This is not a scope issue, but rather a proxy header issue causing some false-positive CORS detection (we’ve changed how all this works to avoid these problems in the next Hub release). The error is message is misleading because you have no scopes because auth was rejected due to the CORS issue, and granted no scopes to the request, not because your user has no scopes.
The Hub thinks the requests are coming to http://dev.com/myenv/hub/admin from http_s_://dev.com/myenv/hub/admin, which is not allowed. Ultimately, we need to make sure your proxy sets the appropriate proxy headers (Likely Forwarded) so that it gets the true URL that the browser is requesting. JupyterHub’s mechanism for getting the protocol is here, but the first priority is the Forwarded header, so if that is set with the right value by your frontmost layer, it should get the right answer.
How is JupyterHub deployed, and what is between the web and JupyterHub?
EDIT: (lots of) other folks have had similar issues, e.g. here