diff --git a/Documentation/connectors/openshift.md b/Documentation/connectors/openshift.md
index c96508464e96d63144f990e8c5eabe1c76bdbe94..bd3df40d7325df98f500b5aa7090437c72ddb860 100644
--- a/Documentation/connectors/openshift.md
+++ b/Documentation/connectors/openshift.md
@@ -6,9 +6,37 @@ Dex can make use of users and groups defined within OpenShift by querying the pl
 
 ## Configuration
 
-Create a new OAuth Client by following the steps described in the documentation for [Registering Additional OAuth Clients](https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth)
 
-This involves creating a resource similar the following
+### Creating an OAuth Client
+
+Two forms of OAuth Clients can be utilized:
+
+* [Using a Service Account as an OAuth Client](https://docs.openshift.com/container-platform/latest/authentication/using-service-accounts-as-oauth-client.html) (Recommended)
+* [Registering An Additional OAuth Client](https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth)
+
+#### Using a Service Account as an OAuth Client
+
+OpenShift Service Accounts can be used as a constrained form of OAuth client. Making use of a Service Account to represent an OAuth Client is the recommended option as it does not require elevated privileged within the OpenShift cluster. Create a new Service Account or make use of an existing Service Account.
+
+Patch the Service Account to add an annotation for location of the Redirect URI
+
+```
+oc patch serviceaccount <name> --type='json' -p='[{"op": "add", "path": "/metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.dex", "value":"https:///<dex_url>/callback"}]'
+```
+
+The Client ID for a Service Account representing an OAuth Client takes the form `
+
+The Client Secret for a Service Account representing an OAuth Client is the long lived OAuth Token that is configued for the Service Account. Execute the following command to retrieve the OAuth Token.
+
+```
+oc serviceaccounts get-token <name>
+```
+
+#### Registering An Additional OAuth Client
+
+Instead of using a constrained form of Service Account to represent an OAuth Client, an additional OAuthClient resource can be created.
+
+Create a new OAuthClient resource similar to the following:
 
 ```yaml
 kind: OAuthClient
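Review bot: The added sentence "The Client ID for a Service Account representing an OAuth Client takes the form `" stops at the opening backtick, so the reader never learns the client ID format. Complete the sentence with the actual form and close the backtick. In the `oc patch` example, the value `"https:///<dex_url>/callback"` has three slashes after the scheme; it should be `https://<dex_url>/callback`, otherwise a copy-pasted annotation will not match the redirect URI Dex sends. Smaller points in the same section: "elevated privileged" should be "elevated privileges", "configued" should be "configured", and "add an annotation for location of the Redirect URI" wants a trailing colon before the code block. Since the text describes the client secret as a long lived token, it is worth one sentence telling the reader to handle the output of `oc serviceaccounts get-token <name>` as a secret.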
@@ -23,6 +51,8 @@ redirectURIs:
 grantMethod: prompt
 ```
 
+### Dex Configuration
+
 The following is an example of a configuration for `examples/config-dev.yaml`:
 
 ```yaml
@@ -46,5 +76,4 @@ connectors:
       # Optional list of required groups a user mmust be a member of
       groups:
         - users
-
 ```
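Review bot: The context line "# Optional list of required groups a user mmust be a member of" contains a typo ("mmust"). Since this hunk already edits the end of the same YAML example, please fix it here rather than leaving it for a follow-up.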
diff --git a/connector/openshift/openshift.go b/connector/openshift/openshift.go
index f3eb53dce9d422e214cbae7f07e031510898f913..e19746941b696458c835b6627f8b15b2343e061d 100644
--- a/connector/openshift/openshift.go
+++ b/connector/openshift/openshift.go
@@ -109,7 +109,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		Endpoint: oauth2.Endpoint{
 			AuthURL: metadata.Auth, TokenURL: metadata.Token,
 		},
-		Scopes:      []string{"user:info", "user:check-access", "user:full"},
+		Scopes:      []string{"user:info"},
 		RedirectURL: c.RedirectURI,
 	}
 	return &openshiftConnector, nil
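Review bot: The narrowed list at `Scopes: []string{"user:info"}` carries no comment explaining why `user:check-access` and `user:full` were dropped, and the connector still enforces group membership from the returned user record (`validateRequiredGroups(user.Groups, c.groups)` in HandleCallback). Please add a short code comment stating the reason (the documentation half of this patch suggests it is to support the constrained Service Account client), mention the requested scope in the connector docs, and add or point to a test showing that `user.Groups` is still populated when only `user:info` is granted. If it is not, the required-groups check would reject every user.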
@@ -168,7 +168,7 @@ func (c *openshiftConnector) HandleCallback(s connector.Scopes, r *http.Request)
 	validGroups := validateRequiredGroups(user.Groups, c.groups)
 
 	if !validGroups {
-		return identity, fmt.Errorf("openshift: user %q is not in any of the required teams", user.Name)
+		return identity, fmt.Errorf("openshift: user %q is not in any of the required groups", user.Name)
 	}
 
 	identity = connector.Identity{