diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/ResourceProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/ResourceProvider.php
index 6872f7da..7669f96a 100644
--- a/src/Symfony/Component/Security/Core/Authentication/Provider/ResourceProvider.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/ResourceProvider.php
@@ -16,6 +16,8 @@
 use AuthBucket\OAuth2\Symfony\Component\Security\Core\Authentication\Token\AccessToken;
 use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
 
 /**
  * ResourceProvider implements OAuth2 resource endpoint authentication.
@@ -29,19 +31,22 @@ class ResourceProvider implements AuthenticationProviderInterface
     protected $resourceType;
     protected $scopeRequired;
     protected $options;
+    protected $userProvider;
 
     public function __construct(
         $providerKey,
         ResourceTypeHandlerFactoryInterface $resourceTypeHandlerFactory,
         $resourceType = 'model',
         array $scopeRequired = [],
-        array $options = []
+        array $options = [],
+        UserProviderInterface $userProvider = null
     ) {
         $this->providerKey = $providerKey;
         $this->resourceTypeHandlerFactory = $resourceTypeHandlerFactory;
         $this->resourceType = $resourceType;
         $this->scopeRequired = $scopeRequired;
         $this->options = $options;
+        $this->userProvider = $userProvider;
     }
 
     public function authenticate(TokenInterface $token)
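Review bot: The new `$userProvider` property and constructor parameter are untyped and undocumented, so a reader of the constructor cannot tell that the provider is optional or what enabling it changes; a docblock on the property such as `/** @var UserProviderInterface|null Optional; when set, the roles of the user named in the access token are merged into the authenticated token */` would cover it. The parameter admits `null` only through its default (`UserProviderInterface $userProvider = null`); if the project targets PHP 7.1 or later, `?UserProviderInterface $userProvider = null` states that explicitly. The constructor is complete inside the hunk, but the enclosing class starts before it and continues past it.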
@@ -68,6 +73,20 @@ public function authenticate(TokenInterface $token)
             }
         }
 
+        $user = null;
+        $roles = $token->getRoles();
+        if ($this->userProvider) {
+            try {
+                $user = $this->userProvider->loadUserByUsername($accessToken->getUsername());
+                $roles = array_merge($roles, $user->getRoles());
+            } catch (UsernameNotFoundException $e) {
+                // No user with this username, but there is a valid access token, so thats all good
+            }
+        }
+        $roles = array_merge($roles, array_map(function($scope) {
+            return 'ROLE_SCOPE_' . strtoupper($scope);
+        }, $scope));
+
         $tokenAuthenticated = new AccessToken(
             $this->providerKey,
             $accessToken->getAccessToken(),
@@ -76,9 +95,9 @@ public function authenticate(TokenInterface $token)
             $accessToken->getUsername(),
             $accessToken->getExpires(),
             $accessToken->getScope(),
-            $token->getRoles()
+            $roles,
+            $user ? $user : $accessToken->getUsername()
         );
-        $tokenAuthenticated->setUser($accessToken->getUsername());
 
         return $tokenAuthenticated;
     }
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AccessToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AccessToken.php
index f7da8f75..d425a3f1 100644
--- a/src/Symfony/Component/Security/Core/Authentication/Token/AccessToken.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Token/AccessToken.php
@@ -36,7 +36,8 @@ public function __construct(
         $username = '',
         $expires = '',
         array $scope = [],
-        array $roles = []
+        array $roles = [],
+        $user = null
     ) {
         parent::__construct($roles);
 
@@ -48,6 +49,9 @@ public function __construct(
         $this->username = $username;
         $this->expires = $expires;
         $this->scope = $scope;
+        if (null !== $user) {
+            $this->setUser($user);
+        }
         parent::setAuthenticated(count($roles) > 0);
     }
 
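Review bot: The user returned by `loadUserByUsername` is granted every role it carries without any account-state check: nothing in the new code (or in the visible constructor) runs a `UserCheckerInterface`, so a locked, disabled or expired account would still authenticate for as long as its access token is valid, whereas Symfony's own providers call `checkPreAuth`/`checkPostAuth` on the loaded user. If the project has a user checker available, injecting it alongside `$userProvider` and calling `$this->userChecker->checkPreAuth($user);` and `$this->userChecker->checkPostAuth($user);` right after the load would close that gap. Merging the user's full role set next to the `ROLE_SCOPE_*` roles also means the token's scope no longer bounds what the request may do; if that is intended, a comment on the `array_merge` line saying so would help the next reader. The `$scope` array handed to `array_map` and `$accessToken` are set earlier in authenticate(), outside the hunk, so whether `$scope` can be empty or null at this point is not visible here. The catch block's comment has a typo (`thats`) and the caught `$e` is unused.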
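Review bot: The new `$user` parameter is untyped and undocumented, and the only constraint on it is whatever `setUser()` enforces further down (presumably Symfony's `AbstractToken::setUser`, which accepts a `UserInterface`, a string or an object with `__toString` and throws `\InvalidArgumentException` for anything else). A `@param UserInterface|string|null $user` entry in the constructor's docblock, which starts before this hunk, would make the accepted shapes visible to callers such as ResourceProvider, which passes either the loaded user or the bare username. The constructor continues past the end of the hunk.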
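Review bot: The position of the new `setUser($user)` call matters and deserves a why-comment: it runs before `parent::setAuthenticated(count($roles) > 0)` on the next line, which is what keeps the token authenticated even though `AbstractToken::setUser()` (if that is the parent) resets the authenticated flag when the user changes. A comment such as `// Set the user before the authenticated flag: setUser() clears it when the user changes` on the `if (null !== $user)` line would stop a later reorder from silently producing an unauthenticated token. The constructor begins before this hunk.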