We recently attempted to go through the process of verification with Google for OAuth for the Google Drive repo integration with users outside our Google domain. After several weeks and hoops jumped through, I think we're going to have to disable the repo because the next step in the process involves a lengthy (and likely costly) process of CASA Tier 3  security assessment.

In the back and forth, Google suggested we would not need this assessment if we only requested the auth/drive.file scope versus the auth/drive scope. However since Moodle requires the latter, we don't really have that option.

Is it possible to modify the integration so only the drive.file scope is needed? Or is there some functionality the integration provides that requires the larger scope?

Also curious if anyone has successfully been through the OAuth verification process. It is quite arduous.

Thanks!

Edit by michaelh to add additional note: We need to also check whether any other specific scopes are required alongside drive.file to maintain all current functionality with Drive and avoid feature loss, for example teacher access controlled links functionality in assignment.