Release 3.0.0#1080

Open
mpgxvii wants to merge 297 commits into master from release-3.0.0

@mpgxvii mpgxvii commented Nov 28, 2025

Description:

Authentication & Authorization

  • Added Ory Hydra / Kratos integration (auth-code login, new login endpoint, subject-creation webhook).
  • Authentication is now profile-based via:
    • managementportal.authServer.internal
    • managementportal.identityServer.internal
  • Improved OAuth2/JWT handling, Hydra token support, and client-credentials auth.
  • Relaxed security rules for public project endpoints and refined access control.

User Management & Identity

  • Added Kratos identity support (researcher/admin/subject) with sync back to ManagementPortal.
  • Added email as a subject attribute for Kratos-origin identities.
  • Improved stability and error handling in identity services and updates.

Frontend & UX

  • Updated login flow to auth-code login with new backend URLs.
  • Improved error handling (401 behavior, redirects, error component).
  • Added public project info configuration and adjusted redirects/ports for Kratos flows.

Observability & Operations

  • Integrated Sentry monitoring.
  • Expanded and fixed GitHub Actions (publishing, Docker scans, Snyk, artifacts, scheduled checks).
  • Disabled Liquibase analytics and tightened CI/security settings.

Security & Dependency Updates

  • Upgraded major dependencies (Spring Security, Jackson, Undertow, Logback, Kotlin, Angular, etc.).
  • Addressed security findings (redirect issues, GH action permissions, Docker checks).
  • Updated JVM requirement to Java 17 and modernized build configuration.

Bug Fixes & Maintenance

  • Fixed issues with unassigning sources, internal OAuth login, UserService, and webhook behavior.
  • Improved token retrieval and HTTP client usage.
  • Many small fixes across config, tests, Docker, and documentation.
  • Fixed E2E tests and restored this in GA (previously skipped temporarily while refactor was ongoing).

Upgrade Notes

  • Requires JDK 17.
  • Authentication is now profile-based:
    • managementportal.authServer.internal → internal OAuth2 auth server
    • managementportal.identityServer.internal → internal Kratos identity server
    • Both default to true.
  • Update Ory/Hydra/Kratos config and redirect URLs for new login and webhook endpoints.
  • Review changes to public endpoints and security settings for your deployment.

Checklist:

  • The Main workflow has succeeded
  • The Gatling tests have passed
  • I have logged into the portal running locally with default admin credentials
  • I have updated the README files if this change requires documentation update
  • I have commented my code, particularly in hard-to-understand areas

Bdegraaf1234 and others added 30 commits July 5, 2024 15:17
Update kotlin version and .gitignore
Added public endpoint for fetching subset of projects info
@mpgxvii mpgxvii requested a review from pvannierop December 19, 2025 12:57
@pvannierop

@mpgxvii I am currently investigating whether the use of Keycloak would be a better fit for us. With this research I have come across several points where the MP code can use some improvements so that it would be easier to implement other identity servers. There are a lot of hard-coded references to Kratos that should be more isolated in conditional beans.

mpgxvii commented Feb 10, 2026

> @mpgxvii I am currently investigating whether the use of Keycloak would be a better fit for us. With this research I have come across several points where the MP code can use some improvements so that it would be easier to implement other identity servers. There are a lot of hard-coded references to Kratos that should be more isolated in conditional beans.

@pvannierop Yes I saw your updates regarding the URLs. I've made the changes now. Let me know where else to update as well.
