FHIR Specification Feedback / FHIR-33289

Allow ID Verification context to flow into a B2B request


Details

    • Change Request
    • Resolution: Unresolved
    • Medium
    • US UDAP Security (FHIR)
    • current
    • Security
    • STU
    • Business-to-Business

    Description

      http://hl7.org/fhir/us/udap-security/2021Sep/b2b.html#b2b-authorization-extension-object anticipates that an organization may be issuing requests on behalf of an individual. The protocol should offer strong support for the case where that individual has been identity-proofed by a service external to the UDAP client (e.g., for a patient using a client offered by one HIPAA covered entity to request data from another HIPAA covered entity). To address this: 

      • Add an "extension" property like "subject_id_token" which allows a requester to pass through a (potentially externally sourced) set of signed identity claims along with a request. This allows the server to evaluate the request in the context of verified details from an ID proofing service that might be distinct from the requesting party. This optional value would be a signed id_token as specified by OIDC Core.

       

       


          People

            Unassigned
            jmandel Josh Mandel
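
A server-side check for the proposed "subject_id_token" property, as an added example that is not part of this issue or of the UDAP implementation guide: it verifies the passed-through id_token against ID-proofing issuers the server itself trusts, instead of accepting it because the UDAP client is authenticated. The function names, the `trusted_issuers` map of pinned RSA keys, and the RS256-only policy are assumptions.

```python
import base64, hashlib, hmac, json, time

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rs256_ok(signing_input, sig, n, e):
    """Verify RSASSA-PKCS1-v1_5/SHA-256 by rebuilding the expected encoding."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)

def check_subject_id_token(b2b_ext, trusted_issuers, now=None):
    """Return verified claims from 'subject_id_token', None if absent, else raise.

    trusted_issuers (assumption): {issuer URL: (n, e)} RSA keys the server pins
    for ID-proofing services it accepts, independent of the UDAP client's trust.
    """
    token = b2b_ext.get("subject_id_token")
    if token is None:
        return None  # the proposed property is optional
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
        alg, iss = header.get("alg"), claims.get("iss")
    except (ValueError, AttributeError) as exc:
        raise ValueError("malformed id_token") from exc
    if alg != "RS256":  # refuse "none" and anything not pinned
        raise ValueError("unsupported alg")
    key = trusted_issuers.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError("issuer not trusted for ID proofing")
    if not rs256_ok(f"{h64}.{p64}".encode(), sig, *key):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        raise ValueError("id_token expired or missing exp")
    if not claims.get("sub"):
        raise ValueError("id_token missing sub")
    return claims
```

Under OIDC Core an id_token's `aud` names the client it was issued to, so a receiving server needs its own policy for that claim; this example does not check it.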