author: ertopogo <erwin.t.pombett@gmail.com> 2026-02-22 19:57:54 +0100
committer: ertopogo <erwin.t.pombett@gmail.com> 2026-02-22 19:57:54 +0100
commit: 27e9f08e863e9ca22c1244f3cb24150142571334 (patch)
tree: 7e6cdeb4c2043cf17fc833a0c841303974c45f9e /micro/flux/ha_auth_seq.mmd
parent: c0dac6503789e8c3f2c111cef0d4d0ebeb624ea9 (diff)
Application: fix the visibility of the sequence diagrams under flux
Diffstat (limited to 'micro/flux/ha_auth_seq.mmd')
-rw-r--r--  micro/flux/ha_auth_seq.mmd  81
1 file changed, 32 insertions, 49 deletions
diff --git a/micro/flux/ha_auth_seq.mmd b/micro/flux/ha_auth_seq.mmd
index 0e70c08..51dd5ae 100644
--- a/micro/flux/ha_auth_seq.mmd
+++ b/micro/flux/ha_auth_seq.mmd
@@ -1,101 +1,84 @@
%% Source projet : E:\Dev\Chiruca
%% Auth : OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca
%% Flux : Authorization Code Flow avec Google Identity Brokering
-%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
- box rgb(30, 58, 95) Cote Utilisateur
- actor User as Navigateur
- end
-
- box rgb(30, 58, 95) Caddy araucaria .50
- participant Caddy as Caddy<br/>ha.arauco.online<br/>TLS + WebSocket
- end
-
- box rgb(30, 74, 74) huitral .22 - network_mode: host
- participant HA as Home Assistant<br/>:8123
- participant OIDC as hass-oidc-auth<br/>(HACS component)
- end
+ actor User as Navigateur
- box rgb(74, 30, 58) npagnun .35
- participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
- end
-
- box rgb(42, 58, 74) Google
- participant Google as Google OAuth 2.0<br/>accounts.google.com
- end
+ participant Caddy as Caddy araucaria .50
+ participant HA as Home Assistant :8123
+ participant OIDC as hass-oidc-auth (HACS)
+ participant KC as Keycloak npagnun .35
+ participant Google as Google OAuth 2.0
Note over User, Google: Flux AuthN - OIDC Authorization Code Flow
User ->>+ Caddy: GET https://ha.arauco.online
- Caddy ->>+ HA: HTTP :8123<br/>X-Real-IP, WebSocket support
+ Caddy ->>+ HA: HTTP :8123 (WebSocket support, X-Real-IP)
HA -->>- Caddy: Page login Home Assistant
- Caddy -->>- User: Login form + bouton SSO
+ Caddy -->>- User: Login form + bouton SSO OpenID Connect
- User ->> User: Clic "Login with OpenID Connect"
+ User ->> User: Clic Login with OpenID Connect
User ->>+ Caddy: GET /auth/oidc/redirect
Caddy ->>+ OIDC: HTTP :8123
- OIDC ->> OIDC: Generer state + nonce<br/>discovery_url: kc.arauco.online<br/>/realms/chiruca/.well-known/<br/>openid-configuration
- OIDC -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=homeassistant<br/>&redirect_uri=ha.arauco.online/auth/oidc/callback<br/>&scope=openid+email+profile<br/>&response_type=code
+ OIDC ->> OIDC: Generer state + nonce (discovery_url kc.arauco.online)
+ OIDC -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=homeassistant&scope=openid+email+profile
Caddy -->>- User: Redirect vers Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
- KC -->>- User: Page login Keycloak<br/>(formulaire + bouton Google)
+ KC -->>- User: Page login Keycloak (formulaire + bouton Google)
- User ->> KC: Clic "Login with Google"
+ User ->> KC: Clic Login with Google
- KC ->>+ Google: Redirect OAuth2<br/>accounts.google.com/o/oauth2/auth
- User ->> Google: Authentification Gmail<br/>+ consentement scopes
- Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)
+ KC ->>+ Google: Redirect OAuth2 accounts.google.com
+ User ->> Google: Authentification Gmail + consentement
+ Google -->>- KC: Code + ID Token (sub, email, name, picture)
- KC ->> KC: Identity Brokering<br/>First Broker Login si nouveau<br/>Creer/lier compte chiruca
- KC ->> KC: Attacher roles:<br/>Client homeassistant: admin | user<br/>Realm: admin | user | gest-taches<br/>Heritage depuis groupe (/admins, /equipe-terrain, /consultants)
+ KC ->> KC: Identity Brokering - First Broker Login si nouveau
+ KC ->> KC: Creer/lier compte chiruca
+ KC ->> KC: Attacher roles: homeassistant admin|user + realm roles
+ KC ->> KC: Heritage groupes: /admins /equipe-terrain /consultants
- KC -->> User: 302 + code authorization<br/>-> ha.arauco.online/auth/oidc/callback
+ KC -->> User: 302 + code -> ha.arauco.online/auth/oidc/callback
User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy
Caddy ->>+ OIDC: HTTP :8123
OIDC ->> OIDC: Verifier state
- OIDC ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: homeassistant,<br/>client_secret: ****}
+ OIDC ->>+ KC: POST /realms/chiruca/.../token {code, client_id=homeassistant, client_secret}
KC -->>- OIDC: JWT access_token + ID token + refresh_token
OIDC ->> OIDC: Valider ID token (signature, iss, aud, exp)
OIDC ->> OIDC: Extraire claims: sub, email, name
alt Premier login OIDC
- OIDC ->> HA: Creer utilisateur HA<br/>+ entite person
+ OIDC ->> HA: Creer utilisateur HA + entite person
else Utilisateur existant
OIDC ->> HA: Retrouver utilisateur lie
end
- Note over OIDC, HA: Code unique genere<br/>valide 5 minutes
-
OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE
- Caddy -->>- User: Page welcome
+ Caddy -->>- User: Page welcome (code unique valide 5 min)
- User ->>+ Caddy: POST /auth/oidc/welcome<br/>{code: UNIQUE_CODE}
+ User ->>+ Caddy: POST /auth/oidc/welcome {code: UNIQUE_CODE}
Caddy ->>+ HA: HTTP :8123
HA ->> HA: Verifier code unique (< 5 min)
HA ->> HA: Creer session HA longue duree
- HA -->>- Caddy: 200 + Set-Cookie: ha_session
+ HA -->>- Caddy: 200 + Set-Cookie ha_session
Caddy -->>- User: Session HA active
- Note over User, Google: AuthZ - Roles Keycloak -> Permissions HA
+ Note over User, KC: AuthZ - Roles Keycloak -> Permissions HA
- rect rgb(74, 58, 30)
- Note over User, KC: Mapping groupes Keycloak -> acces HA
- Note over KC: /admins -> ha: admin (config complete)
- Note over KC: /equipe-terrain -> ha: user (dashboard + devices)
- Note over KC: /consultants -> ha: user (lecture seule)
- end
+ Note over KC: /admins -> ha: admin (config complete)
+ Note over KC: /equipe-terrain -> ha: user (dashboard + devices)
+ Note over KC: /consultants -> ha: user (lecture seule)
- Note over User, HA: Connexion WebSocket pour temps reel
+ Note over User, HA: Connexion WebSocket temps reel
User ->>+ Caddy: WSS ha.arauco.online/api/websocket
- Note right of Caddy: read_timeout 0<br/>(connexion permanente)
+ Note right of Caddy: read_timeout 0 (connexion permanente)
Caddy ->>+ HA: WS :8123
HA -->>- Caddy: Events temps reel
Caddy -->>- User: MAJ dashboard live
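Review bot: the simplified authorization redirect on the `+ OIDC -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=homeassistant&scope=openid+email+profile` line drops `redirect_uri=ha.arauco.online/auth/oidc/callback` and `response_type=code`, which the removed line carried; those two parameters are what define the Authorization Code Flow and what Keycloak checks against the client's registered redirect URIs, so they are worth keeping even in the compact form, e.g. `...auth?client_id=homeassistant&redirect_uri=ha.arauco.online/auth/oidc/callback&response_type=code&scope=openid+email+profile`. Likewise the token request line `+ OIDC ->>+ KC: POST /realms/chiruca/.../token {code, client_id=homeassistant, client_secret}` lost `grant_type: authorization_code`; a short `grant_type=authorization_code` keeps the diagram unambiguous. Separately, the diagram generates a `nonce` on `+ OIDC ->> OIDC: Generer state + nonce (...)` and verifies `state`, but the unchanged `OIDC ->> OIDC: Valider ID token (signature, iss, aud, exp)` step never mentions the nonce; if hass-oidc-auth checks it, adding `nonce` to that list documents the replay protection the flow relies on.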