diff --git a/CHANGELOG.md b/CHANGELOG.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,62 +1,58 @@
-0.2.3.0
-=======
+# 0.2.3.1
 
-* Support `hoauth2-1.11.0`
-* Drop support for `jose` versions < 0.8
-* Expose `decodeKey`
-* OAuth2 provider remove a session when an access token expires. It will use a
+- Expose `discoverURI` in `Network.Wai.Middleware.Auth.OIDC`
+- Fix bug with OAuth2 and OpenID Connect authentication where scopes were
+  separated using comma's instead of spaces.
+
+  # 0.2.3.0
+
+- Support `hoauth2-1.11.0`
+- Drop support for `jose` versions < 0.8
+- Expose `decodeKey`
+- OAuth2 provider remove a session when an access token expires. It will use a
   refresh token if one is available to create a new session. If no refresh token
   is available it will redirect the user to re-authenticate.
-* Providers can define logic for refreshing a session without user intervention.
-* Add an OpenID Connect provider.
+- Providers can define logic for refreshing a session without user intervention.
+- Add an OpenID Connect provider.
 
-0.2.2.0
-=======
+  # 0.2.2.0
 
-* Add request logging to executable
-* Newer multistage Docker build system
+- Add request logging to executable
+- Newer multistage Docker build system
 
-0.2.1.0
-=======
+  # 0.2.1.0
 
-* Fix a bug in deserialization of `UserIdentity`
+- Fix a bug in deserialization of `UserIdentity`
 
-0.2.0.0
-=======
+  # 0.2.0.0
 
-* Drop compatiblity with hoauth2 versions <= 1.0.0.
-* Add a function for getting the oauth2 token from an authenticated request.
-* Modify encoding of oauth2 session cookies. As a consequence existing cookies will be invalid.
+- Drop compatiblity with hoauth2 versions <= 1.0.0.
+- Add a function for getting the oauth2 token from an authenticated request.
+- Modify encoding of oauth2 session cookies. As a consequence existing cookies will be invalid.
 
-0.1.2.1
-=======
+  # 0.1.2.1
 
-* Compatibility with hoauth2-1.3.0 - fixed: [#4](https://github.com/fpco/wai-middleware-auth/issues/4)
+- Compatibility with hoauth2-1.3.0 - fixed: [#4](https://github.com/fpco/wai-middleware-auth/issues/4)
 
-0.1.2.0
-=======
+  # 0.1.2.0
 
-* Implemented compatibility with hoauth2 >= 1.0.0 - fixed: [#3](https://github.com/fpco/wai-middleware-auth/issues/3)
+- Implemented compatibility with hoauth2 >= 1.0.0 - fixed: [#3](https://github.com/fpco/wai-middleware-auth/issues/3)
 
-0.1.1.2
-=======
+  # 0.1.1.2
 
-* Fixed [wai-middleware-auth-0.1.1.1 does not compile in 32 bit Linux](https://github.com/fpco/wai-middleware-auth/issues/2)
+- Fixed [wai-middleware-auth-0.1.1.1 does not compile in 32 bit Linux](https://github.com/fpco/wai-middleware-auth/issues/2)
 
-0.1.1.1
-=======
+  # 0.1.1.1
 
-* Disallow empty `userIdentity` to produce a successfull login.
-* Produces a 404 on `/favicon.ico` page if not logged in: work around for issue
+- Disallow empty `userIdentity` to produce a successfull login.
+- Produces a 404 on `/favicon.ico` page if not logged in: work around for issue
   with Chrome requesting it first and messing up the redirect url.
-* Added JQuery to the template, since it's bootstrap's requirement.
+- Added JQuery to the template, since it's bootstrap's requirement.
 
-0.1.1.0
-=======
+  # 0.1.1.0
 
-* Fixed whitelist email regex matching for Github and Google auth.
+- Fixed whitelist email regex matching for Github and Google auth.
 
