In your original post, I think you must have meant the Secure Sandbox, since the Open Sandbox does not have authentication or authorization (that's what makes it open).
If your application is patient-facing, the FHIR conformance document advertises a "manage" endpoint, and log out is one of the options offered on that page. See
http://docs.smarthealthit.org/authorization/conformance-statement/ and
http://fhir.cerner.com/authorization/ for further details. Quoting from the latter's FAQ:
- How can my application participate in log out mechanisms provided by the organization’s single sign-on (SSO) ecosystem?

  While the Cerner authorization server provides OpenID Connect support, it does not currently implement any of the draft log-out specifications currently proposed by the community. Cerner continues to track on developments in this ecosystem.

  As an alternative, you may offer the user a link to “Manage Authorized Applications”, which allows the user to log out via their SSO system.
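
One way to locate the "manage" endpoint mentioned above, added here as an example that is not part of the original post or Cerner's code: it reads the SMART `oauth-uris` extension from a conformance statement and returns the link only if it is present and uses HTTPS. The sample document and the `auth.example.org` URLs are constructed.

```python
from urllib.parse import urlsplit

# Extension URL defined by the SMART on FHIR conformance-statement docs.
OAUTH_URIS = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"

# Constructed sample: trimmed conformance statement (hosts are placeholders).
SAMPLE = {
    "resourceType": "Conformance",
    "rest": [{
        "mode": "server",
        "security": {"extension": [{
            "url": OAUTH_URIS,
            "extension": [
                {"url": "authorize", "valueUri": "https://auth.example.org/authorize"},
                {"url": "token", "valueUri": "https://auth.example.org/token"},
                {"url": "manage", "valueUri": "https://auth.example.org/manage"},
            ],
        }]},
    }],
}

def smart_endpoints(conformance):
    """Return {name: uri} for every entry in the oauth-uris extension."""
    found = {}
    for rest in conformance.get("rest", []):
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") != OAUTH_URIS:
                continue
            for sub in ext.get("extension", []):
                if "url" in sub and "valueUri" in sub:
                    found.setdefault(sub["url"], sub["valueUri"])
    return found

def manage_link(conformance):
    """Return the 'manage' URL to show the user, or None.

    'manage' is optional, so a server may not advertise it. A non-HTTPS
    or host-less value is rejected rather than rendered as a link.
    """
    uri = smart_endpoints(conformance).get("manage")
    if not uri:
        return None
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return uri

if __name__ == "__main__":
    print(manage_link(SAMPLE))
```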