The Oauth2 flow returns a user id that is a UUID, not an integer. It seems that this is a global identifier, while the instance-level integer id is used in GET /users/{id}. This makes it difficult to verify that whoever is granting us access has the required roles to enable our integration--we have to fetch all users with our required role and verify the user's roles by matching their email. But the request to check that the user has the correct roles can fail if the user doesn't have the correct roles, a bit of a chicken and egg issue. That means we need to verbally confirm with clients to make sure their roles are correct if there is a problem with the data sync, instead of being able to programmatically alert them that they don't have the required permissions. This could be fixed if (a) the user roles for the granted context were supplied in the Oauth token response or (b) we could fetch roles for a user using the returned UUID, either through the oauth2 server or through the Sky API.