HMPPS Assess Risks and Needs (ARNS) Handover Service is a (mostly) backend service built for handling authentication and shared context data across OASys and ARNS-space applications. It is managed by both the ARNS and Sentence Planning (SP) team as both os their projects rely on it for authentication.
The ARNS Handover Service operates as follows:
Handover Context Payload:
- A client (OASys) authorized through HMPPS Auth sends a payload of contextual data to the
endpoint in the ARNS. Handover Service. This payload includes information about the principal, the subject, and additional context related to HMPPS Strength-Based Needs Assessment (SBNA/SAN) or HMPPS Sentence Plan (SP).
- A client (OASys) authorized through HMPPS Auth sends a payload of contextual data to the
Handover Link Generation:
- A handover link is generated and returned to the client. This link should be presented to the user.
User Authentication:
- When the user clicks on the handover link, they are authenticated within the ARNS Handover Service. A cookie is stored on the user's browser to maintain this authentication session.
Redirection to Intended Service:
- The ARNS Handover Service then redirects the user to the intended service (SBNA/SAN or SP).
OAuth2 Authorization:
- The intended service initiates an OAuth2 authorization code flow grant with the user and the ARNS Handover Service. Note that intended service must have a registered client within the ARNS Handover Service, and therefore know the client ID and client secret to perform this flow.
Access Token Retrieval:
- After the authorization code flow is completed, the intended service receives an access token for the user.
Contextual Data Exchange:
- The intended service can then use the access token to exchange for the contextual information provided in step 1.
To run this service in your local environment, follow these steps:
Set the Active Spring Profile to
- The
profile configures various application properties, enabling the ARNS Handover Service to work with a client service hosted atlocalhost:3000
- The
Run a Redis Instance
- Ensure a passwordless Redis instance is running on
- Ensure a passwordless Redis instance is running on
Currently, the ARNS Handover Service does not provide a user interface for generating handover sessions and
their subsequent handover links. Instead, a cURL request can be made to the /handover
endpoint to create a session.
curl -X "POST" "http://localhost:8080/handover" \
-H 'Content-Type: application/json; charset=utf-8' \
-d $'{
"subject": {
"gender": 0,
"location": 0,
"crn": "X483319",
"sexuallyMotivatedOffenceHistory": true,
"dateOfBirth": "1990-01-01",
"familyName": "John",
"givenName": "Smith",
"pnc": "01/1000000"
"assessmentContext": {
"oasysAssessmentPk": "913ea2fc-049f-41c6-a19e-be2e8725712b",
"assessmentUUID": "d8cb7e78-1d55-4153-a2ed-a73fefc361a8"
"principal": {
"displayName": "Jane Doe",
"accessMode": "READ_WRITE",
"identifier": "123ABC"
This request will return an object formatted like
"handoverSessionId": "{HANDOVER_SESSION_UUID}",
"handoverLink": "http://localhost:8080/handover/{HANDOVER_CODE}"
where the value of property handoverLink
will be a URL that can be used within the browser to begin the handover
- Switch to the Kubernetes context/namespace of the Redis instance you are connecting to
make redis-port-forward-pod
to create a Redis port-forwarding pod in the namespacemake redis-port-forward
to forward traffic from your machine to the pod
Then open a new terminal and either:
make redis-connect
to connect to the remote Redis instance on the command line
make redis-auth-token
to output an authentication token for connecting to Redis via your Database IDE
Redis command to extract the data stored in a session:
HGETALL HandoverContext:{handover_session_id}