Merge branch 'master' into dev/NPA-4517-post-headers

kamran-iqbal4-NHSD · web-flow · commit ebfebb9dcbfb · 2025-03-10T10:02:47.000Z
diff --git a/manifest_template.yml b/manifest_template.yml
@@ -91,8 +91,9 @@ apigee:
 {% if ENV.has_mock_auth | default(false) %}
           - identity-service-mock-{{ ENV.name }}
 {% endif %}
-        scopes:
+        scopes: # Step 1: Configured product to include scopes
           - 'urn:nhsd:apim:user-nhs-login:P9:{{ SERVICE_NAME }}'
+          - 'urn:nhsd:apim:user-nhs-id:aal3:{{ SERVICE_NAME }}'
     specs:
       - name: {{ NAME }}
         path: {{ SERVICE_NAME }}.json
diff --git a/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUser.xml b/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUser.xml
@@ -1,4 +1,5 @@
-<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessTokenUserNhsLoginP9">
+<!--Step 2: Adding VerifyAccessToken policy to your proxy-->
+<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessTokenUser">
   <Operation>VerifyAccessToken</Operation>
-  <Scopes>urn:nhsd:apim:user-nhs-login:P9:validated-relationships-service-api</Scopes>
+  <Scopes>urn:nhsd:apim:user-nhs-login:P9:validated-relationships-service-api urn:nhsd:apim:user-nhs-id:aal3:validated-relationships-service-api</Scopes>
 </OAuthV2>
diff --git a/proxies/live/apiproxy/targets/target.xml b/proxies/live/apiproxy/targets/target.xml
@@ -3,7 +3,7 @@
     <PreFlow>
         <Request>
             <Step>
-                <Name>VerifyAccessTokenUserNhsLoginP9</Name>
+                <Name>VerifyAccessTokenUser</Name>
             </Step>
             <Step>
                 <Name>FlowCallout.ApplyRateLimiting</Name>
@@ -20,6 +20,14 @@
             <Step>
                 <Name>AddUserAuthHeaders</Name>
             </Step>
+            <Step>
+                <Name>RaiseFault.401Unauthorized</Name>
+                <Condition>accesstoken.auth_level != "aal3" and proxy.pathsuffix = "/FHIR/R4/Consent" and request.verb = "POST"</Condition>
+            </Step>
+            <Step>
+                <Name>RaiseFault.401Unauthorized</Name>
+                <Condition>accesstoken.auth_level != "p9" and (proxy.pathsuffix != "/FHIR/R4/Consent" or request.verb != "POST")</Condition>
+            </Step>
             <Step>
                 <Name>RaiseFault.415UnsupportedMediaType</Name>
                 <Condition>request.verb = "POST" and request.header.Content-Type != "application/fhir+json" and request.header.Content-Type != "application/fhir+json; charset=utf-8"</Condition>
