LanceMcCarthy / MvpApi

An application for Microsoft MVPs to easily browse and upload contributions
MIT License

Attempt to reduce MSA Access Scope #29

Closed LanceMcCarthy closed 6 years ago

LanceMcCarthy commented 6 years ago

The recommended scope from the API documentation is the following:

"wl.emails%20wl.basic%20wl.offline_access%20wl.signin"

This results in the following permissions request:

[Image: screenshot of the permissions request]

I will attempt to remove each scope to see what the lowest possible scope is, so that hopefully I can remove the "contacts and friends" permission.

LanceMcCarthy commented 6 years ago

I whittled this down to the lowest required scope, wl.signin, and it still has contacts/friends. There's nothing I can do about this other than to make it clear that the app does not ever access that info.

For more info on MS OAuth scope, see here: https://msdn.microsoft.com/en-us/library/hh243646.aspx#types

LanceMcCarthy commented 6 years ago

For future reference, here are the docs for Live Connect services using OAuth 2.0: https://msdn.microsoft.com/en-us/library/hh243647.aspx