diff --git a/src/oidcserver.js b/src/oidcserver.js
index 3f4c96d31..41e550a0f 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -533,20 +533,6 @@ async function getClaims(username, use, scope, clientId) {
 const [groupsError, allGroups] = await safe(groups.listWithMembers());
 if (groupsError) return { error: groupsError.message };
- const [mailboxesError, mailboxes] = await safe(mail.listMailboxesByUserId(user.id));
- if (mailboxesError) return { error: mailboxesError.message };
-
- let mailPassword = null;
- if (clientId) {
- let mailPw = await mailpasswords.get(clientId, user.id);
- if (!mailPw) {
- const generatedPassword = crypto.randomBytes(48).toString('hex');
- await mailpasswords.add(clientId, user.id, generatedPassword);
- mailPw = await mailpasswords.get(clientId, user.id);
- }
- if (mailPw) mailPassword = mailPw.password;
- }
-
 const displayName = user.displayName || user.username || ''; // displayName can be empty and username can be null
 const { firstName, lastName, middleName } = users.parseDisplayName(displayName);
@@ -565,12 +551,28 @@ async function getClaims(username, use, scope, clientId) {
 picture: `https://${dashboardFqdn}/api/v1/profile/avatar/${user.id}`, // we always store as png
 preferred_username: user.username,
 groups: allGroups.filter(function (g) { return g.userIds.indexOf(user.id) !== -1; }).map(function (g) { return `${g.name}`; }),
- mailclient: {
- accessToken: mailPassword,
- mailboxes,
- },
+ mailclient: {},
 };
+ if (clientId && scope.includes('mailclient')) {
+ const [mailboxesError, mailboxes] = await safe(mail.listMailboxesByUserId(user.id));
+ if (mailboxesError) return { error: mailboxesError.message };
+
+ let mailPw = await mailpasswords.get(clientId, user.id);
+ if (!mailPw) {
+ const generatedPassword = crypto.randomBytes(48).toString('hex');
+ await mailpasswords.add(clientId, user.id, generatedPassword);
+ mailPw = await mailpasswords.get(clientId, user.id);
+ }
+
+ if (!mailPw) return { error: 'could not generate mailclient claim' };
+
+ claims.mailclient = {
+ accessToken: mailPw.password,
+ mailboxes,
+ };
+ }
+
 return claims;
 }
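Review bot: The new guard `scope.includes('mailclient')` is a substring test if `scope` is the space-delimited scope string that oidc-provider hands to the claims hook, so a requested scope such as `mailclientfoo` or `notmailclient` would also unlock the per-client mail password; if that is the type here, match whole tokens instead, e.g. `if (clientId && scope.split(' ').includes('mailclient')) {`, whereas if `scope` is already an array the current check is exact and this does not apply. Unlike the surrounding `safe(...)` calls, `mailpasswords.get` and `mailpasswords.add` are unwrapped, so a store failure throws out of getClaims instead of yielding the `{ error }` result the other paths return; presumably acceptable, but worth making consistent with `const [pwError, mailPw] = await safe(mailpasswords.get(clientId, user.id));`. Two concurrent requests for the same clientId/user pair can both observe no stored password and both call `mailpasswords.add`; whether that dedupes or errors depends on `mailpasswords`, which is not visible here. getClaims begins before this hunk.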