Skip to main content

Production setup

This page provides recommendations when setting up a production deployment.

Keycloak Oauth2 clients

We use Keycloak as our IAM server that stores users, groups, and the access roles of those groups. Before starting the set up of the Keycloak Oauth clients ensure the Service Account Role is disabled.
Separate OAuth clients should be configured for the ETL Pipes/Analytics and the FHIR Web systems.

Android client

Enable Direct Access Grant only - This client should be configured as a Public client. To fetch a token you will not need the client secret. This will use the Resource Credentials/Password Grant type.


Do not store any sensitive data like password credentials or secrets in your production APK e.g. in the file.

FHIR Web client

Enable Client Authentication and enable Standard flow. Implicit flow should only be used for local dev testing - it can be configured for stage and maybe preview but NOT production.. This will use the Authorization Code Grant type

Data pipelines/Analytics client

Enable Client Authentication and enable Service Account Roles. This will use the Client Credentials Grant type.