diff --git a/kanidm_book/src/oauth2.md b/kanidm_book/src/oauth2.md
index 239a9c2fc..697b03dd6 100644
--- a/kanidm_book/src/oauth2.md
+++ b/kanidm_book/src/oauth2.md
@@ -188,13 +188,15 @@ or with an appropriate include.
 OIDCRedirectURI http://resource.example.com/protected/redirect_uri
 OIDCCryptoPassphrase
 OIDCProviderMetadataURL https://kanidm.example.com/oauth2/openid//.well-known/openid-configuration
- OIDCScope "openid other_scopes"
+ OIDCScope "openid"
 OIDCUserInfoTokenMethod authz_header
 OIDCClientID
 OIDCClientSecret
 OIDCPKCEMethod S256
 OIDCCookieSameSite On
+Other scopes can be added as required to the `OIDCScope` line, eg: `OIDCScope "openid scope2 scope3"`
+
 In the virtual host, to protect a location:
diff --git a/kanidmd/src/lib/core/https/oauth2.rs b/kanidmd/src/lib/core/https/oauth2.rs
index da10f69e9..11fb38503 100644
--- a/kanidmd/src/lib/core/https/oauth2.rs
+++ b/kanidmd/src/lib/core/https/oauth2.rs
@@ -241,6 +241,11 @@ async fn oauth2_authorise(
 Ok(tide::Response::new(tide::StatusCode::Unauthorized))
 }
 Err(e) => {
+ admin_error!(
+ "Unable to authorise - Error ID: {} error: {}",
+ &hvalue,
+ &e.to_string()
+ );
 redir_url
 .query_pairs_mut()
 .clear()
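Review bot: The new `admin_error!` call in the `Err(e)` arm formats through `&e.to_string()`, which allocates a `String` only to hand it to a `{}` placeholder; since `to_string()` already requires `Display`, the error can be passed directly, and the `&` on `hvalue` is also unnecessary because format macros take their arguments by reference: `admin_error!("Unable to authorise - Error ID: {} error: {}", hvalue, e);`. If the `Display` output of `e` can embed request-supplied values (a redirect URI or `state` parameter, for instance), this line copies attacker-influenced text into the admin log, so it is worth confirming that the log sink delimits or escapes it — the error type's `Display` impl is not visible in this hunk, so this is an assumption to check. `oauth2_authorise` starts before this hunk and the `redir_url.query_pairs_mut()` chain continues past it.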