diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index bd611b3bf..50931bbf8 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -68,15 +68,15 @@ function validateRequestedScopes(authInfo, requestedScopes) {
     return null;
 }
 
-function normalizeScope(maxScope, allowedScope) {
-    assert.strictEqual(typeof maxScope, 'string');
+function normalizeScope(allowedScope, wantedScope) {
     assert.strictEqual(typeof allowedScope, 'string');
+    assert.strictEqual(typeof wantedScope, 'string');
 
-    const maxScopes = maxScope.split(',');
     const allowedScopes = allowedScope.split(',');
+    const wantedScopes = wantedScope.split(',');
 
-    if (maxScopes.indexOf(exports.SCOPE_ANY) !== -1) return allowedScope;
-    if (allowedScopes.indexOf(exports.SCOPE_ANY) !== -1) return maxScope;
+    if (allowedScopes.indexOf(exports.SCOPE_ANY) !== -1) return wantedScope;
+    if (wantedScopes.indexOf(exports.SCOPE_ANY) !== -1) return allowedScope;
 
-    return _.intersection(maxScopes, allowedScopes).join(',');
+    return _.intersection(allowedScopes, wantedScopes).join(',');
 }
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 08989172e..544aef3e7 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -104,7 +104,7 @@ function initialize() {
     var token = tokendb.generateToken();
     var expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
 
-    var scope = accesscontrol.normalizeScope(client.scope, user.scope);
+    var scope = accesscontrol.normalizeScope(user.scope, client.scope);
 
     tokendb.add(token, user.id, client.id, expires, scope, function (error) {
         if (error) return callback(error);
diff --git a/src/setup.js b/src/setup.js
index de7ae6d3e..2af3c5485 100644
--- a/src/setup.js
+++ b/src/setup.js
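Review bot: normalizeScope still carries no comment stating the property the rename is meant to make obvious — that the returned scope never exceeds allowedScope — and that is exactly what oauth2.js relies on when it now passes user.scope and client.scope in the new order. Because _.intersection is symmetric apart from element order, the argument swap changes no granted scopes, so the parameter names are currently the only documentation of the contract; a JSDoc block above the function along the lines of `Return the subset of wantedScope that allowedScope permits: SCOPE_ANY in allowedScope yields wantedScope unchanged, SCOPE_ANY in wantedScope yields allowedScope, otherwise the comma-separated intersection. Neither side is trimmed, so "a, b" does not match "b".` would pin it down. The SCOPE_ANY early return also hands wantedScope back verbatim rather than re-joined like the intersection branch, so duplicates or stray whitespace in the request survive on that path; worth noting in the comment if any caller compares scope strings.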
@@ -253,7 +253,7 @@ function activate(username, password, email, displayName, ip, auditSource, callb
     var token = tokendb.generateToken();
     var expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
 
-    tokendb.add(token, userObject.id, result.id, expires, accesscontrol.SCOPE_ANY, function (error) {
+    tokendb.add(token, userObject.id, result.id, expires, result.scope, function (error) {
         if (error) return callback(new SetupError(SetupError.INTERNAL_ERROR, error));
 
         eventlog.add(eventlog.ACTION_ACTIVATE, auditSource, { });
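Review bot: The activation token is now scoped by result.scope alone, whereas oauth2.js bounds an issued token by both the user's and the client's scope through accesscontrol.normalizeScope; this path skips that bound, so whatever scope the created record carries is granted to the first token without reference to the user. If userObject has a scope field like the user object oauth2.js passes to normalizeScope (not visible here), `tokendb.add(token, userObject.id, result.id, expires, accesscontrol.normalizeScope(userObject.scope, result.scope), function (error) {` would keep the two issuance paths consistent, and normalizeScope's typeof asserts would also catch result.scope being undefined, which this line currently passes through to tokendb.add unchecked. activate's body begins and ends outside the hunk, and where result comes from is not shown.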