diff --git a/contrib/submit_build.py b/contrib/submit_build.py
index ea9cfd83..e8660ca4 100644
--- a/contrib/submit_build.py
+++ b/contrib/submit_build.py
@@ -78,9 +78,8 @@ if not token:
         'nonce': random.randint(100, 10000),
         'scope': ' '.join([
             'openid',
-            'profile',
-            'email',
             'https://id.fedoraproject.org/scope/groups',
+            'https://mbs.fedoraproject.org/oidc/submit-build',
         ]),
         'client_id': 'mbs-authorizer',
     }) + "&redirect_uri=http://localhost:13747/"
diff --git a/module_build_service/auth.py b/module_build_service/auth.py
index 144df004..6d657256 100644
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -102,6 +102,17 @@ def get_user(request):
     if not "active" in data or not data["active"]:
         raise Unauthorized("OIDC token invalid or expired.")
 
+    presented_scopes = data['scope'].split(' ')
+    required_scopes = [
+        'openid',
+        'https://id.fedoraproject.org/scope/groups',
+        'https://mbs.fedoraproject.org/oidc/submit-build',
+    ]
+    for scope in required_scopes:
+        if scope not in presented_scopes:
+            raise Unauthorized("Required OIDC scope %r not present: %r" % (
+                scope, presented_scopes))
+
     try:
         extended_data = _get_user_info(token)
     except Exception as e:
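Review bot: The `nonce` on the hunk's first context line comes from `random.randint(100, 10000)`, a non-cryptographic generator with only about ten thousand possible values, whereas an OIDC nonce exists to bind the ID token to this particular authorization request so it cannot be replayed into another one. Since the request parameters are being edited here anyway, `'nonce': secrets.token_urlsafe(16),` (with `import secrets` at the top of the script) is the appropriate source. This is pre-existing rather than introduced by the commit. The surrounding dict and the `if not token:` block begin before the hunk.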
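Review bot: `data['scope']` on the first added line raises `KeyError` when the introspection response has no `scope` member (it is optional in RFC 7662), so a token that passes the `active` check but omits scopes produces an unhandled error rather than the `Unauthorized` this block otherwise raises; `presented_scopes = set(data.get('scope', '').split())` closes that gap and also tolerates repeated whitespace, which `.split(' ')` would turn into empty entries. The `required_scopes` list is the same three strings that contrib/submit_build.py now requests, so lifting it to a module-level constant such as `REQUIRED_SCOPES` would keep the client and server in step. `get_user` starts before the hunk and continues past it.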