From b624767223e2ab33bc3a5615edcb42df2bd31746 Mon Sep 17 00:00:00 2001
From: RyanThomas1214 <ryan_j_thomas@hotmail.co.uk>
Date: Mon, 21 Jul 2025 13:04:07 +0100
Subject: [PATCH] FLAGSAPI-1140 allow both AAL3 and AAL2

---
 manifest_template.yml                                        | 1 +
 proxies/live/apiproxy/policies/OAuthV2.VerifyAccessToken.xml | 2 +-
 proxies/live/apiproxy/targets/scr-target.xml                 | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/manifest_template.yml b/manifest_template.yml
index 1dcb9326..7047e026 100644
--- a/manifest_template.yml
+++ b/manifest_template.yml
@@ -72,6 +72,7 @@ apigee:
         scopes:
           - 'urn:nhsd:apim:app:level3:summary-care-record'
           - 'urn:nhsd:apim:user-nhs-id:aal2:summary-care-record'
+          - 'urn:nhsd:apim:user-nhs-id:aal3:summary-care-record'
         quota: {{ ENV.quota | default('300') }}
         quotaInterval: '1'
         quotaTimeUnit: minute
diff --git a/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessToken.xml b/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessToken.xml
index 515c24e3..dff19132 100644
--- a/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessToken.xml
+++ b/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessToken.xml
@@ -1,4 +1,4 @@
 <OAuthV2 async="false" continueOnError="false" enabled="true" name="OauthV2.VerifyAccessToken">
   <Operation>VerifyAccessToken</Operation>
-  <Scope>urn:nhsd:apim:app:level3:summary-care-record urn:nhsd:apim:user-nhs-id:aal2:summary-care-record</Scope>
+  <Scope>urn:nhsd:apim:app:level3:summary-care-record urn:nhsd:apim:user-nhs-id:aal2:summary-care-record urn:nhsd:apim:user-nhs-id:aal3:summary-care-record</Scope>
 </OAuthV2>
diff --git a/proxies/live/apiproxy/targets/scr-target.xml b/proxies/live/apiproxy/targets/scr-target.xml
index 4cd4e1a1..250e1244 100644
--- a/proxies/live/apiproxy/targets/scr-target.xml
+++ b/proxies/live/apiproxy/targets/scr-target.xml
@@ -29,7 +29,7 @@
       </Step>
       <Step>
         <Name>AssignMessage.SetAccessModeUserRestricted</Name>
-        <Condition>(scope JavaRegex "(.+\ urn:nhsd:apim:user-nhs-id:aal2:summary-care-record\ .+|^urn:nhsd:apim:user-nhs-id:aal2:summary-care-record\ .+|.+\ urn:nhsd:apim:user-nhs-id:aal2:summary-care-record$|^urn:nhsd:apim:user-nhs-id:aal2:summary-care-record$)")</Condition>
+        <Condition>(scope JavaRegex "(.+\ urn:nhsd:apim:user-nhs-id:aal2:summary-care-record\ .+|^urn:nhsd:apim:user-nhs-id:aal2:summary-care-record\ .+|.+\ urn:nhsd:apim:user-nhs-id:aal2:summary-care-record$|^urn:nhsd:apim:user-nhs-id:aal2:summary-care-record$)" OR scope JavaRegex "(.+\ urn:nhsd:apim:user-nhs-id:aal3:summary-care-record\ .+|^urn:nhsd:apim:user-nhs-id:aal3:summary-care-record\ .+|.+\ urn:nhsd:apim:user-nhs-id:aal3:summary-care-record$|^urn:nhsd:apim:user-nhs-id:aal3:summary-care-record$)")</Condition>
       </Step>
       <Step>
         <Name>FlowCallout.UserRoleService</Name>