diff --git a/jupyterhub/apihandlers/users.py b/jupyterhub/apihandlers/users.py
index c70d35ad..492a3a29 100644
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -14,6 +14,7 @@ from tornado import web
 from tornado.iostream import StreamClosedError
 from .. import orm
+from .. import scopes
 from ..roles import assign_default_roles
 from ..scopes import needs_scope
 from ..user import User
@@ -35,8 +36,13 @@ class SelfAPIHandler(APIHandler):
 if user is None:
 raise web.HTTPError(403)
 if isinstance(user, orm.Service):
+ # ensure we have the minimal 'identify' scopes for the token owner
+ self.raw_scopes.update(scopes.identify_scopes(user))
+ self.parsed_scopes = scopes.parse_scopes(self.raw_scopes)
 model = self.service_model(user)
 else:
+ self.raw_scopes.update(scopes.identify_scopes(user.orm_user))
+ self.parsed_scopes = scopes.parse_scopes(self.raw_scopes)
 model = self.user_model(user)
 self.write(json.dumps(model))
diff --git a/jupyterhub/handlers/base.py b/jupyterhub/handlers/base.py
index adf0c363..3c49577c 100644
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -419,17 +419,10 @@ class BaseHandler(RequestHandler):
 def _resolve_scopes(self):
 self.raw_scopes = set()
 app_log.debug("Loading and parsing scopes")
- if not self.current_user:
- # check for oauth tokens as long as #3380 not merged
- user_from_oauth = self.get_current_user_oauth_token()
- if user_from_oauth is not None:
- self.raw_scopes = {f'read:users!user={user_from_oauth.name}'}
- else:
- app_log.debug("No user found, no scopes loaded")
- else:
- api_token = self.get_token()
- if api_token:
- self.raw_scopes = scopes.get_scopes_for(api_token)
+ if self.current_user:
+ orm_token = self.get_token()
+ if orm_token:
+ self.raw_scopes = scopes.get_scopes_for(orm_token)
 else:
 self.raw_scopes = scopes.get_scopes_for(self.current_user)
 self.parsed_scopes = scopes.parse_scopes(self.raw_scopes)
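Review bot: Both new branches call `self.raw_scopes.update(...)`, which mutates the set object in place, and `_resolve_scopes` in base.py (changed in this same commit) assigns `self.raw_scopes = scopes.get_scopes_for(...)` directly; whether `get_scopes_for` returns a fresh set or one that is shared or cached is not visible here, and if it is ever shared, the identify scopes widened on this request would leak into other requests. Building a new set sidesteps the question: `self.raw_scopes = set(self.raw_scopes) | set(scopes.identify_scopes(user))` (and the same with `user.orm_user` in the else branch). The two branches differ only in the ORM object passed, so the widening and re-parse could be written once, e.g. `owner = user if isinstance(user, orm.Service) else user.orm_user`, with the existing comment kept above it so the else branch is documented too. The enclosing `get` method starts before this hunk.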
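Review bot: The unauthenticated path in `_resolve_scopes` no longer logs anything: the removed code emitted `No user found, no scopes loaded`, but after the rewrite a request with no `current_user` silently finishes with an empty `raw_scopes`, which is exactly the case worth seeing in a debug trace when diagnosing an unexpected 403. Adding `else:` / `app_log.debug("No user found, no scopes loaded")` after the outer `if self.current_user:` keeps that signal. The new code also relies on `self.current_user` having been resolved before this method runs; that ordering is outside the hunk, so a one-line comment on the `if` stating the precondition (`# current_user must already be resolved; scopes come from the token if one was presented, else from the user`) would help the next reader.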
diff --git a/jupyterhub/oauth/provider.py b/jupyterhub/oauth/provider.py
index ee96dfbe..bb395752 100644
--- a/jupyterhub/oauth/provider.py
+++ b/jupyterhub/oauth/provider.py
@@ -342,13 +342,15 @@ class JupyterHubRequestValidator(RequestValidator):
 .filter_by(identifier=request.client.client_id)
 .first()
 )
+ # FIXME: pick a role
+ # this will be empty for now
+ roles = list(self.db.query(orm.Role).filter_by(name='identify'))
 orm_access_token = orm.APIToken.new(
 client_id=client.identifier,
 grant_type=orm.GrantType.authorization_code,
 expires_at=orm.APIToken.now() + timedelta(seconds=token['expires_in']),
 refresh_token=token['refresh_token'],
- # TODO: save scopes,
- # scopes=scopes,
+ roles=roles,
 token=token['access_token'],
 session_id=request.session_id,
 user=request.user,
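Review bot: The roles attached to the access token issued here come from a hard-coded lookup of a role named `'identify'` rather than from what the client asked for in the authorization request, and the new comment itself says the query is expected to return nothing, so tokens are silently created with no roles and a deployment where the role is genuinely missing looks identical to the intended placeholder behaviour. The empty case should at least be visible, e.g. `if not roles:` followed by a warning through the module's logger naming `client.identifier` (the logger is not shown in this hunk). The literal `'identify'` belongs in a named constant so the role name is defined once, and the FIXME should state what the token's authorization is meant to derive from once implemented (the scopes consented to in the OAuth request, which the removed `# scopes=scopes` TODO was tracking) so the placeholder is not mistaken for final behaviour. The enclosing method starts before this hunk and the `orm.APIToken.new(` call continues past it.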