
Breaking Change: iss field in id_token format update

Andrew Fagan-Oracle, Jan 6 2025 (edited Jan 6 2025)

This post is to announce a breaking (behaviorally non-passive) change to the Authorization Server that will affect any applications leveraging OpenID Connect via the SMART "openid" scope. After a series of extensive internal reviews, we have determined that this breaking change is unavoidable in order to achieve full compliance with certain requirements of version 2.0 of the SMART App Launch specification [1]. This compliance, in turn, is required by the ASTP/ONC's Health Data, Technology, and Interoperability ("HTI-1") Final Rule under the 21st Century Cures Act [2].

Specifically, we will be truncating the contents of the issuer ("iss") field in our OpenID Connect identity tokens ("id_token") as follows, using the "developer sandbox" as an example tenant:

We expect that applications that leverage OpenID Connect identity tokens will need to make code and/or configuration changes as a result. For example, applications might decide to accept both the old and new formats, or they might decide to implement a feature-flag of some sort. Further technical guidance can be found at [3] and [4].

We must make this change in 2025 in order to meet the HTI-1 compliance deadline of January 1, 2026, and will therefore apply it on the following dates:

  • Developer-Facing "Sandbox" Environments: 2025-02-06
  • Customer-Facing Non-Production Environments: 2025-05-15
  • Customer-Facing Production Environments: 2025-08-07

Additional Notes:

  • OpenID Connect identity tokens are only issued by the Authorization Server when an application requests SMART's "openid" scope; if your application does not use this scope, it is not impacted.
  • Responses from the /.well-known/smart-configuration, /.well-known/openid-configuration, and /tokeninfo endpoints will also change to match the new issuer format.
  • Other issuer fields in other types of token (e.g. access tokens) will not be changing.
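The guidance above (accept both the old and new issuer forms, or gate the new one behind a feature flag, and take the authoritative issuer from the discovery document) in working code. This is an added example and not Oracle's code or the Authorization Server's behaviour; the issuer strings, the discovery document, the `ACCEPT_LEGACY_ISS` flag, the audience and the shared key are all constructed for the demo. Real SMART/OpenID Connect id_tokens are RS256-signed against the keys at `jwks_uri`; HS256 is used here only so the example runs offline, and the claim checks (`iss`, `aud`, `exp`) are the part that matters for this change.

```python
"""Validate an OpenID Connect id_token while its ``iss`` value is changing.

Constructed example for illustration; the issuer strings, discovery document
and key are hypothetical and not the real Authorization Server values.
"""
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Hypothetical issuer strings for a sandbox tenant. They stand in for the real
# old and new values, which are not reproduced here; the new value is a prefix
# of the old one, mirroring the announced truncation.
LEGACY_ISSUER = "https://auth.example.org/tenants/sandbox/oidc/idsps/demo/"
NEW_ISSUER = "https://auth.example.org/tenants/sandbox"

# Constructed discovery metadata, standing in for what
# /.well-known/openid-configuration returns after the cutover.
DISCOVERY_AFTER_CUTOVER = {"issuer": NEW_ISSUER}


def accepted_issuers(discovery: dict, accept_legacy: bool) -> frozenset:
    """Issuers the app trusts: the discovery document's issuer is authoritative;
    the legacy form stays accepted only while the ACCEPT_LEGACY_ISS flag is on."""
    issuers = {discovery["issuer"]}
    if accept_legacy:
        issuers.add(LEGACY_ISSUER)
    return frozenset(issuers)


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 id_token for the demo (real servers use RS256 + JWKS)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, accepted: frozenset,
                      audience: str, now: int) -> dict:
    """Verify the signature first, then iss / aud / exp. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # OIDC Core 3.1.3.7: iss MUST exactly match the expected issuer. No
    # normalisation (trailing slash, case), which is exactly why a truncated
    # iss breaks apps that hard-code the old string.
    if claims.get("iss") not in accepted:
        raise ValueError(f"unexpected iss {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud_list:
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def check_id_token(token: str, key: bytes, accepted: frozenset,
                   audience: str, now: int) -> tuple:
    """Wrapper returning (accepted?, reason) instead of raising."""
    try:
        validate_id_token(token, key, accepted, audience, now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    key = b"demo-shared-secret"          # constructed
    now = 1_700_000_000                  # fixed clock for a repeatable demo
    base = {"sub": "user-1", "aud": "my-smart-app", "exp": now + 300}
    legacy_tok = make_id_token({**base, "iss": LEGACY_ISSUER}, key)
    new_tok = make_id_token({**base, "iss": NEW_ISSUER}, key)
    for flag in (True, False):
        acc = accepted_issuers(DISCOVERY_AFTER_CUTOVER, accept_legacy=flag)
        print(f"ACCEPT_LEGACY_ISS={flag}:",
              "legacy", check_id_token(legacy_tok, key, acc, "my-smart-app", now),
              "new", check_id_token(new_tok, key, acc, "my-smart-app", now))
```

The flag is the cutover lever: run with `ACCEPT_LEGACY_ISS` on through the per-environment dates above, then turn it off once every tenant you integrate with has moved, so an id_token carrying the old issuer is rejected again rather than silently trusted. Taking the trusted issuer from the discovery document rather than a hard-coded string also means the same code works against sandbox and production tenants without a separate constant for each.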

[1] https://hl7.org/fhir/smart-app-launch/STU2/conformance.html#metadata
[2] https://www.healthit.gov/topic/laws-regulation-and-policy/health-data-technology-and-interoperability-certification-program
[3] https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#steps-for-using-an-id-token
[4] https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier
