Don't send TrnLookupStatus claim without TRN (#724)

DFE-Digital · Sep 20, 2023 · 3d714a0 · 3d714a0
1 parent 223a5c5
commit 3d714a0
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/dotnet-authserver/src/TeacherIdentity.AuthServer/UserClaimHelper.cs b/dotnet-authserver/src/TeacherIdentity.AuthServer/UserClaimHelper.cs
@@ -91,9 +91,6 @@ public async Task<IReadOnlyCollection<Claim>> GetPublicClaims(Guid userId, TrnMa
 
         if (trnMatchPolicy is not null)
         {
-            Debug.Assert(user.TrnLookupStatus.HasValue);
-            claims.Add(new Claim(CustomClaims.TrnLookupStatus, user.TrnLookupStatus!.Value.ToString()));
-
             var haveSufficientTrnMatch = user.Trn is not null &&
                 (trnMatchPolicy == TrnMatchPolicy.Default ||
                 user.TrnVerificationLevel == TrnVerificationLevel.Medium ||
@@ -102,7 +99,10 @@ public async Task<IReadOnlyCollection<Claim>> GetPublicClaims(Guid userId, TrnMa
 
             if (haveSufficientTrnMatch)
             {
+                Debug.Assert(user.Trn is not null);
+                Debug.Assert(user.TrnLookupStatus.HasValue);
                 claims.Add(new Claim(CustomClaims.Trn, user.Trn!));
+                claims.Add(new Claim(CustomClaims.TrnLookupStatus, user.TrnLookupStatus!.Value.ToString()));
 
                 if (trnMatchPolicy == TrnMatchPolicy.Strict)
                 {