Exclude OpenId permissions from MinimalPermissionsGuidance output
garrytrinder opened this issue · 2 comments
garrytrinder commented
When using the `MinimalPermissionsGuidance` plugin to check for excessive permissions, the report contains OpenId permission scopes which are included on the token and which are explicitly requested by the app when asking for an access token.

We should consider adding a new configurable property called `permissionsToExclude` to exclude these permissions from the report. The property default should include the default `profile`, `openid` and `email` scopes.
waldekmastykarz commented
Great suggestion that'll help decrease false-positives and focus on what matters. Would it be clearer to name the property `permissionsToIgnore` or is `permissionsToExclude` clearer after all?
waldekmastykarz commented
Let's use `permissionsToIgnore`.
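To make the effect of the agreed `permissionsToIgnore` setting concrete, here is an added illustration of the comparison the issue describes. It is example code written for this page, not Dev Proxy's own plugin implementation: the claim layout (a space-separated `scp` claim), the default ignore list of `profile`, `openid` and `email`, and the sample token are constructed for the demo, and the report shape (`excessive`, `ignored`, `missing`) is an assumption.

```python
"""Illustrative excessive-permissions check with an ignore list.

Added example, not Dev Proxy's own code. It shows why the OpenID Connect scopes
an app requests explicitly (profile, openid, email) would otherwise be reported
as "excessive", and how a permissionsToIgnore list removes that false positive.
"""
import base64
import json

# Assumed default for the proposed permissionsToIgnore setting, taken from the
# issue text; a real configuration would let the user override it.
DEFAULT_PERMISSIONS_TO_IGNORE = ("profile", "openid", "email")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(access_token: str) -> list:
    """Read the delegated scopes (`scp` claim) out of a JWT access token.

    Only the payload is parsed; the signature is NOT verified. That is fine for
    inspecting a token the client itself holds, purely for reporting, but this
    function must never be used to decide whether to accept a token.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    scp = claims.get("scp", "")
    # Delegated scopes arrive as one space-separated string in the scp claim.
    return scp.split() if isinstance(scp, str) else list(scp)


def minimal_permissions_report(granted, minimal,
                               permissions_to_ignore=DEFAULT_PERMISSIONS_TO_IGNORE):
    """Compare the scopes on the token with the minimal set the observed requests need.

    Returns a dict with:
      excessive - scopes on the token that no observed request needed
      ignored   - scopes skipped because they are on the ignore list
      missing   - minimal scopes the token does not carry (calls would fail)
    Comparison is case-insensitive; the original spelling is kept in the output.
    """
    ignore = {s.lower() for s in permissions_to_ignore}
    granted_l = {s.lower(): s for s in granted}
    minimal_l = {s.lower(): s for s in minimal}

    excessive = sorted(orig for low, orig in granted_l.items()
                       if low not in minimal_l and low not in ignore)
    ignored = sorted(orig for low, orig in granted_l.items() if low in ignore)
    missing = sorted(orig for low, orig in minimal_l.items() if low not in granted_l)
    return {"excessive": excessive, "ignored": ignored, "missing": missing}


def make_sample_token(scopes: str) -> str:
    """Build a CONSTRUCTED, unsigned JWT-shaped token for this demo only."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "scp": scopes}

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    token = make_sample_token(
        "openid profile email User.Read Mail.ReadWrite Files.ReadWrite.All")
    # Minimal scopes the observed requests actually needed (constructed).
    needed = ["User.Read", "Mail.Read"]
    print("with ignore list:   ", minimal_permissions_report(token_scopes(token), needed))
    # With the ignore list emptied, the three OpenID Connect scopes come back as
    # excessive, which is the false positive the issue describes.
    print("without ignore list:", minimal_permissions_report(
        token_scopes(token), needed, permissions_to_ignore=()))
```

The `ignored` list is kept in the output on purpose: a reviewer can still see which scopes were skipped, so an overly broad ignore list cannot silently hide a genuinely excessive permission.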