diff --git a/jupyterhub/oauth/provider.py b/jupyterhub/oauth/provider.py
index 052616a7..80e8140e 100644
--- a/jupyterhub/oauth/provider.py
+++ b/jupyterhub/oauth/provider.py
@@ -587,7 +587,7 @@ class JupyterHubOAuthServer(WebApplicationServer):
         super().__init__(validator, *args, **kwargs)
 
     def add_client(
-        self, client_id, client_secret, redirect_uri, allowed_roles, description=''
+        self, client_id, client_secret, redirect_uri, allowed_roles=None, description=''
     ):
         """Add a client
 
@@ -609,6 +609,8 @@ class JupyterHubOAuthServer(WebApplicationServer):
             app_log.info(f'Creating oauth client {client_id}')
         else:
             app_log.info(f'Updating oauth client {client_id}')
+        if allowed_roles == None:
+            allowed_roles = []
         orm_client.secret = hash_token(client_secret) if client_secret else ""
         orm_client.redirect_uri = redirect_uri
         orm_client.description = description
diff --git a/jupyterhub/user.py b/jupyterhub/user.py
index ce1dc300..a95c1a8c 100644
--- a/jupyterhub/user.py
+++ b/jupyterhub/user.py
@@ -568,7 +568,7 @@ class User:
                 client_id,
                 api_token,
                 url_path_join(self.url, server_name, 'oauth_callback'),
-                description="Server at %s"
+                description="Server at %s"  # todo: own server: 'users:servers!user={username} as allowed role?
                 % (url_path_join(self.base_url, server_name) + '/'),
             )
         db.commit()