diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index 8146a2d2..d035001b 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -190,6 +190,10 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 
 // THe user approved the client, redirect them back with an auth code
 if ($userHasApprovedClient === true) {
+
+ // Finalize the requested scopes
+ $scopes = $this->scopeRepository->finalizeScopes($scopes, $client, $userId);
+
 $authCode = $this->issueAuthCode(
 $this->authCodeTTL,
 $client,
diff --git a/src/Grant/ClientCredentialsGrant.php b/src/Grant/ClientCredentialsGrant.php
index 1b15defd..3c1db5e0 100644
--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@@ -30,6 +30,9 @@ class ClientCredentialsGrant extends AbstractGrant
 $client = $this->validateClient($request);
 $scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
 
+ // Finalize the requested scopes
+ $scopes = $this->scopeRepository->finalizeScopes($scopes, $client);
+
 // Issue and persist access token
 $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $client->getIdentifier(), $scopes);
 
diff --git a/src/Grant/ImplicitGrant.php b/src/Grant/ImplicitGrant.php
index c6a578e8..076cd582 100644
--- a/src/Grant/ImplicitGrant.php
+++ b/src/Grant/ImplicitGrant.php
@@ -189,6 +189,10 @@ class ImplicitGrant extends AbstractAuthorizeGrant
 
 // THe user approved the client, redirect them back with an access token
 if ($userHasApprovedClient === true) {
+
+ // Finalize the requested scopes
+ $scopes = $this->scopeRepository->finalizeScopes($scopes, $client, $userId);
+
 $accessToken = $this->issueAccessToken(
 $accessTokenTTL,
 $client,
diff --git a/src/Grant/PasswordGrant.php b/src/Grant/PasswordGrant.php
index fb6d07f6..a6a53e4f 100644
--- a/src/Grant/PasswordGrant.php
+++ b/src/Grant/PasswordGrant.php
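Review bot: In the AuthCodeGrant hunk finalizeScopes() runs only inside `if ($userHasApprovedClient === true)`, so any scopes an implementation appends (the interface docblock explicitly allows appending) were never shown on the consent screen, and the auth code carries a scope set the user did not approve; the ImplicitGrant hunk has the same ordering for the access token. Either finalize before the approval decision is taken, or document at these two call sites that only narrowing is acceptable once consent has been given, e.g. `// User has already consented to $scopes: implementations must not append here`. The ClientCredentialsGrant hunk is unaffected since no user consent is involved there. The enclosing method starts and ends outside each hunk.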
@@ -51,7 +51,10 @@ class PasswordGrant extends AbstractGrant
 // Validate request
 $client = $this->validateClient($request);
 $scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
- $user = $this->validateUser($request, $client, $scopes);
+ $user = $this->validateUser($request, $client);
+
+ // Finalize the requested scopes
+ $scopes = $this->scopeRepository->finalizeScopes($scopes, $client, $user->getIdentifier());
 
 // Issue and persist new tokens
 $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
@@ -67,13 +70,12 @@ class PasswordGrant extends AbstractGrant
 /**
 * @param \Psr\Http\Message\ServerRequestInterface $request
 * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $client
- * @param ScopeEntityInterface[] $scopes
 *
 * @throws \League\OAuth2\Server\Exception\OAuthServerException
 *
 * @return \League\OAuth2\Server\Entities\Interfaces\UserEntityInterface
 */
- protected function validateUser(ServerRequestInterface $request, ClientEntityInterface $client, array &$scopes)
+ protected function validateUser(ServerRequestInterface $request, ClientEntityInterface $client)
 {
 $username = $this->getRequestParameter('username', $request);
 if (is_null($username)) {
@@ -89,8 +91,7 @@ class PasswordGrant extends AbstractGrant
 $username,
 $password,
 $this->getIdentifier(),
- $client,
- $scopes
+ $client
 );
 if (!$user instanceof UserEntityInterface) {
 $this->getEmitter()->emit(new RequestEvent('user.authentication.failed', $request));
diff --git a/src/Repositories/ScopeRepositoryInterface.php b/src/Repositories/ScopeRepositoryInterface.php
index 5ac9aff8..5b44c615 100644
--- a/src/Repositories/ScopeRepositoryInterface.php
+++ b/src/Repositories/ScopeRepositoryInterface.php
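Review bot: The third PasswordGrant hunk drops `$scopes` from the `getUserEntityByUserCredentials(...)` call, but the matching change to UserRepositoryInterface is not in this diff; if that interface still declares the by-reference scopes parameter, every existing implementation that requires it will now be called with too few arguments. There is also a silent behaviour change worth documenting: a user repository that used to narrow `$scopes` by reference while checking credentials (the `array &$scopes` parameter removed in the second hunk) no longer affects the issued token at all, so any such narrowing has to move into ScopeRepositoryInterface::finalizeScopes() or tokens keep scopes that were meant to be removed. A line in the validateUser docblock such as `* Scope adjustment is no longer done here; see ScopeRepositoryInterface::finalizeScopes().` would make that explicit to implementers. validateUser's body continues outside the second and third hunks.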
@@ -10,6 +10,9 @@
 */
 namespace League\OAuth2\Server\Repositories;
 
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
+
 /**
 * Scope interface.
 */
@@ -25,4 +28,16 @@ interface ScopeRepositoryInterface extends RepositoryInterface
 * @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface
 */
 public function getScopeEntityByIdentifier($identifier, $grantType, $clientId = null);
+
+ /**
+ * Given a client and user validate the set of scopes requested are valid and optionally
+ * append additional scopes or remove requested scopes.
+ *
+ * @param ScopeEntityInterface[] $scopes
+ * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
+ * @param null|string $userIdentifier
+ *
+ * @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[]
+ */
+ public function finalizeScopes(array $scopes = [], ClientEntityInterface $clientEntity, $userIdentifier = null);
 }
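Review bot: The new `finalizeScopes` signature places the required `$clientEntity` after the optional `array $scopes = []`; the default can never be used by a caller and PHP 8.0+ reports a required-after-optional parameter as deprecated, so it should read `public function finalizeScopes(array $scopes, ClientEntityInterface $clientEntity, $userIdentifier = null);`. The docblock should also state the trust placed in the return value: every grant passes the returned array straight into token or auth-code issuance without validating it again, so implementations must return only scopes the client (and user, when given) is permitted to hold. Unlike `getScopeEntityByIdentifier`, no `$grantType` is passed, which means an implementation cannot apply a per-grant scope policy here; consider adding it before the interface is released, since adding a parameter later is a breaking change for implementers.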