RADAR-base
diff --git a/‎README.md‎
Lines changed: 64 additions & 24 deletions b/‎README.md‎
Lines changed: 64 additions & 24 deletions
diff --git a/‎src/main/docker/app.yml‎
Lines changed: 14 additions & 77 deletions b/‎src/main/docker/app.yml‎
Lines changed: 14 additions & 77 deletions
diff --git a/‎src/main/docker/managementportal.yml‎
Lines changed: 4 additions & 0 deletions b/‎src/main/docker/managementportal.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/main/docker/managementportal_dockerhub/docker-compose.yml‎
Lines changed: 0 additions & 18 deletions b/‎src/main/docker/managementportal_dockerhub/docker-compose.yml‎
Lines changed: 0 additions & 18 deletions
@@ -57,13 +57,22 @@ docker-compose files.
    ```shell
    keytool -genkeypair -alias radarbase-managementportal-ec -keyalg EC -validity 3650 -keysize 256 -sigalg SHA256withECDSA -storetype PKCS12 -keystore src/main/docker/etc/config/keystore.p12 -storepass radarbase -keypass radarbase
    ```
-3. Now, we can start the stack with `docker-compose -f src/main/docker/management-portal.yml up -d`.
+3. Now, we can start ManagementPortal and its database with `docker-compose -f src/main/docker/managementportal.yml up -d`.
 
-This will start a Postgres database, ManagementPortal and
-the [kratos identity provider stack](https://www.ory.sh/docs/kratos/ory-kratos-intro). The default password for the
-`admin`
-account is `admin`. An angular live development server to access the managementportal can be started using the
+This will start a Postgres database and ManagementPortal. The default password for the `admin`
+account is `admin`. An Angular live development server to access the managementportal can be started using the
 `yarn start` command (see [Development](#development)).
+4. (Optional, recommended) Start the external identity and authentication stack based on
+   [Ory Kratos](https://www.ory.sh/docs/kratos/ory-kratos-intro) and
+   [Ory Hydra](https://www.ory.sh/docs/hydra/):
+
+   ```bash
+   docker-compose -f src/main/docker/ory_stack.yml up -d
+   ```
+
+   This will start Kratos, Hydra and the `radar-self-enrolment-ui` service that provides the login/registration pages.
+   **Ensure that `radar-self-enrolment-ui` is running**: ManagementPortal’s login flow redirects the browser to this UI
+   (via Hydra), so if it is not available the login page will not work.
 
 ### Build from source
 
@@ -90,8 +99,15 @@ You must install and configure the following dependencies on your machine to run
    started using the `yarn start` command (see [Development](#development)).
 6. You can log in to the application using `admin:admin`. Please don't forgot to change the password of `admin`, if you
    are using the application on production environment.
-7. The identity server stack can be started in docker by using the docker compose command
-   `docker-compose -f .\src\main\docker\app.yml up -d kratos kratos-selfservice-ui-node kratos-migrate postgresd-kratos mailslurper`
+7. The identity and authentication server stack (Kratos, Hydra and self-enrolment UI) can be started in Docker by using
+   the docker compose command:
+
+   ```bash
+   docker-compose -f src/main/docker/ory_stack.yml up -d
+   ```
+
+   Make sure that the `radar-self-enrolment-ui` service from this stack is running for the login and self-service pages
+   to be available.
 
