diff --git a/docker/README.md b/docker/README.md
index 7833fbaf38..35781fcb84 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -19,6 +19,7 @@ docker run \
 -e TEMPORAL_AUTH_CLIENT_ID=xxxxx-xxxx.apps.googleusercontent.com \
 -e TEMPORAL_AUTH_CLIENT_SECRET=xxxxxxxxxxxxxxx \
 -e TEMPORAL_AUTH_CALLBACK_URL=https://xxxx.com:8080/auth/sso/callback \
+ -e TEMPORAL_AUTH_SCOPES=openid,email,profile \
 -e TEMPORAL_TLS_CA=../ca.cert \
 -e TEMPORAL_TLS_CERT=../cluster.pem \
 -e TEMPORAL_TLS_KEY=../cluster.key \
diff --git a/docker/config_template.yaml b/docker/config_template.yaml
index 3541b85679..120ef1a525 100644
--- a/docker/config_template.yaml
+++ b/docker/config_template.yaml
@@ -33,16 +33,10 @@ auth:
 clientId: {{ .Env.TEMPORAL_AUTH_CLIENT_ID }}
 clientSecret: {{ .Env.TEMPORAL_AUTH_CLIENT_SECRET }}
 callbackUrl: {{ .Env.TEMPORAL_AUTH_CALLBACK_URL }}
- scopes:
- - openid
- - profile
- - email
+ scopes: {{ if .Env.TEMPORAL_AUTH_SCOPES }} {{ range $seed := (split .Env.TEMPORAL_AUTH_SCOPES ",") }}
+ - {{ . }} {{ end }} {{ end }}
 codec:
 endpoint: {{ default .Env.TEMPORAL_CODEC_ENDPOINT "" }}
 passAccessToken: {{ default .Env.TEMPORAL_CODEC_PASS_ACCESS_TOKEN "false" }}
-forwardHeaders: # comma separated list of headers to pass from HTTP API requests to Temporal gRPC backend
-{{ if .Env.TEMPORAL_FORWARD_HEADERS }}
-{{ range $seed := (split .Env.TEMPORAL_FORWARD_HEADERS ",") }}
- - {{ . }}
-{{ end }}
-{{ end }}
+forwardHeaders: {{ if .Env.TEMPORAL_FORWARD_HEADERS }} {{ range $seed := (split .Env.TEMPORAL_FORWARD_HEADERS ",") }}
+ - {{ . }} {{ end }} {{ end }}
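Review bot: When TEMPORAL_AUTH_SCOPES is unset, the new `scopes:` line under `auth:` renders with no list items, so a deployment that relied on the previously hard-coded `openid`, `profile`, `email` now gets an empty value. How the server treats an empty scope list is not visible in this diff, but an OIDC login that no longer requests `openid` is unlikely to behave as before. Keeping the old list as the fallback would preserve existing behaviour: drop the `{{ if }}`/`{{ end }}` guard and range over `split (default .Env.TEMPORAL_AUTH_SCOPES "openid,profile,email") ","`, using the same `default` helper as the `codec` lines below. The `forwardHeaders` rewrite also drops the comment explaining that the variable is a comma-separated list of headers forwarded to the gRPC backend; that is worth keeping on the new line, for example `# comma separated list of headers forwarded to the Temporal gRPC backend`.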