diff --git a/lib/Event/InternalTokenRequestedEvent.php b/lib/Event/InternalTokenRequestedEvent.php
index 394d8f5f..02730985 100644
--- a/lib/Event/InternalTokenRequestedEvent.php
+++ b/lib/Event/InternalTokenRequestedEvent.php
@@ -20,6 +20,8 @@ class InternalTokenRequestedEvent extends Event {
 public function __construct(
 private string $targetAudience,
+ private array $extraScopes = [],
+ private string $resource = '',
 ) {
 parent::__construct();
 }
@@ -32,6 +34,14 @@ public function setTargetAudience(string $targetAudience): void {
 $this->targetAudience = $targetAudience;
 }
+ public function getExtraScopes(): array {
+ return $this->extraScopes;
+ }
+
+ public function getResource(): string {
+ return $this->resource;
+ }
+
 public function getToken(): ?Token {
 return $this->token;
 }
diff --git a/lib/Listener/InternalTokenRequestedListener.php b/lib/Listener/InternalTokenRequestedListener.php
index 159b9466..c80453a0 100644
--- a/lib/Listener/InternalTokenRequestedListener.php
+++ b/lib/Listener/InternalTokenRequestedListener.php
@@ -37,12 +37,14 @@ public function handle(Event $event): void {
 }
 $targetAudience = $event->getTargetAudience();
+ $extraScopes = $event->getExtraScopes();
+ $resource = $event->getResource();
 $this->logger->debug('[InternalTokenRequestedListener] received request for audience: ' . $targetAudience);
 // generate a token pair with the Oidc provider app
 $userId = $this->userSession->getUser()?->getUID();
 if ($userId !== null) {
- $ncProviderToken = $this->tokenService->getTokenFromOidcProviderApp($userId, $targetAudience);
+ $ncProviderToken = $this->tokenService->getTokenFromOidcProviderApp($userId, $targetAudience, $extraScopes, $resource);
 if ($ncProviderToken !== null) {
 $event->setToken($ncProviderToken);
 }
diff --git a/lib/Service/TokenService.php b/lib/Service/TokenService.php
index b16ac609..d8906ed7 100644
--- a/lib/Service/TokenService.php
+++ b/lib/Service/TokenService.php
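Review bot: `private array $extraScopes = []` in the constructor hunk and `getExtraScopes(): array` in the following hunk leave the element type undeclared, although the TokenService hunk later joins the entries with `implode(' ', $extraScopes)`, which suggests they are meant to be space-free string scope tokens. Add `/** @param list<string> $extraScopes scope tokens that are space-joined and forwarded to the Oidc provider app */` above the constructor and `/** @return list<string> */` above `getExtraScopes()` so static analysis and event dispatchers know the expected shape. The class body continues outside both hunks.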
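Review bot: The debug line right after the two added assignments still reports only the audience, so a request that also adds scopes or a resource is indistinguishable in the log from a plain one, even though the listener now forwards `$extraScopes` and `$resource` unchanged into `getTokenFromOidcProviderApp`. Extend it to `$this->logger->debug('[InternalTokenRequestedListener] received request for audience: ' . $targetAudience . ', extra scopes: ' . implode(' ', $extraScopes) . ', resource: ' . $resource);` so a broadened token request stays traceable without changing behaviour. `handle()` starts and ends outside the hunk.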
@@ -321,7 +321,7 @@ public function getExchangedToken(string $targetAudience): Token {
 * @param string $targetAudience
 * @return Token|null
 */
- public function getTokenFromOidcProviderApp(string $userId, string $targetAudience): ?Token {
+ public function getTokenFromOidcProviderApp(string $userId, string $targetAudience, array $extraScopes = [], string $resource = ''): ?Token {
 if (!class_exists(\OCA\OIDCIdentityProvider\AppInfo\Application::class)) {
 $this->logger->warning('[TokenService] Failed to get token from Oidc provider app, oidc app is not installed');
 return null;
@@ -336,7 +336,8 @@ public function getTokenFromOidcProviderApp(string $userId, string $targetAudien
 }
 try {
- $generationEvent = new \OCA\OIDCIdentityProvider\Event\TokenGenerationRequestEvent($targetAudience, $userId);
+ $scope = implode(' ', $extraScopes);
+ $generationEvent = new \OCA\OIDCIdentityProvider\Event\TokenGenerationRequestEvent($targetAudience, $userId, $scope, $resource);
 $this->eventDispatcher->dispatchTyped($generationEvent);
 if ($generationEvent->getAccessToken() === null || $generationEvent->getIdToken() === null) {
 $this->logger->debug('[TokenService] The Oidc provider app did not generate any access/id token');
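Review bot: The docblock visible at the top of the hunk (`@param string $targetAudience`, `@return Token|null`) is now stale: the new signature adds `array $extraScopes = []` and `string $resource = ''` but documents neither, and a bare `array` does not tell callers what elements are accepted. Add `@param list<string> $extraScopes scope tokens joined with spaces and passed to the Oidc provider app` and `@param string $resource resource value passed to the Oidc provider app, empty when not set` before `@return`; the second hunk in this file shows the scopes being joined with `implode(' ', …)`, so `list<string>` is the shape actually relied on. Whether the provider app treats an empty `$resource` as absent is not visible here and is worth stating in the comment once confirmed. The method body continues past the hunk.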
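Review bot: `$scope = implode(' ', $extraScopes);` builds a space-delimited scope string, so an entry that is empty or itself contains whitespace is silently passed on as zero or several scopes, and a non-string entry only reaches implode's coercion; nothing in the hunk checks the entries before the string is built. Since the method already returns `null` with a warning on its other failure paths (see the first hunk of this file), rejecting malformed entries the same way keeps the contract consistent and makes an unexpected scope request visible in the log. Whether `TokenGenerationRequestEvent` accepts an empty string for `$scope` and `$resource` as "not set" is not shown in this diff and should be confirmed against the provider app. The `try` block's `catch` lies outside the hunk.
```php
		try {
			// The scope string is space-delimited, so an entry containing
			// whitespace would be read by the provider as several scopes.
			foreach ($extraScopes as $extraScope) {
				if (!is_string($extraScope) || $extraScope === '' || preg_match('/\s/', $extraScope) === 1) {
					$this->logger->warning('[TokenService] Refusing to request a malformed extra scope from the Oidc provider app');
					return null;
				}
			}
			$scope = implode(' ', $extraScopes);
			// … unchanged: TokenGenerationRequestEvent construction, dispatch and token checks …
```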