Trying to reproduce previous behaviour

tests/api_tests.py

@@ -321,22 +321,11 @@ def test_token_exchange_sad_path(immunisation_history_app: Dict, environment: st
     _assert_unauthorized_client_exception(exc_info=exc_info)
 
 
-#  There appears to be a naming change in progress which is why both versions of the scope for aal3 appear
 @pytest.mark.e2e
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "test_product_and_app",
     [
-        {
-            "scopes": ["urn:nhsd:apim:user-nhs-id:aal3:immunisation-history"],
-            "requested_proofing_level": "P9",
-            "identity_proofing_level": "P9",
-        },
-        {
-            "scopes": ["urn:nhsd:apim:user-nhs-id:aal3:immunisation-history"],
-            "requested_proofing_level": "P5",
-            "identity_proofing_level": "P9",
-        },
         {
             "scopes": ["urn:nhsd:apim:user-nhs-cis2:aal3:immunisation-history"],
             "requested_proofing_level": "P9",
@@ -350,21 +339,33 @@ def test_token_exchange_sad_path(immunisation_history_app: Dict, environment: st
     ],
     indirect=True,
 )
-async def test_user_restricted_access_not_permitted(test_product_and_app, service_url: str, environment: str,
-                                                    _jwt_keys):
+async def test_user_restricted_access_not_permitted(test_product_and_app, service_url: str, environment: str):
     await asyncio.sleep(1)  # Add delay to tests to avoid 429 on service callout
 
     test_product, test_app = test_product_and_app
 
-    subject_token_claims = {
-        "identity_proofing_level": test_app["request_params"]["identity_proofing_level"]
+    token_response = conftest.get_authorization_code_token(app=test_app, environment=environment)
+
+    correlation_id = _generate_correlation_id('test_user_restricted_access_not_permitted')
+
+    authorised_headers = {
+        "Authorization": f"Bearer {token_response['access_token']}",
+        "NHSD-User-Identity": conftest.nhs_login_id_token(
+            allowed_proofing_level=test_app["request_params"]["identity_proofing_level"],
+        ),
+        "X-Correlation-ID": correlation_id
     }
-    with pytest.raises(RuntimeError) as exc_info:
-        conftest.get_token_nhs_login_token_exchange(test_app=test_app, environment=environment,
-                                                    _jwt_keys=_jwt_keys,
-                                                    subject_token_claims=subject_token_claims)
 
-    _assert_unauthorized_client_exception(exc_info=exc_info)
+    resp = requests.get(
+        f'{service_url}/{_valid_uri_procedure_below(VALID_NHS_NUMBER, "90640007")}',
+        headers=authorised_headers
+    )
+    assert resp.status_code == 401
+    body = resp.json()
+    assert body["resourceType"] == "OperationOutcome"
+    assert body["issue"][0]["severity"] == "error"
+    assert body["issue"][0]["diagnostics"] == "Provided access token is invalid"
+    assert body["issue"][0]["code"] == "forbidden"
 
 
 @pytest.mark.e2e

tests/conftest.py

@@ -7,6 +7,7 @@
 
 import jwt
 import pytest
+import requests
 
 from pytest_nhsd_apim.apigee_apis import (
     ApigeeClient,
@@ -112,6 +113,19 @@ def get_token(
     return token_response
 
 
+def get_authorization_code_token(
+    app: Dict, environment: str
+):
+    data = {"client_id": app["credentials"][0]["consumerKey"],
+            "client_secret": app["credentials"][0]["consumerSecret"],
+            "grant_type": "authorization_code"}
+
+    resp = requests.post(f"{get_oath_url(environment)}/token", data=data)
+    if resp.status_code != 200:
+        raise RuntimeError(f"{resp.status_code}: {resp.text}")
+    return resp.json()
+
+
 def get_authorised_headers(client_app: Dict, environment: str, _jwt_keys):
     token = get_token(app=client_app, environment=environment, _jwt_keys=_jwt_keys)
     return {"Authorization": f'Bearer {token["access_token"]}'}