diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index 68efef9f6..4f046ce3b 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -20,7 +20,7 @@ exports = module.exports = {
 
     validateScope: validateScope,
     validateRequestedScopes: validateRequestedScopes,
-    normalizeScope: normalizeScope,
+    intersectScope: intersectScope,
     canonicalScope: canonicalScope
 };
 
@@ -122,7 +122,7 @@ function canonicalScope(scope) {
     return scopes.join(',');
 }
 
-function normalizeScope(allowedScope, wantedScope) {
+function intersectScope(allowedScope, wantedScope) {
     assert.strictEqual(typeof allowedScope, 'string');
     assert.strictEqual(typeof wantedScope, 'string');
 
@@ -149,7 +149,7 @@ function accessTokenAuth(accessToken, callback) {
 
             // scopes here can define what capabilities that token carries
             // passport put the 'info' object into req.authInfo, where we can further validate the scopes
-            var scope = normalizeScope(user.scope, token.scope);
+            var scope = intersectScope(user.scope, token.scope);
             var info = { scope: scope, clientId: token.clientId };
 
             callback(null, user, info);
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 25ab4c6e8..827066694 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -104,7 +104,7 @@ function initialize() {
 
         var token = tokendb.generateToken();
         var expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
-        var scope = accesscontrol.normalizeScope(user.scope, client.scope);
+        var scope = accesscontrol.intersectScope(user.scope, client.scope);
 
         tokendb.add(token, user.id, client.id, expires, scope, function (error) {
             if (error) return callback(error);
diff --git a/src/test/accesscontrol-test.js b/src/test/accesscontrol-test.js
index 897324453..c917e67ee 100644
--- a/src/test/accesscontrol-test.js
+++ b/src/test/accesscontrol-test.js
@@ -19,4 +19,31 @@ describe('access control', function () {
             expect(accesscontrol.canonicalScope('foo,bar,*')).to.be('foo,bar,apps,clients,cloudron,domains,mail,profile,settings,users');
         });
     });
+
+    describe('intersectScope', function () { // args: allowed, wanted
+        it('both are same', function () {
+            expect(accesscontrol.intersectScope('apps,clients', 'clients,apps')).to.be('apps,clients');
+        });
+
+        it('some are different', function () {
+            expect(accesscontrol.intersectScope('apps', 'clients,apps')).to.be('apps');
+            expect(accesscontrol.intersectScope('clients,domains,mail', 'mail')).to.be('mail');
+        });
+
+        it('* in allowed', function () {
+            expect(accesscontrol.intersectScope('*', 'clients,apps')).to.be('clients,apps');
+            expect(accesscontrol.intersectScope('foo,*,bar', 'mail')).to.be('mail');
+        });
+
+        it('* in wanted', function () {
+            expect(accesscontrol.intersectScope('clients,apps', '*')).to.be('clients,apps');
+            expect(accesscontrol.intersectScope('mail', 'bar,*,foo')).to.be('mail');
+            expect(accesscontrol.intersectScope('*', '*')).to.be('apps,clients,cloudron,domains,mail,profile,settings,users');
+        });
+
+        it('everything is different', function () {
+            expect(accesscontrol.intersectScope('cloudron,domains', 'clients,apps')).to.be('');
+        });
+
+    });
 });