diff --git a/contrib/token-server/main.go b/contrib/token-server/main.go
index 303ed9ed..e47e11c2 100644
--- a/contrib/token-server/main.go
+++ b/contrib/token-server/main.go
@@ -86,7 +86,7 @@ func main() {
 if cert == "" {
 err = http.ListenAndServe(addr, router)
 } else if certKey == "" {
- logrus.Fatalf("Must provide certficate and key")
+ logrus.Fatalf("Must provide certficate (-tlscert) and key (-tlskey)")
 } else {
 err = http.ListenAndServeTLS(addr, cert, certKey, router)
 }
@@ -134,7 +134,7 @@ func (ts *tokenServer) getToken(ctx context.Context, w http.ResponseWriter, r *h
 service := params.Get("service")
 scopeSpecifiers := params["scope"]
- requestedAccessList := ResolveScopeSpecifiers(scopeSpecifiers)
+ requestedAccessList := ResolveScopeSpecifiers(ctx, scopeSpecifiers)
 authorizedCtx, err := ts.accessController.Authorized(ctx, requestedAccessList...)
 if err != nil {
@@ -150,14 +150,13 @@ func (ts *tokenServer) getToken(ctx context.Context, w http.ResponseWriter, r *h
 challenge.SetHeaders(w)
 handleError(ctx, errcode.ErrorCodeUnauthorized.WithDetail(challenge.Error()), w)
- context.GetResponseLogger(ctx).Info("authentication challenged")
+ context.GetResponseLogger(ctx).Info("get token authentication challenge")
 return
 }
 ctx = authorizedCtx
- // TODO(dmcgowan): handle case where this could panic?
- username := ctx.Value("auth.user.name").(string)
+ username := context.GetStringValue(ctx, "auth.user.name")
 ctx = context.WithValue(ctx, "acctSubject", username)
 ctx = context.WithLogger(ctx, context.GetLogger(ctx, "acctSubject"))
@@ -198,5 +197,5 @@ func (ts *tokenServer) getToken(ctx context.Context, w http.ResponseWriter, r *h
 w.Header().Set("Content-Type", "application/json")
 json.NewEncoder(w).Encode(map[string]string{"token": token})
- context.GetResponseLogger(ctx).Info("getToken complete")
+ context.GetResponseLogger(ctx).Info("get token complete")
 }
diff --git a/contrib/token-server/token.go b/contrib/token-server/token.go
index 6661ffce..15ace622 100644
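Review bot: The branch order around the reworded `logrus.Fatalf` in the `-86` hunk still lets a half-configured TLS setup fall back to cleartext: when `cert` is empty the first branch calls `http.ListenAndServe` without looking at `certKey`, so passing only `-tlskey` starts a plain-HTTP listener with no warning. For a server that hands out tokens I would fail closed whenever exactly one of the two is set, ahead of the listen calls: `if (cert == "") != (certKey == "") { logrus.Fatalf("Must provide both certificate (-tlscert) and key (-tlskey)") }`. The new message also keeps the typo `certficate`. main's body starts and ends outside the hunk.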
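Review bot: In the `-150` hunk, `context.GetStringValue(ctx, "auth.user.name")` removes the panic of the old type assertion, but a missing or non-string value now presumably comes back as an empty string and the handler carries on, storing it as `acctSubject`. If the rest of getToken (outside this hunk) uses `username` as the token subject, a token could be issued for an empty subject instead of the request failing. Reject it explicitly right after the lookup: `if username == "" { handleError(ctx, errcode.ErrorCodeUnauthorized.WithDetail("authorized context has no user name"), w); return }`.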
--- a/contrib/token-server/token.go
+++ b/contrib/token-server/token.go
@@ -10,6 +10,7 @@ import (
 "strings"
 "time"
+ "github.com/docker/distribution/context"
 "github.com/docker/distribution/registry/auth"
 "github.com/docker/distribution/registry/auth/token"
 "github.com/docker/libtrust"
@@ -17,7 +18,7 @@ import (
 // ResolveScopeSpecifiers converts a list of scope specifiers from a token
 // request's `scope` query parameters into a list of standard access objects.
-func ResolveScopeSpecifiers(scopeSpecs []string) []auth.Access {
+func ResolveScopeSpecifiers(ctx context.Context, scopeSpecs []string) []auth.Access {
 requestedAccessSet := make(map[auth.Access]struct{}, 2*len(scopeSpecs))
 for _, scopeSpecifier := range scopeSpecs {
@@ -25,7 +26,7 @@ func ResolveScopeSpecifiers(scopeSpecs []string) []auth.Access {
 parts := strings.SplitN(scopeSpecifier, ":", 3)
 if len(parts) != 3 {
- // Ignore malformed scope specifiers.
+ context.GetLogger(ctx).Infof("ignoring unsupported scope format %s", scopeSpecifier)
 continue
 }
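Review bot: The new `Infof` call in the `-25` hunk writes `scopeSpecifier` to the log with `%s`, and per the doc comment that string comes from the request's `scope` query parameters, so it is caller-controlled. Depending on the configured log formatter, embedded line breaks or control characters could forge or corrupt log entries, and a request carrying many malformed scopes produces one line each. Quote the value instead: `context.GetLogger(ctx).Infof("ignoring unsupported scope format %q", scopeSpecifier)`; capping the logged length would be a further safeguard. The loop body continues outside the hunk.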