Closed jonnyry closed 4 years ago
Would the Spine Proxy not be the best place to do this check and enforce the correct ASID for the ORG?
Current Consumer scripts do expect that we check to ensure the SSP From ASID is from the request originating endpoint and not the 'Manufacturer ASID' or fixed value.
For consumer systems that are used across multiple organisations, ensure the consumer system is sending the correct ASID in the Ssp-From header for the organisation that is making the request: https://developer.nhs.uk/apis/gpconnect-1-2-3/integration_system_topologies.html#consumer-system---shared-mhs
https://developer.nhs.uk/apis/gpconnect-1-2-3/overview_release_notes_1_2_3.html#clarify-asid-requirements-and-topologies-for-aggregators
Essentially, consumer systems that are deployed across multiple organisations MUST NOT send a single fixed ASID in Ssp-From all of the time, the ASID must relate to the organisation making the request.
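As an added illustration of the check discussed in this thread (not code from the project or from any participant), the sketch below validates that the ASID in Ssp-From is registered to the organisation making the request, and flags any ASID seen on behalf of more than one organisation. The registry contents, ASIDs, ODS codes and function names are constructed, and it assumes the requesting organisation's ODS code has already been extracted from the request.

```python
from collections import defaultdict

# Constructed registry: ASID -> ODS code of the organisation it was issued for.
# A real deployment would source this from its endpoint directory (assumption).
ASID_REGISTRY = {
    "200000000001": "A11111",
    "200000000002": "B22222",
    "200000000099": "SUP01",  # constructed supplier-level ("manufacturer") ASID
}

def _ssp_from(headers):
    """Return the Ssp-From value; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "ssp-from":
            return value.strip()
    return None

def check_ssp_from(headers, requesting_ods, registry=ASID_REGISTRY):
    """Return (ok, reason) for one request."""
    asid = _ssp_from(headers)
    if not asid:
        return (False, "missing Ssp-From")
    owner = registry.get(asid)
    if owner is None:
        return (False, "unknown ASID")
    if owner != requesting_ods:
        return (False, "ASID belongs to %s, not %s" % (owner, requesting_ods))
    return (True, "ok")

def shared_asids(requests):
    """Map each ASID used on behalf of more than one organisation to those organisations."""
    orgs_by_asid = defaultdict(set)
    for headers, requesting_ods in requests:
        asid = _ssp_from(headers)
        if asid:
            orgs_by_asid[asid].add(requesting_ods)
    return {a: sorted(o) for a, o in orgs_by_asid.items() if len(o) > 1}

# Constructed sample: (request headers, requesting organisation ODS code).
SAMPLE_REQUESTS = [
    ({"Ssp-From": "200000000001"}, "A11111"),
    ({"Ssp-From": "200000000099"}, "A11111"),  # fixed ASID reused
    ({"ssp-from": "200000000099"}, "B22222"),  # same fixed ASID, different org
    ({"Ssp-From": "200000000002"}, "B22222"),
]

if __name__ == "__main__":
    for headers, ods in SAMPLE_REQUESTS:
        print(ods, check_ssp_from(headers, ods))
    print(shared_asids(SAMPLE_REQUESTS))
```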