Tags: oauth, google-api, oauth-2.0, google-oauth

Google OAuth: removing scopes from access


Let's say I have an application and my application has been running for years requesting access from users. The application in question was requesting way more access than was needed, or the application has been changed and no longer needs some of the scopes which it is requesting.

The offending scopes have been removed so new users are no longer prompted for access that we don't need.

However, we now have a number of older users whose refresh tokens grant us access which we don't need. I would like to fix this by removing the no longer needed scopes from their authorization. The easiest solution would probably be to just revoke their tokens and require that they re-authorize; however, I think this would be unacceptable to the customers.

Examples of scopes:

https://www.googleapis.com/auth/analytics View and manage your Google Analytics data

The application is asking for full access. The application doesn't need full access.

https://www.googleapis.com/auth/analytics.readonly View your Google Analytics data

Is it possible to remove scopes from an authorization? I know it's possible to request additional permissions, but I haven't been able to find a way of removing excessive permissions.


Solution

  • No, it isn't possible.

    Scopes aren't nested. So although logically analytics.readonly is a subset of analytics, that's not how they are viewed internally. Thus there is no downgrade from analytics to analytics.readonly, as they are completely separate scopes. Therefore, since you must go through the additional-scopes process to acquire analytics.readonly, you might as well revoke the existing token, that being the only way to remove the existing analytics grant.
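As an added illustration of the revoke-and-re-consent path the answer describes (example code, not from the question, the answer, or Google's libraries): audit a stored grant against the scopes the app needs today using exact string comparison, since Google does not treat `analytics.readonly` as a subset of `analytics`, then build the revoke request and a consent URL that asks for only the minimal scope set. The endpoints are Google's documented OAuth 2.0 URLs; the tokeninfo payload, client id, redirect URI and refresh token are constructed placeholders.

```python
# Added example, not code from the original page. Audits an old grant against
# the app's current minimal scopes and prepares revoke + narrowed re-consent.
from urllib.parse import urlencode

REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Scopes the application actually needs today (read-only Analytics access).
REQUIRED_SCOPES = {"https://www.googleapis.com/auth/analytics.readonly"}

# Constructed sample of a tokeninfo response for an old grant: the user
# consented years ago to full Analytics access plus an unrelated scope.
SAMPLE_TOKENINFO = {
    "scope": "https://www.googleapis.com/auth/analytics "
             "https://www.googleapis.com/auth/userinfo.email",
}


def granted_scopes(tokeninfo: dict) -> set:
    """tokeninfo reports granted scopes as one space-separated string."""
    return set(tokeninfo.get("scope", "").split())


def excess_scopes(granted: set, required: set) -> set:
    """Scopes held but no longer needed. Exact-string comparison on purpose:
    a prefix match would wrongly treat the full 'analytics' grant as
    already covering 'analytics.readonly', which Google does not do."""
    return granted - required


def needs_reconsent(granted: set, required: set) -> bool:
    """True when the grant does not exactly match what the app needs, whether
    over-privileged or missing a scope; the fix is revoke + fresh consent."""
    return granted != required


def revoke_request(refresh_token: str) -> tuple:
    """Endpoint and POST body for Google's revoke call; this invalidates the
    whole grant, which is the only way to drop the old 'analytics' scope."""
    return REVOKE_ENDPOINT, {"token": refresh_token}


def narrowed_auth_url(client_id: str, redirect_uri: str, required: set) -> str:
    """Consent URL requesting only the minimal scopes. include_granted_scopes
    is deliberately omitted so the new token carries nothing from the old grant."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "access_type": "offline",
              "prompt": "consent", "scope": " ".join(sorted(required))}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"
```

Run the audit for each stored user grant; only users flagged by `needs_reconsent` are sent through the revoke and re-consent flow, so correctly scoped users are left untouched.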