Understanding User Authentication - App

So I’ve been spinning my wheels and must be missing something.

Been building a GitHub app that just is going to do analytics on visible pull requests. Since all employees have different access permission I thought this was the plan

 * Make GitHub App w/ PR permissions [done]
 * Additionally use OAUTH flow to capture WHO is using the app [done]
 * Use the GitHub App client/secret to obtain a user-specific token and use that [done]
 * Query graphql with the user-specific token [fail]

So when I use the v4 endpoint, I only get back public repos and none from the organization. I’m an owner of said organization and have enabled the App so don’t quite understand that.

If I generate my own personal access token and inject it, my v4 query works perfectly fine and dumps out 25 pull requests (private and public) included.

Obviously personal access tokens are for development and cannot be made programmatically, so what step am I missing here?

What is the intended authentication path to make graphql queries on behalf a user based on app in an organization?

graphql says (https://developer.github.com/v4/guides/forming-calls/#authenticating-with-graphql)
 > To communicate with the GraphQL server, you’ll need an OAuth token with the right scopes.

Github App says (https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/)

 >  Note:  You don’t need to provide scopes in your authorization request. Unlike traditional OAuth, the authorization token is limited to the permissions associated with your GitHub App and those of the user.

So GitHub App User token does not require scopes because it leverages the one from app, but the GitHub App user permissions doesn’t have any related to repos. I guess typing this out, maybe the intended goal is to authenticate as the app (integration) and gain access to ALL repos, then build your own permissions out within your integration based on what is visible, but I tried that and still only got back public repos. (Auth`d as integration)

To any future people, I had to additionally request “issues” at the application level. 

Once that was done, I got private/public pull requests back. I guess since every PR is an issue, something requires that permission.