When using the MinimalPermissionsGuidance plugin to check for excessive permissions, the report contains OpenId permission scopes, which are included on the token and are explicitly requested by the app when asking for an access token.
We should consider adding a new configurable property called permissionsToExclude to exclude these permissions from the report. The property default should include the default profile, openid and email scopes.
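As an added illustration (not Dev Proxy's own code) of what the proposed property would change, the following compares the scopes on a token with the scopes the observed requests actually needed, once with no exclusions and once with the proposed default of profile, openid and email. The function names, the space-separated `scp` claim format and case-insensitive comparison are assumptions of this example.

```python
# Added example, not the plugin's implementation: shows how a
# permissionsToExclude setting removes OpenID Connect scopes from the
# "excessive permissions" report.

# Assumed default for the proposed property (the scopes named in the issue).
DEFAULT_PERMISSIONS_TO_EXCLUDE = ("profile", "openid", "email")


def find_excessive_permissions(scp_claim, minimal_scopes,
                               permissions_to_exclude=DEFAULT_PERMISSIONS_TO_EXCLUDE):
    """Return the token scopes that were neither needed nor excluded, sorted.

    scp_claim:              the token's 'scp' claim, space-separated (assumed format)
    minimal_scopes:         scopes the observed API calls actually required
    permissions_to_exclude: scopes to leave out of the report entirely
    """
    # Compare case-insensitively (an assumption of this example) but report
    # the scope names exactly as they appear on the token.
    needed = {s.lower() for s in minimal_scopes}
    ignored = {s.lower() for s in permissions_to_exclude}
    return sorted(
        scope for scope in scp_claim.split()
        if scope.lower() not in needed and scope.lower() not in ignored
    )


if __name__ == "__main__":
    # Constructed sample: the app asked for OpenID Connect scopes plus two
    # Graph scopes, but the recorded requests only needed User.Read.
    token_scopes = "openid profile email User.Read Mail.Read"
    minimal = ["User.Read"]

    # Without exclusions the OpenID Connect scopes show up as false positives.
    print("no exclusions:", find_excessive_permissions(token_scopes, minimal, ()))
    # With the proposed default only the genuinely unused scope remains.
    print("default exclusions:", find_excessive_permissions(token_scopes, minimal))
```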
Great suggestion that'll help decrease false-positives and focus on what matters. Would it be clearer to name the property permissionsToIgnore or is permissionsToExclude clearer after all?