Production setup
This page provides recommendations when setting up a production deployment.
Keycloak Oauth2 clients
We use Keycloak as our IAM server that stores users, groups, and the access roles of those groups. Before starting the set up of the Keycloak Oauth clients ensure the Service Account
Role is disabled.
Separate OAuth clients should be configured for the ETL Pipes/Analytics and the FHIR Web systems.
Android client
Enable Direct Access Grant only - This client should be configured as a Public
client. To fetch a token you will not need the client secret.
This will use the Resource Credentials/Password
Grant type.
Do not store any sensitive data like password credentials or secrets in your production APK e.g. in the local.properties
file.
FHIR Web client
Enable Client Authentication and enable Standard flow. Implicit flow should only be used for local dev testing - it can be configured for stage and maybe preview but NOT production..
This will use the Authorization Code
Grant type
Data pipelines/Analytics client
Enable Client Authentication and enable Service Account Roles.
This will use the Client Credentials
Grant type.