diff --git a/envoy/extensions/filters/http/oauth2/v3alpha/oauth.proto b/envoy/extensions/filters/http/oauth2/v3alpha/oauth.proto
index e3496ad8..e5f99051 100644
--- a/envoy/extensions/filters/http/oauth2/v3alpha/oauth.proto
+++ b/envoy/extensions/filters/http/oauth2/v3alpha/oauth.proto
@@ -41,7 +41,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message OAuth2Config {
   // Endpoint on the authorization server to retrieve the access token from.
   config.core.v3.HttpUri token_endpoint = 1;
@@ -76,6 +76,10 @@ message OAuth2Config {
   // defaults to "user" scope.
   // OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3
   repeated string auth_scopes = 9;
+
+  // Optional resource parameter for authorization request
+  // RFC: https://tools.ietf.org/html/rfc8707
+  repeated string resources = 10;
 }
 
 // Filter config.
diff --git a/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto b/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto
index 9a9b76db..75002c99 100644
--- a/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto
+++ b/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto
@@ -45,7 +45,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message OAuth2Config {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Config";
@@ -83,6 +83,10 @@ message OAuth2Config {
   // defaults to "user" scope.
   // OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3
   repeated string auth_scopes = 9;
+
+  // Optional resource parameter for authorization request
+  // RFC: https://tools.ietf.org/html/rfc8707
+  repeated string resources = 10;
 }
 
 // Filter config.