R4 Authorization Breaking Change

Matthew Beermann (Cerner)

Mar 30, 2022, 12:42:51 PM
to Cerner FHIR Developers
Cross-posting from [1]; the exact deployment date is TBD but is expected to occur in Q2:

This solution change applies to applications that use OpenID Connect (OIDC), which returns an ID token containing the URL to a Fast Healthcare Interoperability Resources (FHIR) resource representing the current user (fhirUser field).

If a user is known to the electronic health record (EHR) as a patient, but selects someone else's data to send to an application (such as a dependent), the Authorization server will now return the URL to the user's Person resource. Previously, the URL to the Patient resource was returned in this scenario.

This change is required for the Cerner implementation of FHIR to comply with certain requirements of the Office of the National Coordinator for Health Information Technology (ONC) Final Rules implementing the 21st Century Cures Act.
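
An added example, not part of the original post and not Cerner's code: one way a client can read `fhirUser` without assuming it points at a Patient resource, so that a Person id is never used as a patient id. The base URL, the ids, the helper names and the `patient_in_context` parameter (the id of the patient whose data the app was given) are assumptions made for illustration, and the ID token's signature is assumed to have been validated already.

```python
import base64
import json
import re

# Constructed sample base URL; substitute the tenant's real FHIR R4 base.
BASE = "https://fhir.example.org/r4/TENANT"
# Resource types the SMART App Launch specification allows in fhirUser.
ALLOWED_TYPES = {"Patient", "Practitioner", "RelatedPerson", "Person"}
FHIR_ID = re.compile(r"^[A-Za-z0-9\-.]{1,64}$")


def constructed_token(claims):
    """Build an unsigned, constructed ID token for the demo (not a real token)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + ".constructed-signature"


def decode_claims(id_token):
    """Decode the JWT payload; signature validation must happen before this."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_fhir_user(claims, fhir_base):
    """Return (resource_type, resource_id) from the fhirUser claim."""
    url = claims.get("fhirUser")
    if not url:
        raise ValueError("fhirUser claim missing")
    base = fhir_base.rstrip("/") + "/"
    if not url.startswith(base):
        raise ValueError("fhirUser is outside the expected FHIR base URL")
    parts = url[len(base):].split("/")
    if len(parts) != 2 or parts[0] not in ALLOWED_TYPES or not FHIR_ID.match(parts[1]):
        raise ValueError("unexpected fhirUser shape")
    return parts[0], parts[1]


def user_is_patient_in_context(claims, fhir_base, patient_in_context):
    """True only when fhirUser is a Patient with the same id as the patient in context."""
    rtype, rid = parse_fhir_user(claims, fhir_base)
    return rtype == "Patient" and rid == patient_in_context


if __name__ == "__main__":
    # A patient user who selected a dependent's data: fhirUser is now a Person URL.
    claims = decode_claims(constructed_token({"fhirUser": BASE + "/Person/67890"}))
    print(parse_fhir_user(claims, BASE), user_is_patient_in_context(claims, BASE, "12345"))
```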

Matthew Beermann (Cerner)

Jun 2, 2022, 3:18:51 PM
to Cerner FHIR Developers
Update: This change is currently planned for deployment on the evening of Tuesday, June 7th, 2022.

Andrew Hosokawa

Jun 2, 2022, 3:44:13 PM
to Cerner FHIR Developers
Is this currently deployed to the development sandbox so we can test for any issues?

Matthew Beermann (Cerner)

Jun 3, 2022, 9:57:56 AM
to Cerner FHIR Developers
While some changes can be (and are) rolled out in that fashion, this is unfortunately not one of them.