diff --git a/jupyterhub/services/auth.py b/jupyterhub/services/auth.py
index 6c18bde3..757079c4 100644
--- a/jupyterhub/services/auth.py
+++ b/jupyterhub/services/auth.py
@@ -174,6 +174,7 @@ class HubAuth(Configurable):
             raise HTTPError(500, msg)
 
         if r.status_code == 404:
+            app_log.warning("No Hub user identified for request")
             data = None
         elif r.status_code == 403:
             app_log.error("I don't have permission to verify cookies, my auth token may have expired: [%i] %s", r.status_code, r.reason)
@@ -186,6 +187,7 @@ class HubAuth(Configurable):
             raise HTTPError(500, "Failed to check authorization")
         else:
             data = r.json()
+            app_log.debug("Received request from Hub user %s", data)
         self.cookie_cache[encrypted_cookie] = data
         return data
 
@@ -274,14 +276,18 @@ class HubAuthenticated(object):
         Returns:
             user_model (dict): The user model if the user should be allowed, None otherwise.
         """
+        name = user_model['name']
         if self.hub_users is None and self.hub_groups is None:
             # no whitelist specified, allow any authenticated Hub user
+            app_log.debug("Allowing Hub user %s (all Hub users allowed)", name)
             return user_model
-        name = user_model['name']
         if self.hub_users and name in self.hub_users:
             # user in whitelist
+            app_log.debug("Allowing whitelisted Hub user %s", name)
             return user_model
         elif self.hub_groups and set(user_model['groups']).intersection(self.hub_groups):
+            allowed_groups = set(user_model['groups']).intersection(self.hub_groups)
+            app_log.debug("Allowing Hub user %s in group(s) %s", name, ','.join(sorted(allowed_groups)))
             # group in whitelist
             return user_model
         else: