Coming Soon: Support for SMART App Launch v2.2

Developer Group for CMS Blue Button API

Aug 28, 2025, 3:40:10 PM
to Developer Group for CMS Blue Button API

Hello Blue Button 2.0 Community, 


In order to ensure more robust FHIR conformance and best practices with the SMART App Launch v2.2.0, we’re implementing four changes to the Blue Button 2.0 API. We are giving all existing production applications a 90-day window to prepare for these changes. 


The four changes are as follows:

  1. State parameters will be mandatory - action required (see below for details)

  2. PKCE parameters will be mandatory - action required (see below for details)

  3. We will allow POST method for authorization requests - no action required

  4. We will support SMART v2 scopes - no action required 


The new changes take effect in about 90 days on Monday, December 1. This should give you ample time to prepare your applications. If you have concerns about this timeline, please reach out and let us know. 


How do I know if my application already uses state and PKCE parameters?

If you already have an app approved with BB2.0, we will email you over the coming days if our records indicate that your application is not using the state and/or PKCE parameter and to remind you to support the upcoming changes to avoid breaking new authorizations (requests will result in a 400 error).


Note that these changes will NOT impact existing authorizations, and you will be able to continue to pull data for enrollees that have previously authorized your application to do so. 


Do I need to change anything in my app? 

If your application is already using PKCE and state parameters for authorization calls, no action is required.


If your application does not currently use state and PKCE parameters, you will need to update your application to ensure they are being used when making new authorization requests to BB2.0.


Update and test your approved app to accommodate this change by December 1 when we will be enforcing this requirement for all applications. If you do not support the required state and PKCE parameter changes, this will result in the inability to complete new BB2.0 authorization flows for users. 


While SMART v2 scopes are not required, we highly recommend adopting them, as future versions of the Blue Button 2.0 API may not support v1 scopes.


Sandbox

As part of this effort, we will be enforcing the state and PKCE parameters in the Sandbox environment in 14 days - Thursday, September 11th. At that time, all current and future sandbox apps that do not use state and PKCE parameters will result in a broken authorization flow for new authorizations. 


Additionally, the /authorize endpoint is available for testing the new requirements for state and PKCE parameters. This endpoint will also support the POST method for authorization requests after September 11th.


While current and future Sandbox applications will not be required to enable SMART v2 scopes, they will not benefit from the “write once, use anywhere” development advantages of SMART v2 scopes. 


Documentation
To read our documentation about these changes, check out the following sections on our website: 


Support

If you need help as you’re implementing these features, please contact us at BlueButtonAPI@cms.hhs.gov or post your questions here in the Google Group. 


-The Blue Button 2.0 API Team


Developer Group for CMS Blue Button API

Sep 11, 2025, 12:38:37 PM
to Developer Group for CMS Blue Button API
Following up on the above post, the state and PKCE parameters are now being enforced in the Sandbox environment for testing purposes. 

If you have questions, please contact us at BlueButtonAPI@cms.hhs.gov or post your questions here in the Google Group. 