One final note here, which will save someone a ton of time: when handle_roles is True, the roles array passed to the base handler’s auth_to_user method will overwrite all other default roles, scopes, etc
In the pseudocode above, I was missing “self” in the array of scopes, which then disallowed someone to accept the oauth prompt to be identified when joining a “collaboration” user’s server.