 |                  | Development | Production |
 |------------------|-------------|------------|
@@ -133,11 +149,16 @@ for other options on overriding the default configuration.
 | `MANAGEMENTPORTAL_OAUTH_ENABLE_PUBLIC_KEY_VERIFIERS`        | `false`                                             | Whether to use additional verifiers using public-keys and deprecated verifier implementation. If you set this to `true`, also set `RADAR_IS_CONFIG_LOCATION` and provide yaml file with public keys. Read more at radar-auth documentation. |
 | `MANAGEMENTPORTAL_CATALOGUE_SERVER_ENABLE_AUTO_IMPORT`      | `false`                                             | Whether to enable or disable auto import of sources from the catalogue server                                                                                                                                                               |
 | `MANAGEMENTPORTAL_CATALOGUE_SERVER_SERVER_URL`              | None                                                | URL to the catalogue server                                                                                                                                                                                                                 |
-| `MANAGEMENTPORTAL_IDENTITYSERVER_SERVERURL`                 | None                                                | URL to the identity server.                                                                                                                                                                                                                 |
-| `MANAGEMENTPORTAL_IDENTITYSERVER_SERVERADMINURL`            | None                                                | Admin URL to the identity server.                                                                                                                                                                                                           |
+| `MANAGEMENTPORTAL_IDENTITYSERVER_INTERNAL`                  | `true`                                              | Whether to use ManagementPortal’s internal identity management (`true`) or an external identity server such as Ory Kratos (`false`).                                                                                                       |
+| `MANAGEMENTPORTAL_IDENTITYSERVER_SERVERURL`                 | None                                                | URL to the identity server. When using Ory Kratos externally, set this to the Kratos public URL as seen from ManagementPortal (for example `http://kratos:4433` when using Docker).                                                        |
+| `MANAGEMENTPORTAL_IDENTITYSERVER_SERVERADMINURL`            | None                                                | Admin URL to the identity server. When using Ory Kratos externally, set this to the Kratos admin URL as seen from ManagementPortal (for example `http://kratos:4434`).                                                                     |
 | `MANAGEMENTPORTAL_IDENTITYSERVER_ADMINEMAIL`                | None                                                | Email-address to be linked to the admin account.                                                                                                                                                                                            |
-| `MANAGEMENTPORTAL_IDENTITYSERVER_USER_ACTIVATION_FLOW_TYPE` | `verification`                                      | Kratos self-service flow used to send activation emails. Allowed: `verification` or `recovery`.                                                                                                                                             |
-| `MANAGEMENTPORTAL_IDENTITYSERVER_USER_ACTIVATION_METHOD`    | `code`                                              | Kratos method used in the activation flow request payload. Allowed: `code` or `link` (depending on flow and Kratos configuration).                                                                                                          |
+| `MANAGEMENTPORTAL_IDENTITYSERVER_USER_ACTIVATION_FLOW_TYPE` | `verification`                                      | Kratos self-service flow used to send activation emails. Allowed: `verification` or `recovery`.                                                                                                                                            |
+| `MANAGEMENTPORTAL_IDENTITYSERVER_USER_ACTIVATION_METHOD`    | `code`                                              | Kratos method used in the activation flow request payload. Allowed: `code` or `link` (depending on flow and Kratos configuration).                                                                                                         |
+| `MANAGEMENTPORTAL_AUTHSERVER_INTERNAL`                      | `true`                                              | Whether to use ManagementPortal’s internal OAuth2 authorization server (`true`) or an external server such as Ory Hydra (`false`).                                                                                                         |
+| `MANAGEMENTPORTAL_AUTHSERVER_SERVERURL`                     | None                                                | Base URL of the external auth server’s public endpoints, used for the token endpoint. When using Ory Hydra in Docker, this is typically `http://hydra:4444`.                                                                               |
+| `MANAGEMENTPORTAL_AUTHSERVER_LOGINURL`                      | None                                                | Base URL of the external auth server as seen from the browser, used to construct the `/oauth2/auth` redirect URL (for example `http://localhost:4444` for Hydra’s public endpoint).                                                        |
+| `MANAGEMENTPORTAL_AUTHSERVER_SERVERADMINURL`                | None                                                | Admin URL of the external auth server (for example `http://hydra:4445` for the Hydra admin API), used for managing OAuth clients.                                                                                                          |
 | `MANAGEMENTPORTAL_COMMON_BASE_URL`                          | None                                                | Resolvable baseUrl of the hosted platform                                                                                                                                                                                                   |
 | `MANAGEMENTPORTAL_COMMON_MANAGEMENT_PORTAL_BASE_URL`        | None                                                | Resolvable baseUrl of this managementportal  instance                                                                                                                                                                                       |
 | `MANAGEMENTPORTAL_COMMON_PRIVACY_POLICY_URL`                | None                                                | Resolvable URL to the common privacy policy url                                                                                                                                                                                             |
@@ -258,10 +279,33 @@ The code grant flow for OAuth2 clients can also be the following:
     ```
    Now the app can use the access token flow.
 
