diff --git a/jupyter/base/values/values.yaml b/jupyter/base/values/values.yaml
index d6a82a5..a3af098 100644
--- a/jupyter/base/values/values.yaml
+++ b/jupyter/base/values/values.yaml
@@ -9,6 +9,50 @@ hub:
   db:
     pvc:
       storageClassName: csi-sc-cinderplugin
+  extraFiles:
+    refresh-token.py: |
+      """A token refresh service authenticating with the Hub.
+
+      This service serves `/services/refresh-token/`,
+      authenticated with the Hub,
+      showing the user their own info.
+      """
+      import json
+      import os
+      from urllib.parse import urlparse
+
+      from tornado.httpserver import HTTPServer
+      from tornado.ioloop import IOLoop
+      from tornado.web import Application, RequestHandler, authenticated
+
+      from jupyterhub.services.auth import HubAuthenticated
+
+
+      class RefreshHandler(HubAuthenticated, RequestHandler):
+          @authenticated
+          def get(self):
+              user_model = self.get_current_user()
+              self.set_header('content-type', 'application/json')
+              self.write(json.dumps(user_model, indent=1, sort_keys=True))
+
+
+      def main():
+          app = Application(
+              [
+                  (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', RefreshHandler),
+                  (r'.*', RefreshHandler),
+              ]
+          )
+
+          http_server = HTTPServer(app)
+          url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])
+
+          http_server.listen(url.port, url.hostname)
+
+          IOLoop.current().start()
+      if __name__ == '__main__':
+          main()
+
   extraConfig:
     oauthCode: |
       import time
@@ -111,21 +155,21 @@ hub:
       c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook
 
     serviceCode: |
-      from jupyter_server.base.handlers import JupyterHandler
-      import tornado
-
-
-      class MyExtensionHandler(JupyterHandler):
-          @tornado.web.authenticated
-          def get(self):
-            print("Hello World")
-
-      def _load_jupyter_server_extension(serverapp: jupyter_server.serverapp.ServerApp):
-        """
-        This function is called when the extension is loaded.
-        """
-        handlers = [("/nextcloud/token", NextcloudExtensionHandler)]
-        serverapp.web_app.add_handlers(".*$", handlers)
+      import sys
+      c.JupyterHub.load_roles = [
+          {
+              "name": "refresh-token",
+              "scopes": [
+                "admin:auth_state"
+              ]
+          }
+      ]
+      c.JupyterHub.services = [
+          {
+              'name': 'refresh-token',
+              'command': [sys.executable, './refresh_token.py']
+          }
+      ]
 
   extraEnv:
     NEXTCLOUD_DEBUG_OAUTH: "yes"