Interweave Portal - Ideas

Status: Planned
Created by: Justin Llewelyn
Created on: Jun 7, 2024

Enable support for encrypted querystring parameter values in Azure AD OIDC context launch URL

The URL to launch the Interweave Portal in the context of a patient record using Azure AD OpenID Connect service for single sign-on takes the following format:

https://<Subdomain>.portal.<Environment>.<Region>.nhs.uk/Login/Provider/<Provider Key>?pat.nhs=<NHS number>

[The 'fixed part' is everything before '?pat.nhs='.]

To launch the Portal from a Line of Business [LoB] system, the system should display a link that opens a new browser tab/window with a URL made up of the 'fixed part' followed by the NHS number of the patient in context.

However, because the patient's NHS number is provided in clear text, a user who is authorised to access the Care Record can copy the fixed part of the URL, append any NHS number of their choosing, and so access records outside the LoB system's patient context.

This may be beneficial to some organisations that wish to context launch from multiple LoB systems. However, some members of the Notts Care Record community have expressed concern and have asked whether the context launch can be restricted strictly to the patient context in their chosen LoB system, by configuring the LoB system to encrypt the NHS number value of the 'pat.nhs' parameter.

For example, SystmOne can be configured to provide a toolbar button that launches the Portal from the context of a patient's record. The SystmOne toolbar button configuration has a mechanism to encrypt any generated URL querystring parameter values using a provided AES key and initialization vector [IV].

This idea aims to promote development of the Portal OIDC context launch mechanism to support encrypted URL querystring parameter values from SystmOne and potentially other LoB systems.
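As an added illustration of the mechanism this idea asks for (example code written here, not code from the Portal or from SystmOne), the following Go sketch shows both sides: the LoB side encrypting the NHS number under a shared AES key and fixed IV, as the SystmOne toolbar configuration supplies them, and the Portal side decrypting and validating the 'pat.nhs' value. It assumes AES-CBC with PKCS#7 padding (the page does not name the mode) and adds an HMAC-SHA256 tag of its own, because a bare CBC ciphertext under a fixed key and IV can be modified without the Portal noticing; the key, IV, MAC key and NHS number are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"regexp"
)

// Constructed demo values; the real key and IV live in the SystmOne toolbar config and Portal provider settings.
var (
	aesKey      = []byte("0123456789abcdef0123456789abcdef") // 32-byte AES-256 key
	iv          = []byte("fedcba9876543210")                 // fixed 16-byte IV, as the LoB configuration supplies one
	macKey      = []byte("constructed-hmac-key-for-demo")    // integrity key: my addition, not part of SystmOne's scheme
	block, _    = aes.NewCipher(aesKey)                      // cannot fail for a 32-byte key
	nhsNumber   = regexp.MustCompile(`^[0-9]{10}$`)
	errBadParam = errors.New("pat.nhs value missing, malformed or tampered")
)

func tag(ct []byte) []byte { m := hmac.New(sha256.New, macKey); m.Write(ct); return m.Sum(nil) } // HMAC over ciphertext

// EncryptNHSNumber builds the pat.nhs value: base64url(AES-CBC/PKCS#7 ciphertext || tag).
func EncryptNHSNumber(nhs string) string {
	pad := aes.BlockSize - len(nhs)%aes.BlockSize
	buf := append([]byte(nhs), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	return base64.RawURLEncoding.EncodeToString(append(buf, tag(buf)...))
}

// DecryptNHSNumber is the Portal-side check: a missing, malformed, tampered or non-numeric value is rejected, never sent to search.
func DecryptNHSNumber(param string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(param)
	n := len(raw) - sha256.Size // ciphertext length once the tag is split off
	if err != nil || n < aes.BlockSize || n%aes.BlockSize != 0 {
		return "", errBadParam
	}
	if !hmac.Equal(raw[n:], tag(raw[:n])) { // constant-time compare before touching the ciphertext
		return "", errBadParam
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(raw[:n], raw[:n]) // decrypt in place
	pad := int(raw[n-1])
	if pad < 1 || pad > aes.BlockSize || !nhsNumber.Match(raw[:n-pad]) {
		return "", errBadParam
	}
	return string(raw[:n-pad]), nil
}
```

Because the IV is fixed, the same NHS number always yields the same token, so a captured launch URL can still be reused until the Portal adds a timestamp or nonce to the encrypted value.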

  • Stephen Handley, Sep 20, 2024:

    Note: In the current OIDC solution, if a user enters "https://<Subdomain>.portal.<Environment>.<Region>.nhs.uk/Login/Provider/<Provider Key>" without the nhs_number parameter in the browser, it will open the search page. Where the querystring parameter is encrypted, we wouldn't want this to happen.

  • Admin: Marc Baulk, Jul 9, 2024:

    Hi Justin,

    This has been added to the agenda for the next TDA meeting. We will discuss it there to agree on the approach moving forward.