I have enabled Canvas App on Connected App to embed external apllication in Salesforce. 
I have provided below configuration.

• OAuth Enabled
• Selected OAuth Scopes : Access the identity URL service (id, profile, email, address, phone),
  Perform requests at any time (refresh_token, offline_access)
• Permitted Users: Admin approved users are pre-authorized
• Refresh Token Policy:Immediately expire refresh token.

Receiving below error
 

I have a requirment to create a service which takes input as a user ( userid) and the service needs to return the list of Accounts the user has access to. The user can get access to account  to all possible ways that salesforce can provide (Sharing rules, Role Hierharchies, Record Ownership, Account Team etc...).

I looked around on AccountShare object, GroupMember, UserRecordAcess, Role  object. but could not really connect all the dots together to come up with logic to accomplish this.

USerRecordAccess has the details but you have to provide the USerid and Recordid in order to pull the records which does not fit my requirment.

Looking for any guidance.