Roll Out/Roll Back Strategy

We prefer to use Keycloak realm settings as ‘feature flags’ to block access to the 1up Dev Portal.

Roll Out

Here we use Realm Settings > Login > User Registration. This is turned off in core-prod pre-go-live, which prevents any new users from registering for the Dev Portal, effectively putting the whole app behind a flag. The Core UI team has a single user pre-registered in production that they are using for setup purposes until we go live.

Roll Back

If something goes wrong and we need to instantly ‘turn off’ the Dev Portal, we can do either of the following:

Disable the 1up Dev Portal client: at the registration link, users will then see an error screen from Keycloak saying the app is disabled. To do this, in the dev-portal realm, find and click on the client used for the Dev Portal app (id cd3a8c99-dacf-434e-bef6-3a91b168a6f7) and, in the upper right, uncheck the ‘enabled’ setting.

Disable the entire realm: this takes every client in the realm offline at once, and at the login link users will see an error saying the app is disabled. To do this, go to the dev-portal realm, click into the Realm Settings tab, and in the upper right uncheck the ‘enabled’ box.

Block a user

If we detect a bad-actor account and need to expel them from the Dev Portal immediately for security reasons, we can use one of the following flows:

The quickest, dirtiest, and most thorough way to do this is:

  1. Log in to Keycloak with an admin account.

  2. Find their user account and change their password.

  3. Log in to the Dev Portal as their account with the new password and delete their clients through the UI. Doing it this way ensures that the synced clients in the -member realms are deleted immediately as well.

  4. Then delete or disable their account in Keycloak.

Otherwise, the lighter-handed and reversible steps are:

  1. Disable their user account: click into their user and uncheck the ‘enabled’ setting. Click save.

  2. Disable the clients they’ve created:

     1. Query the keycloak_user_client_mapping table for the client ids associated with their Keycloak user id.

     2. Find and click into those clients in the Keycloak UI and, in the upper right, uncheck ‘enabled’. Click save.

     3. Also locate the clients with the same client ids in all -member realms and disable those as well.
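When the console clicks above have to happen fast, or across several -member realms, the same reversible switches can be driven through Keycloak's Admin REST API. The script below is an added example and not part of this runbook or the Dev Portal code base: it covers the reversible block-a-user flow (disable the user, then disable their clients in the dev-portal realm and every -member realm) and the roll-back switch that disables a whole realm. The realm names in MEMBER_REALMS, the user id, the client id and the column names of keycloak_user_client_mapping are constructed placeholders; the admin credentials and base URL are read from environment variables. One point the console hides: the client id you see in the mapping table (Keycloak's clientId) is shared across realms, but the Admin API updates clients by their realm-local UUID, so each realm is searched separately.

```python
"""Added example (not part of the runbook): reversible 'block a user' steps and
the roll-back switches via Keycloak's Admin REST API. Realm names, ids and the
mapping-table columns are assumed placeholders."""
import json
import os
import urllib.parse
import urllib.request

DEV_PORTAL_REALM = "dev-portal"
# Assumed member realms that hold synced copies of Dev Portal clients.
MEMBER_REALMS = ["acme-member", "globex-member"]


def http_json(base_url, token, method, path, body=None):
    """Send one Admin REST request; return the decoded JSON body or None (204)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_token(base_url, username, password):
    """Obtain an admin access token from the master realm via the admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        base_url + "/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["access_token"]


def disable_user(base_url, token, realm, user_id, send=http_json):
    """Step 1: the 'enabled' checkbox on the user (reverse with enabled=True)."""
    send(base_url, token, "PUT", f"/admin/realms/{realm}/users/{user_id}",
         {"enabled": False})


def client_uuid(base_url, token, realm, client_id, send=http_json):
    """Map a clientId (shared across realms) to the realm-local UUID the API keys on."""
    query = urllib.parse.urlencode({"clientId": client_id})
    found = send(base_url, token, "GET", f"/admin/realms/{realm}/clients?{query}")
    return found[0]["id"] if found else None


def disable_clients_everywhere(base_url, token, client_ids, send=http_json):
    """Step 2: disable each client in the dev-portal realm and every member realm.

    Returns the (realm, clientId) pairs actually disabled, so a later roll-back
    knows exactly what to re-enable; realms without a synced copy are skipped."""
    disabled = []
    for realm in [DEV_PORTAL_REALM] + MEMBER_REALMS:
        for cid in client_ids:
            uuid = client_uuid(base_url, token, realm, cid, send)
            if uuid is None:
                continue  # not synced into this realm, nothing to disable
            send(base_url, token, "PUT",
                 f"/admin/realms/{realm}/clients/{uuid}", {"enabled": False})
            disabled.append((realm, cid))
    return disabled


def disable_realm(base_url, token, realm, send=http_json):
    """Roll-back switch: the whole-realm 'enabled' box from Realm Settings."""
    send(base_url, token, "PUT", f"/admin/realms/{realm}", {"enabled": False})


if __name__ == "__main__":
    # Base URL as deployed (older Keycloak versions include a trailing /auth).
    base = os.environ["KEYCLOAK_URL"]
    tok = admin_token(base, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASS"])
    bad_user = "00000000-0000-0000-0000-000000000000"  # placeholder user id
    # The clientIds would come from the mapping table, e.g. (columns assumed):
    #   SELECT client_id FROM keycloak_user_client_mapping WHERE keycloak_user_id = %s
    their_clients = ["portal-app-1"]  # constructed placeholder
    disable_user(base, tok, DEV_PORTAL_REALM, bad_user)
    print(disable_clients_everywhere(base, tok, their_clients))
```

Each call is a single PUT of `{"enabled": false}`, so reversing the block is the same request with `true`; the list returned by disable_clients_everywhere is the record of where that has to happen. The `send` parameter exists only so the request logic can be exercised without a live server.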