You can integrate Tanzu SSO with an external identity. If, while testing access to your application, you notice that the scopes returned are not what you expected, you can use UAA endpoints to query the scopes of specific users or clients.
Use the following UAA endpoints to get scope details when troubleshooting SSO issues:
1. Target UAA and get an admin client token
uaac target uaa.UAA-DOMAIN --skip-ssl-validation
uaac token client get admin -s ADMIN-CLIENT-SECRET
2. Determine your subdomain
uaac curl -k "/identity-zones"
3. Use the following UAA endpoints to query user or client scopes
Scope details for users
uaac curl -k "/Users" -H "X-Identity-Zone-Subdomain:<sub-domain>"
uaac curl -k "/Users/<user-id>" -H "X-Identity-Zone-Subdomain:<sub-domain>"
uaac curl -H "X-Identity-Zone-Subdomain:<sub-domain>" "/Users?filter=username+eq+%22<username>%22"
Getting scope details for clients
uaac curl -k "/oauth/clients" -H "X-Identity-Zone-Subdomain:<sub-domain>"
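Once you have the JSON bodies from the user and client queries above, the comparison can be scripted. The following is an added example, not part of the original article: it assumes the usual UAA response shape (user scopes appear as the `display` names under `groups`, client scopes under `scope`) and that a user token carries only scopes present on both sides. The sample data, the `diagnose` helper and all names in it are constructed for illustration.

```python
import json

# Constructed sample bodies (not real data), shaped like UAA's JSON responses
# for /Users/<user-id> and for one client entry from /oauth/clients.
USER_JSON = """{
  "id": "00000000-0000-0000-0000-000000000001",
  "userName": "alice@example.com",
  "origin": "example-idp",
  "groups": [
    {"value": "g1", "display": "openid", "type": "DIRECT"},
    {"value": "g2", "display": "todo.read", "type": "DIRECT"}
  ]
}"""
CLIENT_JSON = """{
  "client_id": "example-app",
  "scope": ["openid", "todo.read", "todo.write"],
  "authorities": ["uaa.resource"],
  "authorized_grant_types": ["authorization_code"]
}"""

def user_scopes(user_body):
    """Scopes a user holds: the display names of the groups in the user record."""
    return {g["display"] for g in json.loads(user_body).get("groups", [])}

def diagnose(user_body, client_body, expected):
    """For each expected scope, say why it would be absent from a user token.

    Assumption: exact-name comparison only; wildcard client scopes are not expanded.
    """
    held = user_scopes(user_body)
    allowed = set(json.loads(client_body).get("scope", []))
    report = {}
    for scope in expected:
        if scope in held and scope in allowed:
            report[scope] = "ok"
        elif scope in allowed:
            report[scope] = "user is not in this group"
        elif scope in held:
            report[scope] = "client scope list does not allow it"
        else:
            report[scope] = "missing from both user and client"
    return report

if __name__ == "__main__":
    wanted = ["openid", "todo.read", "todo.write", "todo.admin"]
    for scope, reason in diagnose(USER_JSON, CLIENT_JSON, wanted).items():
        print(f"{scope}: {reason}")
```

Paste only the JSON body of each `uaac curl` response into the two variables; the request and response headers that `uaac curl` prints are not valid JSON.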