diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index f743d33d5..2845dfbe5 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -17,11 +17,13 @@ exports = module.exports = {
 SCOPE_ROLE_SDK: 'roleSdk',
 validateScope: validateScope,
- validateRequestedScopes: validateRequestedScopes
+ validateRequestedScopes: validateRequestedScopes,
+ normalizeScope: normalizeScope
 };
 var assert = require('assert'),
- debug = require('debug')('box:accesscontrol');
+ debug = require('debug')('box:accesscontrol'),
+ _ = require('underscore');
 function validateScope(scope) {
 assert.strictEqual(typeof scope, 'string');
@@ -73,3 +75,12 @@ function validateRequestedScopes(authInfo, requestedScopes) {
 return null;
 }
+
+function normalizeScope(maxScope, allowedScope) {
+ assert.strictEqual(typeof maxScope, 'string');
+ assert.strictEqual(typeof allowedScope, 'string');
+
+ if (maxScope === '*') return allowedScope;
+
+ return _.intersection(maxScope.split(','), allowedScope.split(',')).join(',');
+}
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 67a1e541a..08989172e 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -19,7 +19,8 @@ exports = module.exports = {
 csrf: csrf
 };
-var apps = require('../apps.js'),
+var accesscontrol = require('../accesscontrol.js'),
+ apps = require('../apps.js'),
 assert = require('assert'),
 authcodedb = require('../authcodedb.js'),
 clients = require('../clients'),
@@ -103,8 +104,9 @@ function initialize() {
 var token = tokendb.generateToken();
 var expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
+ var scope = accesscontrol.normalizeScope(client.scope, user.scope);
- tokendb.add(token, user.id, client.id, expires, client.scope, function (error) {
+ tokendb.add(token, user.id, client.id, expires, scope, function (error) {
 if (error) return callback(error);
 debug('grant token: new access token for client %s token %s', client.id, token);
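Review bot: normalizeScope treats '*' as a wildcard only when it is maxScope; an allowedScope of '*' (which the users.js hunk assigns to admins) is intersected as a literal scope name, so with a client whose scope is a plain list such as 'profile,roleSdk' the result `_.intersection(['profile', 'roleSdk'], ['*'])` is empty and the admin ends up with an empty scope. Add the mirror case before the intersection: `if (allowedScope === '*') return maxScope;`. The function also returns '' when nothing overlaps rather than signalling a failure, so the contract deserves a header comment, e.g. `// Intersects two comma-separated scope lists; '*' on either side means "everything the other side lists". Returns '' when no scope is common — callers must treat that as a denial.` Whitespace around commas is not trimmed, so 'profile, roleSdk' would never match 'profile'; that is fine as long as every scope string is generated internally, which the page does not show.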
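Review bot: The new `scope` value is handed to tokendb.add without being checked, yet normalizeScope returns '' when the client's and user's scope lists do not overlap, so a token carrying an empty scope is still issued and persisted; failing closed is safer, e.g. `if (scope === '') return callback(new Error('client scope not permitted for this user'));` placed before the tokendb.add call. normalizeScope also asserts that both arguments are strings, so if the `user` object used here is loaded by a path other than users.getUser (the only place on this page that sets `scope`), the grant would die with an AssertionError instead of returning an error to the callback — worth confirming where `user` comes from. The callback this code sits in, and initialize() itself, both start outside the hunk.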
diff --git a/src/users.js b/src/users.js
index 0bf62cbb5..61c31ac81 100644
--- a/src/users.js
+++ b/src/users.js
@@ -320,6 +320,7 @@ function getUser(userId, callback) {
 result.groupIds = groupIds;
 result.admin = groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1;
+ result.scope = result.admin ? '*' : 'profile';
 return callback(null, result);
 });
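Review bot: The user's scope is built from two bare literals, '*' and 'profile', and '*' is independently compared as a literal inside accesscontrol.normalizeScope, so the wildcard convention now lives in two files with nothing tying them together; accesscontrol.js already exports scope names such as SCOPE_ROLE_SDK, so if it declares a constant for the profile scope (and a wildcard one could be added next to it), using those here would keep the two in step. A comment on the new line would also explain why admins receive a value that is not itself a scope name, e.g. `// '*' is a wildcard understood by accesscontrol.normalizeScope(): admins may use every scope a client allows, everyone else only 'profile'`. Since this is recomputed on every getUser call rather than stored, a change in admin-group membership takes effect on the next read, which is the right behaviour for a privilege but means any caller that caches the user object keeps the old scope. The enclosing getUser body starts outside the hunk.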