+### Identity and authentication configuration
+
+ManagementPortal can be run either with its **internal identity and auth server** or with **external Ory services**:
+
+- **Internal identity and auth server (legacy mode)**:
+  - Enabled by default when `MANAGEMENTPORTAL_IDENTITYSERVER_INTERNAL=true` and `MANAGEMENTPORTAL_AUTHSERVER_INTERNAL=true`
+    (or when these variables are not set).
+  - ManagementPortal handles user accounts and OAuth2 tokens itself; no external Kratos or Hydra stack is required.
+- **External Ory identity and auth (Kratos + Hydra)**:
+  - Set `MANAGEMENTPORTAL_IDENTITYSERVER_INTERNAL=false` and `MANAGEMENTPORTAL_AUTHSERVER_INTERNAL=false`.
+  - Configure the external identity server (typically Ory Kratos):
+    - `MANAGEMENTPORTAL_IDENTITYSERVER_SERVERURL` (e.g. `http://kratos:4433`)
+    - `MANAGEMENTPORTAL_IDENTITYSERVER_SERVERADMINURL` (e.g. `http://kratos:4434`)
+    - `MANAGEMENTPORTAL_IDENTITYSERVER_ADMINEMAIL`
+  - Configure the external auth server (typically Ory Hydra):
+    - `MANAGEMENTPORTAL_AUTHSERVER_SERVERURL` (e.g. `http://hydra:4444`, reachable from ManagementPortal)
+    - `MANAGEMENTPORTAL_AUTHSERVER_LOGINURL` (e.g. `http://localhost:4444`, reachable from the browser)
+    - `MANAGEMENTPORTAL_AUTHSERVER_SERVERADMINURL` (e.g. `http://hydra:4445`)
+  - Start the Ory stack using `docker-compose -f src/main/docker/ory_stack.yml up -d` and ensure the
+    `radar-self-enrolment-ui` service is running. The ManagementPortal login flow redirects the user to Hydra, which in
+    turn uses the self-enrolment UI for login and consent screens.
+
 ### User management
 
-Organizational user management and authorization for the managementportal is performed
-by [Ory Kratos](https://www.ory.sh/docs/kratos/ory-kratos-intro). The flow for adding users to the portal is as follows:
+When `MANAGEMENTPORTAL_IDENTITYSERVER_INTERNAL=false`, organizational user management and authentication for the
+managementportal is performed by [Ory Kratos](https://www.ory.sh/docs/kratos/ory-kratos-intro). The flow for adding
+users to the portal is as follows:
 
 1. Navigate to the [User management view](http://127.0.0.1:8081/#/user-management) and create a user.
 2. The new user then [resets their password](http://127.0.0.1:3000/recovery) at the kratos self-service node using the
@@ -271,23 +315,22 @@ by [Ory Kratos](https://www.ory.sh/docs/kratos/ory-kratos-intro). The flow for a
 
 ```mermaid
 sequenceDiagram
-    participant kratosUi as Kratos self-service node
+    participant selfEnrolUi as Self-enrolment UI (Hydra/Kratos)
     actor user as User
     actor researcher as Admin
     participant managementPortal as ManagementPortal
     participant kratos as Kratos
 
-
     #== User Registration ==
     user -->> researcher: Request account (email required)
     researcher -->> managementPortal: Create user
     managementPortal -->> kratos: Create kratos identity
-    kratos -->> user: Send password reset email
-    user -->> kratosUi: Reset password
-    kratosUi -->> kratos: 
-    user -->> kratosUi: Activate 2-FA
-    kratosUi -->> kratos: 
-    user -->> managementPortal: Login (2-FA required)
+    kratos -->> user: Send activation / recovery email
+    user -->> selfEnrolUi: Set password
+    selfEnrolUi -->> kratos: Update identity
+    user -->> selfEnrolUi: Configure 2-FA
+    selfEnrolUi -->> kratos: Update identity
+    user -->> managementPortal: Login (2-FA enforced via Hydra)
 ```
 
