc/callback/callback_handler.go b/internal/oidc/callback/callback_handler.go
index 3c85ee4c..2cea6c2e 100644
--- a/internal/oidc/callback/callback_handler.go
+++ b/internal/oidc/callback/callback_handler.go
@@ -71,9 +71,10 @@ func NewHandler(
 			return httperr.New(http.StatusBadRequest, "error using state downstream auth params")
 		}
 
-		// Automatically grant the openid and offline_access scopes, but only if they were requested.
+		// Automatically grant the openid, offline_access, and Pinniped STS scopes, but only if they were requested.
 		oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOpenID)
 		oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOfflineAccess)
+		oidc.GrantScopeIfRequested(authorizeRequester, "pinniped.sts.unrestricted")
 
 		token, err := upstreamIDPConfig.ExchangeAuthcodeAndValidateTokens(
 			r.Context(),