diff --git a/pillar/api/blender_cloud/subscription.py b/pillar/api/blender_cloud/subscription.py
index 319ae8b0..8591c2ad 100644
--- a/pillar/api/blender_cloud/subscription.py
+++ b/pillar/api/blender_cloud/subscription.py
@@ -102,12 +102,12 @@ def update_subscription():
 
     if grant_subscriber != is_subscriber:
         action = 'grant' if grant_subscriber else 'revoke'
-        log.info('%sing subscriber role to user %s', action, user_id)
+        log.info('%sing subscriber role to user %s (Blender ID email %s)', action, user_id, email)
         service.do_badger(action, 'subscriber', user_id=user_id)
 
     if grant_demo != is_demo:
         action = 'grant' if grant_demo else 'revoke'
-        log.info('%sing demo role to user %s', action, user_id)
+        log.info('%sing demo role to user %s (Blender ID email %s)', action, user_id, email)
         service.do_badger(action, 'demo', user_id=user_id)
 
     return '', 204
diff --git a/pillar/auth/__init__.py b/pillar/auth/__init__.py
index 9bff9cdf..b314120a 100644
--- a/pillar/auth/__init__.py
+++ b/pillar/auth/__init__.py
@@ -87,7 +87,17 @@ def login_user(oauth_token):
 
 def get_blender_id_oauth_token():
     """Returns a tuple (token, ''), for use with flask_oauthlib."""
-    return session.get('blender_id_oauth_token')
+
+    from flask import request
+
+    token = session.get('blender_id_oauth_token')
+    if token:
+        return token
+
+    if request.authorization:
+        return request.authorization.username, ''
+
+    return None
 
 
 def config_oauth_login(app):
diff --git a/pillar/web/users/routes.py b/pillar/web/users/routes.py
index fa0b45ce..23a3cf19 100644
--- a/pillar/web/users/routes.py
+++ b/pillar/web/users/routes.py
@@ -44,11 +44,11 @@ def login():
 
 @blueprint.route('/oauth/blender-id/authorized')
 def blender_id_authorized():
-    from pillar.api.blender_cloud import subscription
-
     check_oauth_provider(current_app.oauth_blender_id)
     try:
         oauth_resp = current_app.oauth_blender_id.authorized_response()
+        if isinstance(oauth_resp, OAuthException):
+            raise oauth_resp
     except OAuthException as ex:
         log.warning('Error parsing BlenderID OAuth response. data=%s; message=%s',
                     ex.data, ex.message)
@@ -60,9 +60,6 @@ def blender_id_authorized():
         log.warning('Access denied to user because oauth_resp=None: %s', msg)
         return wz_exceptions.Forbidden(msg)
 
-    if isinstance(oauth_resp, OAuthException):
-        return 'Access denied: %s' % oauth_resp.message
-
     session['blender_id_oauth_token'] = (oauth_resp['access_token'], '')
 
     pillar.auth.login_user(oauth_resp['access_token'])
@@ -70,7 +67,8 @@ def blender_id_authorized():
     if current_user is not None:
         # Check with the store for user roles. If the user has an active
         # subscription, we apply the 'subscriber' role
-        subscription.update_subscription()
+        api = system_util.pillar_api(token=oauth_resp['access_token'])
+        api.get('bcloud/update-subscription')
 
     next_after_login = session.get('next_after_login')
     if next_after_login: