diff --git a/server/handlers.go b/server/handlers.go
index 02c1881b85e53ca5e95a31c47ba8d497366dcb38..ff9444fe6757208fc8632e240576b0ecfe6cb82b 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -537,7 +537,7 @@ func (s *Server) handleRefreshToken(w http.ResponseWriter, r *http.Request, clie
 
 	scopes := refresh.Scopes
 	if scope != "" {
-		requestedScopes := strings.Split(scope, " ")
+		requestedScopes := strings.Fields(scope)
 		var unauthorizedScopes []string
 
 		for _, s := range requestedScopes {
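Review bot: A `scope` value made up only of whitespace still passes the `scope != ""` guard, but `strings.Fields` returns an empty slice for it, so the loop flags nothing as unauthorized. If the code after this hunk assigns `requestedScopes` to `scopes` (not visible here), the refreshed token would carry no scopes instead of falling back to `refresh.Scopes`. Guarding on the parsed result avoids that: `if requestedScopes := strings.Fields(scope); len(requestedScopes) > 0 {`. Separately, `strings.Fields` splits on every Unicode whitespace character, whereas RFC 6749 section 3.3 delimits scopes with a single space (0x20) only. The same holds for the call in `parseAuthorizationRequest` in server/oauth2.go, so a short comment at both call sites saying the relaxation is deliberate would help the next reader.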
diff --git a/server/oauth2.go b/server/oauth2.go
index 61f6a923dca062b166bb78d6a7d28fadd00b2371..e8ace97d227ee9340bd790710402168a80e8f790 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -213,7 +213,7 @@ func parseAuthorizationRequest(s storage.Storage, supportedResponseTypes map[str
 		return &authErr{state, redirectURI, typ, fmt.Sprintf(format, a...)}
 	}
 
-	scopes := strings.Split(r.Form.Get("scope"), " ")
+	scopes := strings.Fields(r.Form.Get("scope"))
 
 	var (
 		unrecognized  []string
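Review bot: With `strings.Fields`, a missing or blank `scope` parameter now yields a zero-length `scopes` slice where `strings.Split` produced a single empty-string element. Any rejection that used to happen because `""` ended up in `unrecognized` would no longer fire. The required-scope validation that presumably follows this hunk (outside the visible lines) should therefore be confirmed to reject an empty slice. Once that is verified, a comment such as `// Fields tolerates leading and repeated spaces sent by some clients; an empty result is rejected below.` would record the intent, and a test case for an authorization request with a blank scope would pin it.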
diff --git a/server/server_test.go b/server/server_test.go
index 13f46ac1145400dbbac931ac7e45ef302a1ca2ec..35bcf8a35fcb60c5b2e71cbaa0fa4f62b84e8e89 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -195,6 +195,34 @@ func TestOAuth2CodeFlow(t *testing.T) {
 				return nil
 			},
 		},
+		{
+			name: "refresh with extra spaces",
+			handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
+				v := url.Values{}
+				v.Add("client_id", clientID)
+				v.Add("client_secret", clientSecret)
+				v.Add("grant_type", "refresh_token")
+				v.Add("refresh_token", token.RefreshToken)
+
+				// go-oidc adds an additional space before scopes when refreshing.
+				// Since we support that client we choose to be more relaxed about
+				// scope parsing, disregarding extra whitespace.
+				v.Add("scope", " "+strings.Join(requestedScopes, " "))
+				resp, err := http.PostForm(p.TokenURL, v)
+				if err != nil {
+					return err
+				}
+				defer resp.Body.Close()
+				if resp.StatusCode != http.StatusOK {
+					dump, err := httputil.DumpResponse(resp, true)
+					if err != nil {
+						panic(err)
+					}
+					return fmt.Errorf("unexpected response: %s", dump)
+				}
+				return nil
+			},
+		},
 		{
 			name: "refresh with unauthorized scopes",
 			handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
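Review bot: The new "refresh with extra spaces" case only checks for HTTP 200, so it would still pass if the server accepted the request but granted a different scope set than the one requested. Asserting on the scopes actually granted, compared against `requestedScopes`, would pin the behaviour the parser change is meant to provide. In the error branch, `panic(err)` after a failed `httputil.DumpResponse` aborts the whole test binary; `return fmt.Errorf("dump response: %v", err)` keeps the failure scoped to this case. `http.PostForm` also uses the default client with no timeout, so a stalled server would hang the run.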