From 28b8fc02c6080e608181f65e675cfe8dd7bdc21f Mon Sep 17 00:00:00 2001
From: Sophie Clayton <sophie.clayton12@nhs.net>
Date: Wed, 12 Jun 2024 12:18:01 +0100
Subject: [PATCH 1/2] APM-5380 try to get the token exchange flow vars from the
 subject token

---
 ...uthV2.TokenExchangeGenerateAccessTokenFilteredScopes.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/proxies/live/apiproxy/policies/OAuthV2.TokenExchangeGenerateAccessTokenFilteredScopes.xml b/proxies/live/apiproxy/policies/OAuthV2.TokenExchangeGenerateAccessTokenFilteredScopes.xml
index 6953edf7..6d497719 100644
--- a/proxies/live/apiproxy/policies/OAuthV2.TokenExchangeGenerateAccessTokenFilteredScopes.xml
+++ b/proxies/live/apiproxy/policies/OAuthV2.TokenExchangeGenerateAccessTokenFilteredScopes.xml
@@ -21,9 +21,9 @@
         <Attribute name="id_token-subject" ref="jwt.VerifyJWT.SubjectToken.claim.subject" display="true" />
         <Attribute name="id_token" display="true" ref="request.formparam.subject_token" />
         <Attribute name="id_token-issuer" ref="jwt.VerifyJWT.SubjectToken.claim.issuer" display="true" />
-        <Attribute name="id_token-acr" ref="jwt.DecodeJWT.FromExternalIdToken.claim.acr" display="true" />
-        <Attribute name="id_token-amr" ref="jwt.DecodeJWT.FromExternalIdToken.claim.amr" display="true" />
-        <Attribute name="id_token-id-assurance-level" ref="jwt.DecodeJWT.FromExternalIdToken.claim.id_assurance_level" display="true" />
+        <Attribute name="id_token-acr" ref="jwt.VerifyJWT.SubjectToken.claim.acr" display="true" />
+        <Attribute name="id_token-amr" ref="jwt.VerifyJWT.SubjectToken.claim.amr" display="true" />
+        <Attribute name="id_token-id-assurance-level" ref="jwt.VerifyJWT.SubjectToken.claim.id_assurance_level" display="true" />
         <Attribute name="grant_type" display="true">urn:ietf:params:oauth:grant-type:token-exchange</Attribute>
         <Attribute name="auth_type" ref="splunk.auth.type" display="true" />
         <Attribute name="auth_grant_type" ref="splunk.auth.grant_type" display="true" />

From a5c93e3313469a5ea836106ca60749734dc004bc Mon Sep 17 00:00:00 2001
From: Sophie Clayton <sophie.clayton12@nhs.net>
Date: Wed, 12 Jun 2024 12:41:07 +0100
Subject: [PATCH 2/2] APM-5380 add id_assurance_level to subject token claim
 for tests

---
 e2e/tests/conftest.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/e2e/tests/conftest.py b/e2e/tests/conftest.py
index 131e745e..f7c90b6b 100644
--- a/e2e/tests/conftest.py
+++ b/e2e/tests/conftest.py
@@ -103,6 +103,7 @@ def cis2_subject_token_claims():
         "aud": "969567331415.apps.national",
         "c_hash": "bc7zzGkClC3MEiFQ3YhPKg",
         "acr": "AAL3_ANY",
+        "id_assurance_level": int(3),
         "org.forgerock.openidconnect.ops": "-I45NjmMDdMa-aNF2sr9hC7qEGQ",
         "s_hash": "LPJNul-wow4m6Dsqxbning",
         "azp": "969567331415.apps.national",