diff --git a/internal/oidc/oidc.go b/internal/oidc/oidc.go
index 76600470..69ee1dfa 100644
--- a/internal/oidc/oidc.go
+++ b/internal/oidc/oidc.go
@@ -199,12 +199,20 @@ func FositeOauth2Helper(
 		AccessTokenLifespan:   timeoutsConfiguration.AccessTokenLifespan,
 		RefreshTokenLifespan:  timeoutsConfiguration.RefreshTokenLifespan,
 
-		ScopeStrategy:            fosite.ExactScopeStrategy,
-		AudienceMatchingStrategy: nil,
-		EnforcePKCE:              true,
-		AllowedPromptValues:      []string{"none"},                        // TODO unclear what we should set here
-		RefreshTokenScopes:       []string{coreosoidc.ScopeOfflineAccess}, // as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
-		MinParameterEntropy:      32,                                      // TODO is 256 bits too high?
+		ScopeStrategy: fosite.ExactScopeStrategy,
+		EnforcePKCE:   true,
+
+		// "offline_access" as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+		RefreshTokenScopes: []string{coreosoidc.ScopeOfflineAccess},
+
+		// The default is to support all prompt values from the spec.
+		// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+		// We'll make a best effort to support these by passing the value of this prompt param to the upstream IDP
+		// and rely on its implementation of this param.
+		AllowedPromptValues: nil,
+
+		// Use the fosite default to make it more likely that off the shelf OIDC clients can work with the supervisor.
+		MinParameterEntropy: fosite.MinParameterEntropy,
 	}
 
 	return compose.Compose(