diff --git a/jupyterhub/handlers/base.py b/jupyterhub/handlers/base.py
index c1d03fd1..b1a40865 100644
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -447,6 +447,7 @@ class BaseHandler(RequestHandler):
 else: # deprecated oauth tokens
 user_from_oauth = self.get_current_user_oauth_token()
 self.raw_scopes = scopes.get_scopes_for(user_from_oauth)
+ app_log.debug("Found scopes [%s]", ",".join(self.raw_scopes))
 self.parsed_scopes = scopes.parse_scopes(self.raw_scopes)
 @property
diff --git a/jupyterhub/tests/test_auth_expiry.py b/jupyterhub/tests/test_auth_expiry.py
index 48f85eb4..59598219 100644
--- a/jupyterhub/tests/test_auth_expiry.py
+++ b/jupyterhub/tests/test_auth_expiry.py
@@ -101,6 +101,7 @@ async def test_auth_expired_page(app, user, disable_refresh):
 assert user._auth_refreshed == before
+# Fixme: Why does this text fail?
 async def test_auth_expired_api(app, user, disable_refresh):
 cookies = await app.login_user(user.name)
 assert user._auth_refreshed
diff --git a/jupyterhub/tests/test_roles.py b/jupyterhub/tests/test_roles.py
index bdc8b98a..4f2c7475 100644
--- a/jupyterhub/tests/test_roles.py
+++ b/jupyterhub/tests/test_roles.py
@@ -17,11 +17,13 @@ from .utils import api_request
 def test_orm_roles(db):
 """Test orm roles setup"""
 user_role = orm.Role.find(db, name='user')
+ token_role = orm.Role.find(db, name='token')
 if not user_role:
- user_role = orm.Role(name='user', scopes=['all', 'read:all'])
+ user_role = orm.Role(name='user', scopes=['self'])
 db.add(user_role)
- db.commit()
-
+ if not token_role:
+ token_role = orm.Role(name='token', scopes=['all'])
+ db.add(token_role)
 service_role = orm.Role(name='service', scopes=['users:servers'])
 db.add(service_role)
 db.commit()
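Review bot: In jupyterhub/handlers/base.py the added `app_log.debug(...)` builds the joined string on every request that reaches this code, even when debug logging is off, and a non-string element in `self.raw_scopes` would make `",".join` raise and fail the request over a log line. If `raw_scopes` is a set (its type is not visible in the hunk) the order also differs between runs, which makes log lines hard to compare. `app_log.debug("Found scopes %s", sorted(self.raw_scopes))` leaves the string formatting to the logger and gives a stable order. The enclosing method starts and ends outside the hunk.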
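Review bot: The comment added above test_auth_expired_api in jupyterhub/tests/test_auth_expiry.py records a known failure without changing how the test runs, so the suite either stays red or the failure is ignored. This test covers the API path for expired authentication, which is behaviour worth keeping verified. The comment also says "text" where "test" is meant. If the failure is expected for now, an xfail marker with a reason is easier to track than a comment, together with wording such as `# FIXME(<issue-ref>): test fails because <cause>; remove the xfail once fixed`.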
@@ -53,8 +55,8 @@ def test_orm_roles(db):
 # assigns it the default 'user' role
 token = user.new_api_token()
 user_token = orm.APIToken.find(db, token=token)
- assert user_token in user_role.tokens
- assert user_role in user_token.roles
+ assert user_token in token_role.tokens
+ assert token_role in user_token.roles
 # check creating token with a specific role
 token = service.new_api_token(roles=['service'])
@@ -66,7 +68,7 @@ def test_orm_roles(db):
 db.delete(user)
 db.commit()
 assert user_role.users == []
- assert user_token not in user_role.tokens
+ assert user_token not in token_role.tokens
 # check deleting the service token removes it from 'service' role
 db.delete(service_token)
 db.commit()
@@ -356,11 +358,11 @@ async def test_load_roles_tokens(tmpdir, request):
 assert culler_role in token.roles
 # test if all other tokens have default 'user' role
- user_role = orm.Role.find(db, 'user')
+ token_role = orm.Role.find(db, 'token')
 sec_token = orm.APIToken.find(db, 'secret-token')
- assert user_role in sec_token.roles
+ assert token_role in sec_token.roles
 s_sec_token = orm.APIToken.find(db, 'super-secret-token')
- assert user_role in s_sec_token.roles
+ assert token_role in s_sec_token.roles
 @mark.role
@@ -375,7 +377,7 @@ async def test_load_roles_tokens(tmpdir, request):
 )
 async def test_get_new_token_via_api(app, headers, role_list, status):
 user = add_user(app.db, app, name='user')
- roles.add_role(app.db, {'name': 'reader', 'scopes': ['read:all']})
+ roles.add_role(app.db, {'name': 'reader', 'scopes': ['all']})
 roles.add_role(app.db, {'name': 'user_creator', 'scopes': ['admin:users']})
 if role_list:
 body = json.dumps({'roles': role_list})
@@ -393,7 +395,7 @@ async def test_get_new_token_via_api(app, headers, role_list, status):
 assert 'token' in reply
 assert reply['user'] == 'user'
 if not role_list:
- assert reply['roles'] == ['user']
+ assert reply['roles'] == ['token']
 else:
 assert reply['roles'] == ['reader']
 token_id = reply['id']
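Review bot: The context comment `# assigns it the default 'user' role` at the top of the @@ -53,8 hunk now contradicts the assertions below it, which check `token_role`. The same applies to `# test if all other tokens have default 'user' role` in the @@ -356,11 hunk. The default role decides what a freshly issued token may do, so the comments should name it correctly: `# assigns it the default 'token' role` and `# test if all other tokens have default 'token' role`. test_orm_roles starts and ends outside this hunk.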
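Review bot: In the @@ -375,7 hunk the fixture role is still named `reader` but is now created with scope `all`, so the name no longer describes the privilege it grants. The case that requests `['reader']` therefore no longer exercises a role narrower than full access. If `read:all` was dropped from the scope definitions (not visible in this diff), a remaining read-only scope would keep the original intent. Otherwise rename the role to match, for example `roles.add_role(app.db, {'name': 'all_access', 'scopes': ['all']})`, and adjust the `['reader']` expectation in the @@ -393,7 hunk and the parametrize list, which lies outside the hunk.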
diff --git a/jupyterhub/tests/test_services.py b/jupyterhub/tests/test_services.py
index 379f92aa..55ba907e 100644
--- a/jupyterhub/tests/test_services.py
+++ b/jupyterhub/tests/test_services.py
@@ -9,6 +9,7 @@ from subprocess import Popen
 from async_generator import asynccontextmanager
 from tornado.ioloop import IOLoop
+from ..roles import update_roles
 from ..utils import maybe_future
 from ..utils import random_port
 from ..utils import url_path_join
@@ -93,6 +94,8 @@ async def test_external_service(app):
 await app.proxy.add_all_services(app._service_map)
 service = app._service_map[name]
+ api_token = service.orm.api_tokens[0]
+ update_roles(app.db, api_token, 'tokens', roles=['token'])
 url = public_url(app, service) + '/api/users'
 r = await async_requests.get(url, allow_redirects=False)
 r.raise_for_status()
diff --git a/jupyterhub/tests/test_singleuser.py b/jupyterhub/tests/test_singleuser.py
index 49b366c9..3d461111 100644
--- a/jupyterhub/tests/test_singleuser.py
+++ b/jupyterhub/tests/test_singleuser.py
@@ -50,11 +50,9 @@ async def test_singleuser_auth(app):
 assert urlparse(r.url).path.endswith('/oauth2/authorize')
 # submit the oauth form to complete authorization
 r = await s.post(r.url, data={'scopes': ['identify']}, headers={'Referer': r.url})
- assert (
- urlparse(r.url)
- .path.rstrip('/')
- .endswith(url_path_join('/user/nandy', user.spawner.default_url or "/tree"))
- )
+ final_url = urlparse(r.url).path.rstrip('/')
+ final_path = url_path_join('/user/nandy', user.spawner.default_url or "/tree")
+ assert final_url.endswith(final_path)
 # user isn't authorized, should raise 403
 assert r.status_code == 403
 assert 'burgess' in r.text
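Review bot: In test_external_service the added lines grant the service's first API token the `token` role by hand before the request, so the test no longer shows that a service token set up by the application can reach `/api/users` with the roles it receives on its own. If that assignment is missing in the application, this masks it; if the manual step is deliberate for now, a comment above `update_roles(...)` should say why and when it can be removed. `service.orm.api_tokens[0]` also fails with a bare IndexError when the service has no token, so `assert service.orm.api_tokens` before indexing would give a clearer failure. The function body continues outside the hunk.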
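Review bot: In the test_singleuser.py hunk, `final_url` holds the path component of the response URL and `final_path` holds the expected suffix, so the names suggest something other than what is compared. `actual_path = urlparse(r.url).path.rstrip('/')` and `expected_path = url_path_join(...)` followed by `assert actual_path.endswith(expected_path)` would read unambiguously. test_singleuser_auth starts and ends outside the hunk.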