 ### UI Customization
@@ -378,9 +421,6 @@ To optimize the ManagementPortal application for production, run:
 
     ./gradlew -Pprod clean bootWar
 
-### Hosting in production
-
-The latest Meta-QR code implementation requires REST resources on `api/meta-token/*` should definitely be rate-limited by upstream servers.
 
 ### Hosting in production
 
 
@@ -4,107 +4,44 @@ services:
     ## MP
 
     managementportal-app:
-        image: managementportal
-#        image: radarbase/management-portal
+        image: ghcr.io/radar-base/managementportal/management-portal:dev
         environment:
             - SPRING_PROFILES_ACTIVE=prod,api-docs
             - SPRING_DATASOURCE_URL=jdbc:postgresql://managementportal-postgresql:5432/managementportal
             - SPRING_DATASOURCE_USERNAME=radarbase
             - SPRING_DATASOURCE_PASSWORD=radarbase
-            - SPRING_LIQUIBASE_CONTEXTS=dev #includes testing_data, remove for production builds
+            - MANAGEMENTPORTAL_COMMON_ADMINPASSWORD=admin
             - MANAGEMENTPORTAL_FRONTEND_CLIENT_SECRET=secret
-            - MANAGEMENTPORTAL_IDENTITYSERVER_SERVERURL=http://kratos
+            - MANAGEMENTPORTAL_IDENTITYSERVER_INTERNAL=false # IF using external identity like ORY Kratos
+            - MANAGEMENTPORTAL_IDENTITYSERVER_ADMINEMAIL=admin-email-here@radar-base.net
+            - MANAGEMENTPORTAL_IDENTITYSERVER_SERVERURL=http://kratos:4433
+            - MANAGEMENTPORTAL_IDENTITYSERVER_LOGINURL=http://localhost:3000
+            - MANAGEMENTPORTAL_IDENTITYSERVER_SERVERADMINURL=http://kratos:4434
+            - MANAGEMENTPORTAL_AUTHSERVER_INTERNAL=false # IF using external auth server like ORY Hydra
+            - MANAGEMENTPORTAL_AUTHSERVER_SERVERURL=http://hydra:4444
+            - MANAGEMENTPORTAL_AUTHSERVER_LOGINURL=http://localhost:4444
+            - MANAGEMENTPORTAL_AUTHSERVER_SERVERADMINURL=http://hydra:4445
             - MANAGEMENTPORTAL_OAUTH_CLIENTS_FILE=/mp-includes/config/oauth_client_details.csv
+            - MANAGEMENTPORTAL_CATALOGUESERVER_SERVERURL=http://catalogue-server:8080
             - JHIPSTER_SLEEP=10 # gives time for the database to boot before the application
             - JAVA_OPTS=-Xmx512m  # maximum heap size for the JVM running ManagementPortal, increase this as necessary
         ports:
             - "8080:8080"
         networks:
             - all-net
             - mp-net
+            - default
         volumes:
             - ./etc:/mp-includes
 
 
     managementportal-postgresql:
         extends:
-            file: postgresql.yml
+            file: postgres.yml
             service: managementportal-postgresql
         networks:
             - mp-net
 
