diff --git a/lib/oauth3.js b/lib/oauth3.js
index f500034..c74b2e8 100644
--- a/lib/oauth3.js
+++ b/lib/oauth3.js
@@ -9,8 +9,8 @@ function generateRescope(req, Models, decoded, fullPpid, ppid) {
 console.log('[rescope] Attempting ', fullPpid);
 return Models.IssuerOauth3OrgGrants.find({ azpSub: fullPpid }).then(function (results) {
 if (results[0]) {
- console.log('[rescope] lukcy duck: got it on the 1st try');
- return PromiseA.resolve(results);
+ console.log('[rescope] lucky duck: got it on the 1st try');
+ return results;
 }
 // XXX BUG XXX
@@ -20,24 +20,35 @@ function generateRescope(req, Models, decoded, fullPpid, ppid) {
 var result = results[0];
 if (!result || !result.sub || !decoded.iss) {
- // XXX BUG XXX TODO swap this external ppid for an internal (and ask user to link with existing profile)
- //req.oauth3.accountIdx = fullPpid;
- console.log(decoded);
- console.log(decoded.iss);
- console.log(fullPpid);
- console.log(ppid);
- throw new Error("internal / external ID swapping not yet implemented. TODO: "
- + "No profile found with that credential. Would you like to create a new profile or link to an existing profile?");
+ console.log('[rescope] Not a 2nd party token...');
+ return Models.IssuerOauth3OrgProfiles.get(fullPpid);
 }
+ return result;
+ }).then(function (result) {
+ if (!result || !result.sub || !decoded.iss) {
+ // XXX BUG XXX TODO swap this external ppid for an internal (and ask user to link with existing profile)
+ //req.oauth3.accountIdx = fullPpid;
+ console.log('[DEBUG] decoded:');
+ console.log(decoded);
+ console.log('[DEBUG] decoded.iss:', decoded.iss);
+ console.log('[DEBUG] fullPpid:', fullPpid);
+ console.log('[DEBUG] ppid:', ppid);
+
+ throw new Error(
+ "TODO: No profile found with that credential. Would you like to create a new profile or link to an existing profile?"
+ );
+ }
+
+ // XXX BUG XXX need to pass own url in to use as issuer for own tokens
- req.oauth3.accountIdx = result.sub + '@' + decoded.iss;
+ req.oauth3.accountIdx = result.sub + '@' + (result.iss || decoded.iss);
 console.log('[rescope] result:');
- console.log(results);
- console.log(req.oauth3.accountIdx);
+ console.log(result);
+ console.log('[rescope] req.oauth3.accountIdx:', req.oauth3.accountIdx);
- return PromiseA.resolve(req.oauth3.accountIdx);
+ return req.oauth3.accountIdx;
 });
 };
 }
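Review bot: The error path in the second `.then` still writes the whole decoded token payload to stdout (`console.log(decoded);`), and the success path now logs the full stored record (`console.log(result);`), so token claims and profile data end up in whatever collects the process logs. The labelled lines already print `decoded.iss`, `fullPpid` and `ppid`, so I would drop the two object dumps and, if a trace is still wanted, log one field such as `console.log('[rescope] result.sub:', result.sub);`. Separately, both guards test `!decoded.iss`, so a token without `iss` discards a valid grant in the first `.then` and still throws in the second, which leaves the new `result.iss ||` preference unreachable for that case; if own tokens are meant to resolve through the stored issuer, as the XXX comment seems to suggest, the second guard would need to be `if (!result || !result.sub || !(result.iss || decoded.iss)) {`. Whether `decoded` has been signature-verified before it feeds `accountIdx` is not visible here, since the function body starts above the hunk.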