-0.1.0.0
-=======
+  # 0.1.0.0
 
-* Initial implementation.
+- Initial implementation.
diff --git a/src/Network/Wai/Auth/Internal.hs b/src/Network/Wai/Auth/Internal.hs
--- a/src/Network/Wai/Auth/Internal.hs
+++ b/src/Network/Wai/Auth/Internal.hs
@@ -76,7 +76,8 @@
 oauth2Login oauth2 man oa2Scope providerName req suffix onSuccess onFailure = 
   case suffix of
     [] -> do
-      let scope = (encodeUtf8 . T.intercalate ",") <$> oa2Scope
+      -- https://tools.ietf.org/html/rfc6749#section-3.3
+      let scope = (encodeUtf8 . T.intercalate " ") <$> oa2Scope
       let redirectUrl =
             getRedirectURI $
             appendQueryParams
diff --git a/src/Network/Wai/Middleware/Auth/OIDC.hs b/src/Network/Wai/Middleware/Auth/OIDC.hs
--- a/src/Network/Wai/Middleware/Auth/OIDC.hs
+++ b/src/Network/Wai/Middleware/Auth/OIDC.hs
@@ -11,6 +11,7 @@
   ( -- * Creating a provider
     OpenIDConnect
   , discover
+  , discoverURI
   -- * Customizing a provider
   , oidcClientId
   , oidcClientSecret
@@ -165,13 +166,21 @@
           Just claims -> 
             pure (Just (storeClaims claims req, user))
 
--- | Fetch configuration for a provider from its discovery endpoint.
+-- | Fetch configuration for a provider from its discovery
+-- endpoint. Sets the path to @/.well-known/..@.
 --
 -- @since 0.2.3.0
 discover :: T.Text -> IO OpenIDConnect
 discover urlText = do
   base <- parseAbsoluteURI urlText
   let uri = base { U.uriPath = "/.well-known/openid-configuration" }
+  discoverURI uri
+
+-- | Fetch configuration for a provider from an exact URI.
+--
+-- @since 0.2.3.1
+discoverURI :: U.URI -> IO OpenIDConnect
+discoverURI uri = do
   metadata <- fetchMetadata uri
   jwkset <- fetchJWKSet (jwksUri metadata)
   pure OpenIDConnect 
diff --git a/test/Spec/Network/Wai/Middleware/Auth/OAuth2.hs b/test/Spec/Network/Wai/Middleware/Auth/OAuth2.hs
--- a/test/Spec/Network/Wai/Middleware/Auth/OAuth2.hs
+++ b/test/Spec/Network/Wai/Middleware/Auth/OAuth2.hs
@@ -42,7 +42,7 @@
         assertStatus 303 redirect3
         assertHeader
           "location"
-          (TE.encodeUtf8 host <> "/authorize?scope=scope1%2Cscope2&client_id=client-id&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fprefix%2Foauth2%2Fcomplete")
+          (TE.encodeUtf8 host <> "/authorize?scope=scope1%20scope2&client_id=client-id&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fprefix%2Foauth2%2Fcomplete")
           redirect3
 
   , testCase "when a request is made with a valid session then pass the request through" $
diff --git a/test/Spec/Network/Wai/Middleware/Auth/OIDC.hs b/test/Spec/Network/Wai/Middleware/Auth/OIDC.hs
--- a/test/Spec/Network/Wai/Middleware/Auth/OIDC.hs
+++ b/test/Spec/Network/Wai/Middleware/Auth/OIDC.hs
@@ -43,7 +43,7 @@
         assertStatus 303 redirect3
         assertHeader
           "location"
-          (TE.encodeUtf8 host <> "/authorize?scope=openid%2Cscope1&client_id=client-id&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fprefix%2Foidc%2Fcomplete")
+          (TE.encodeUtf8 host <> "/authorize?scope=openid%20scope1&client_id=client-id&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fprefix%2Foidc%2Fcomplete")
           redirect3
 
   , testCase "when a request is made with a valid session then pass the request through" $
diff --git a/wai-middleware-auth.cabal b/wai-middleware-auth.cabal
--- a/wai-middleware-auth.cabal
+++ b/wai-middleware-auth.cabal
@@ -1,6 +1,6 @@
 cabal-version:       1.18
 name:                wai-middleware-auth
-version:             0.2.3.0
+version:             0.2.3.1
 synopsis:            Authentication middleware that secures WAI application
 description:         Please see the README and Haddocks at <https://www.stackage.org/package/wai-middleware-auth>
 license:             MIT
