diff --git a/handlers.go b/handlers.go
index 1cd7b72..0e73885 100644
--- a/handlers.go
+++ b/handlers.go
@@ -295,10 +295,13 @@ func (m *MockOIDC) setTokens(tr *tokenResponse, s *Session, grantType string) er
 if err != nil {
 return err
 }
- if len(s.Scopes) > 0 && s.Scopes[0] == openidScope {
- tr.IDToken, err = s.IDToken(m.Config(), m.Keypair, m.Now())
- if err != nil {
- return err
+ for _, scope := range s.Scopes {
+ if scope == openidScope {
+ tr.IDToken, err = s.IDToken(m.Config(), m.Keypair, m.Now())
+ if err != nil {
+ return err
+ }
+ break
 }
 }
 if grantType != "refresh_token" {
diff --git a/handlers_test.go b/handlers_test.go
index 0e9e31c..5aa7c6d 100644
--- a/handlers_test.go
+++ b/handlers_test.go
@@ -71,8 +71,11 @@ func TestMockOIDC_Token_CodeGrant(t *testing.T) {
 m, err := mockoidc.NewServer(nil)
 assert.NoError(t, err)
+ // Note: we're setting openid to the end of the scope list to test
+ // that ordering is not considered when checking for "openid" in the
+ // list
 session, _ := m.SessionStore.NewSession(
- "openid email profile", "nonce", mockoidc.DefaultUser(), "", "")
+ "email profile openid", "nonce", mockoidc.DefaultUser(), "", "")
 assert.HTTPError(t, m.Token, http.MethodPost, mockoidc.TokenEndpoint, nil)
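Review bot: The `for`/`break` added to setTokens is a membership test on `s.Scopes`, and it is easier to audit written as one: `if slices.Contains(s.Scopes, openidScope) {` around the existing `s.IDToken` call (needs the `slices` package, Go 1.21+; on an older toolchain a small unexported `hasScope` helper does the same job). A one-line comment above it would record why position no longer matters, for example `// "openid" may appear anywhere in the space-delimited scope list; order is not significant.` The comparison stays an exact, case-sensitive match, which is what scope values call for. setTokens starts before and continues past this hunk, so how `s.Scopes` is split from the request is not visible here.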
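Review bot: Moving `openid` to the end of the scope string in TestMockOIDC_Token_CodeGrant swaps the openid-first case for the openid-last one instead of covering both, and nothing visible in this hunk covers a scope list without `openid`, where the token response should presumably carry no ID token. A second session built with `m.SessionStore.NewSession("email profile", "nonce", mockoidc.DefaultUser(), "", "")` and an assertion that the response has an empty `id_token` would pin the negative case, so a mock that hands out ID tokens too freely cannot hide a client that forgets to request `openid`. The test body continues past the end of the hunk, so such an assertion may already exist further down.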