APM-5429 forward acr_values parameter for combined CIS2 auth

NHSDigital · Aug 20, 2024 · 06aafa4 · 06aafa4
1 parent b29fed1
commit 06aafa4
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 2 deletions.
diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetAuthorizationPRRedirect.xml b/proxies/live/apiproxy/policies/AssignMessage.SetAuthorizationPRRedirect.xml
@@ -2,7 +2,7 @@
   <Set>
     <StatusCode>302</StatusCode>
     <Headers>
-      <Header name="Location">{identity-service-config.cis2.authorize_endpoint}?response_type={request.queryparam.response_type}&amp;client_id={identity-service-config.cis2.client_id}&amp;redirect_uri={identity-service-config.cis2.redirect_uri}&amp;scope=openid&amp;state={apigee.state}&amp;prompt=login</Header>
+      <Header name="Location">{identity-service-config.cis2.authorize_endpoint}?response_type={request.queryparam.response_type}&amp;client_id={identity-service-config.cis2.client_id}&amp;redirect_uri={identity-service-config.cis2.redirect_uri}&amp;scope=openid&amp;state={apigee.state}&amp;prompt=login&amp;acr_values={cis2.acr_values}</Header>
     </Headers>
   </Set>
   <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetAuthorizationRedirectCis2.xml b/proxies/live/apiproxy/policies/AssignMessage.SetAuthorizationRedirectCis2.xml
@@ -2,7 +2,7 @@
   <Set>
     <StatusCode>302</StatusCode>
     <Headers>
-      <Header name="Location">{identity-service-config.cis2.authorize_endpoint}?response_type={request.queryparam.response_type}&amp;client_id={identity-service-config.cis2.client_id}&amp;redirect_uri={identity-service-config.cis2.redirect_uri}&amp;scope=openid%20nationalrbacaccess&amp;state={apigee.state}&amp;max_age=300</Header>
+      <Header name="Location">{identity-service-config.cis2.authorize_endpoint}?response_type={request.queryparam.response_type}&amp;client_id={identity-service-config.cis2.client_id}&amp;redirect_uri={identity-service-config.cis2.redirect_uri}&amp;scope=openid%20nationalrbacaccess&amp;state={apigee.state}&amp;max_age=300&amp;acr_values={cis2.acr_values}</Header>
     </Headers>
   </Set>
   <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetDefaultAcrValues.xml b/proxies/live/apiproxy/policies/AssignMessage.SetDefaultAcrValues.xml
@@ -0,0 +1,7 @@
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.SetDefaultAcrValues">
+    <AssignVariable>
+        <Name>cis2.acr_values</Name>
+        <Template>{request.queryparam.acr_values}</Template>
+        <Default>AAL3_ANY</Default>
+    </AssignVariable>
+</AssignMessage>
diff --git a/proxies/live/apiproxy/proxies/default.xml b/proxies/live/apiproxy/proxies/default.xml
@@ -281,6 +281,10 @@
                     <Name>RaiseFault.VerifyResponseType</Name>
                     <Condition>request.queryparam.response_type != "code"</Condition>
                 </Step>
+                <!-- Extract the acr_values parameter for CIS2 auth redirect, using a default value if not provided  -->
+                <Step>
+                    <Name>AssignMessage.SetDefaultAcrValues</Name>
+                </Step>
                 <!-- introducte dummy token policy to get scopes, filter and save them into the cache -->
                 <Step>
                     <Name>AssignMessage.SetDummyGrantType</Name>