diff --git a/Enabling-SSO-support-using-OpenId-Connect.md b/Enabling-SSO-support-using-OpenId-Connect.md
index ddcb026..f0745a7 100644
--- a/Enabling-SSO-support-using-OpenId-Connect.md
+++ b/Enabling-SSO-support-using-OpenId-Connect.md
@@ -18,7 +18,7 @@ The following configurations are available
   - The URL must not include the `/.well-known/openid-configuration`
   - `${SSO_AUTHORITY}/.well-known/openid-configuration` must return a JSON document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse (with an [HTTP status code 200 OK](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse:~:text=A%20successful%20response%20MUST%20use%20the%20200%20OK%20HTTP%20status%20code)!)
   - `SSO_AUTHORITY` has to match the exact value of the `issuer` field that is returned by that JSON (so take the `issuer` value of the file if you are unsure whether to include a trailing slash or not).
-- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `profile email`)
+- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `profile email`, `openid` is implicit)
 - `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
 - `SSO_PKCE`: Activate PKCE for the Auth Code flow (default `true`).
 - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.