diff --git a/jupyterhub/spawner.py b/jupyterhub/spawner.py
index 1526c2b4..988533a3 100644
--- a/jupyterhub/spawner.py
+++ b/jupyterhub/spawner.py
@@ -329,10 +329,13 @@ class Spawner(LoggingConfigurable):
 
         Default is an empty list, meaning minimal permissions to identify users,
         no actions can be taken on their behalf.
+
+        If callable, will be called with the Spawner as a single argument.
+        Callables may be async.
     """,
     ).tag(config=True)
 
-    def _get_oauth_client_allowed_scopes(self):
+    async def _get_oauth_client_allowed_scopes(self):
         """Private method: get oauth allowed scopes
 
         Handle:
@@ -351,6 +354,8 @@ class Spawner(LoggingConfigurable):
             allowed_scopes = self.oauth_client_allowed_scopes
             if callable(allowed_scopes):
                 allowed_scopes = allowed_scopes(self)
+                if inspect.isawaitable(allowed_scopes):
+                    allowed_scopes = await allowed_scopes
             scopes.extend(allowed_scopes)
 
         if self.oauth_roles:
diff --git a/jupyterhub/user.py b/jupyterhub/user.py
index 4b1397f8..9b366078 100644
--- a/jupyterhub/user.py
+++ b/jupyterhub/user.py
@@ -666,11 +666,12 @@ class User:
         client_id = spawner.oauth_client_id
         oauth_provider = self.settings.get('oauth_provider')
         if oauth_provider:
+            allowed_scopes = await spawner._get_oauth_client_allowed_scopes()
             oauth_client = oauth_provider.add_client(
                 client_id,
                 api_token,
                 url_path_join(self.url, url_escape_path(server_name), 'oauth_callback'),
-                allowed_scopes=spawner._get_oauth_client_allowed_scopes(),
+                allowed_scopes=allowed_scopes,
                 description="Server at %s"
                 % (url_path_join(self.base_url, server_name) + '/'),
             )