-    ## ORY
-
-    # Kratos
-    kratos-selfservice-ui-node:
-        image:
-            oryd/kratos-selfservice-ui-node
-        environment:
-            - LOG_LEAK_SENSITIVE_VALUES=true
-            - KRATOS_PUBLIC_URL=http://kratos:4433
-            - KRATOS_ADMIN_URL=http://kratos:4434
-            - SECURITY_MODE=standalone
-            - KRATOS_BROWSER_URL=http://127.0.0.1:4433
-            - COOKIE_SECRET=unsafe_cookie_secret
-            - CSRF_COOKIE_NAME=radar
-            - CSRF_COOKIE_SECRET=unsafe_csrf_cookie_secret
-        ports:
-            - "3000:3000"
-        networks:
-            - all-net
-        volumes:
-            - /tmp/ui-node/logs:/root/.npm/_logs
-
-    kratos:
-      depends_on:
-        - kratos-migrate
-      image: oryd/kratos:v1.0.0
-      ports:
-        - "4433:4433" # public
-        - "4434:4434" # admin, should be closed in production
-      restart: unless-stopped
-      environment:
-        - DSN=postgres://kratos:secret@postgresd-kratos/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
-      command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
-      volumes:
-        - type: bind
-          source: ./etc/config/kratos
-          target: /etc/config/kratos
-      networks:
-        - all-net
-        - kratos-net
-
-    kratos-migrate:
-        image:
-            oryd/kratos:v1.0.0
-        environment:
-            - DSN=postgres://kratos:secret@postgresd-kratos/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
-        volumes:
-            - type: bind
-              source: ./etc/config/kratos
-              target: /etc/config/kratos
-        command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
-        restart: on-failure
-        networks:
-            - kratos-net
-
-    postgresd-kratos:
-        image: postgres:11.8
-        environment:
-            - POSTGRES_USER=kratos
-            - POSTGRES_PASSWORD=secret
-            - POSTGRES_DB=kratos
-        networks:
-            - kratos-net
-
-    mailslurper:
-        image: oryd/mailslurper:latest-smtps
-        ports:
-            - "4436:4436"
-            - "4437:4437"
-        networks:
-            - kratos-net
-
 networks:
     all-net:
     mp-net:
 
@@ -9,14 +9,18 @@ services:
             - SPRING_DATASOURCE_URL=jdbc:postgresql://managementportal-postgresql:5432/managementportal
             - SPRING_DATASOURCE_USERNAME=radarbase
             - SPRING_DATASOURCE_PASSWORD=radarbase
+            - MANAGEMENTPORTAL_COMMON_ADMINPASSWORD=admin
             - MANAGEMENTPORTAL_FRONTEND_CLIENT_SECRET=secret
+            - MANAGEMENTPORTAL_IDENTITYSERVER_INTERNAL=false # IF using external identity like ORY Kratos
             - MANAGEMENTPORTAL_IDENTITYSERVER_ADMINEMAIL=admin-email-here@radar-base.net
             - MANAGEMENTPORTAL_IDENTITYSERVER_SERVERURL=http://kratos:4433
             - MANAGEMENTPORTAL_IDENTITYSERVER_LOGINURL=http://localhost:3000
             - MANAGEMENTPORTAL_IDENTITYSERVER_SERVERADMINURL=http://kratos:4434
+            - MANAGEMENTPORTAL_AUTHSERVER_INTERNAL=false # IF using external auth server like ORY Hydra
             - MANAGEMENTPORTAL_AUTHSERVER_SERVERURL=http://hydra:4444
             - MANAGEMENTPORTAL_AUTHSERVER_LOGINURL=http://localhost:4444
             - MANAGEMENTPORTAL_AUTHSERVER_SERVERADMINURL=http://hydra:4445
+            - MANAGEMENTPORTAL_CATALOGUESERVER_SERVERURL=http://catalogue-server:8080
             - JHIPSTER_SLEEP=10 # gives time for the database to boot before the application
             - JAVA_OPTS=-Xmx512m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 #enables remote debugging
         ports: