NPA-4591: New OAuthV2 policy for CIS2 AAL3 scope conditionally applied in Target PreFlow

ellie-bound1-NHSD · ellie-bound1-NHSD · commit 86cc7787c047 · 2025-03-06T16:00:02.000Z
diff --git a/manifest_template.yml b/manifest_template.yml
@@ -91,8 +91,9 @@ apigee:
 {% if ENV.has_mock_auth | default(false) %}
           - identity-service-mock-{{ ENV.name }}
 {% endif %}
-        scopes:
+        scopes: # Step 1: Configured product to include scopes
           - 'urn:nhsd:apim:user-nhs-login:P9:{{ SERVICE_NAME }}'
+          - 'urn:nhsd:apim:user-nhs-id:aal3:{{ SERVICE_NAME }}'
     specs:
       - name: {{ NAME }}
         path: {{ SERVICE_NAME }}.json
diff --git a/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUserCIS2AAL3.xml b/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUserCIS2AAL3.xml
@@ -0,0 +1,5 @@
+<!--Step 2: Adding VerifyAccessToken policy to your proxy-->
+<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessTokenUserCIS2AAL3">
+  <Operation>VerifyAccessToken</Operation>
+  <Scopes>urn:nhsd:apim:user-nhs-id:aal3:validated-relationships-service-api</Scopes>
+</OAuthV2>
diff --git a/proxies/live/apiproxy/targets/target.xml b/proxies/live/apiproxy/targets/target.xml
@@ -2,7 +2,13 @@
 <TargetEndpoint name="validated-relationships-service-api-target">
     <PreFlow>
         <Request>
+        <!--Step 3: Configuring the VerifyAccessToken policy to restrict access-->
             <Step>
+                <Condition>(proxy.pathsuffix MatchesPath "/Consent") and (request.verb = "POST")</Condition>
+                <Name>VerifyAccessTokenUserCIS2AAL3</Name>
+            </Step>
+            <Step>
+                <Condition>(proxy.pathsuffix != "/Consent") or (request.verb != "POST")</Condition>
                 <Name>VerifyAccessTokenUserNhsLoginP9</Name>
             </Step>
             <Step>
