diff options
| author | ertopogo <erwin.t.pombett@gmail.com> | 2026-02-22 19:51:17 +0100 |
|---|---|---|
| committer | ertopogo <erwin.t.pombett@gmail.com> | 2026-02-22 19:51:17 +0100 |
| commit | c0dac6503789e8c3f2c111cef0d4d0ebeb624ea9 (patch) | |
| tree | abf9c716e9f47a2bf77098cfaacf21fad961ee14 /micro/flux/vk_auth_seq.mmd | |
| parent | 4e0d25b944fd9632e2555c4f6ae01b4728262dfb (diff) | |
Application:ajout des flux de sequence
Diffstat (limited to 'micro/flux/vk_auth_seq.mmd')
| -rw-r--r-- | micro/flux/vk_auth_seq.mmd | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/micro/flux/vk_auth_seq.mmd b/micro/flux/vk_auth_seq.mmd new file mode 100644 index 0000000..d16c485 --- /dev/null +++ b/micro/flux/vk_auth_seq.mmd @@ -0,0 +1,118 @@ +%% Source projet : E:\Dev\Chiruca
+%% Auth : OIDC Keycloak natif Vikunja, realm chiruca
+%% Flux : Authorization Code Flow avec Google Identity Brokering + auto-creation compte
+%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
+sequenceDiagram
+ autonumber
+
+ box rgb(30, 58, 95) Cote Utilisateur
+ actor User as Navigateur
+ end
+
+ box rgb(30, 58, 95) Caddy araucaria .50
+ participant Caddy as Caddy<br/>vk.arauco.online<br/>TLS termination
+ end
+
+ box rgb(30, 74, 46) huitral .22 - Docker Compose
+ participant VK as Vikunja<br/>:3456
+ participant VKDB as PostgreSQL 16<br/>vikunja-db :5432
+ end
+
+ box rgb(74, 30, 58) npagnun .35
+ participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
+ end
+
+ box rgb(42, 58, 74) Google
+ participant Google as Google OAuth 2.0<br/>accounts.google.com
+ end
+
+ Note over User, Google: Flux AuthN - OIDC Authorization Code Flow
+
+ User ->>+ Caddy: GET https://vk.arauco.online
+ Caddy ->>+ VK: HTTP :3456
+ VK -->>- Caddy: Page login Vikunja
+ Caddy -->>- User: Login form + bouton "Se connecter avec Keycloak"
+
+ User ->> User: Clic "Se connecter avec Keycloak"
+
+ User ->>+ Caddy: GET /auth/openid/keycloak
+ Caddy ->>+ VK: HTTP :3456
+ VK ->> VK: Generer state<br/>VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_AUTHURL:<br/>kc.arauco.online/realms/chiruca
+ VK -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=vikunja<br/>&redirect_uri=vk.arauco.online/auth/openid/keycloak<br/>&scope=openid+profile+email<br/>&response_type=code
+ Caddy -->>- User: Redirect vers Keycloak
+
+ User ->>+ KC: GET /realms/chiruca/.../auth
+ KC -->>- User: Page login Keycloak<br/>(formulaire + bouton Google)
+
+ User ->> KC: Clic "Login with Google"
+
+ KC ->>+ Google: Redirect OAuth2<br/>accounts.google.com/o/oauth2/auth
+ User ->> Google: Authentification Gmail<br/>+ consentement scopes
+ Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)
+
+ KC ->> KC: Identity Brokering<br/>First Broker Login si nouveau<br/>Creer/lier compte chiruca
+ KC ->> KC: Attacher roles:<br/>Client vikunja: admin | editor | viewer<br/>Realm: admin | user | gest-taches<br/>Heritage depuis groupe
+
+ KC -->> User: 302 + code authorization<br/>-> vk.arauco.online/auth/openid/keycloak
+
+ User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy
+ Caddy ->>+ VK: HTTP :3456
+ VK ->> VK: Verifier state
+
+ VK ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: vikunja,<br/>client_secret: ****}
+ KC -->>- VK: JWT access_token + ID token + refresh_token
+
+ VK ->> VK: Valider ID token (signature, iss, aud, exp)
+ VK ->> VK: Extraire claims: sub, email, preferred_username
+
+ alt Premier login OIDC
+ VK ->> VKDB: INSERT user (auto-creation)<br/>email, username depuis claims
+ VKDB -->> VK: User cree
+ Note over VK: Auto-creation compte Vikunja<br/>au premier login OIDC
+ else Utilisateur existant
+ VK ->> VKDB: SELECT user WHERE issuer_id = sub
+ VKDB -->> VK: User existant
+ end
+
+ VK ->> VK: Generer JWT interne<br/>(VIKUNJA_SERVICE_JWTSECRET)
+ VK -->>- Caddy: 200 + Set-Cookie / JWT token
+ Caddy -->>- User: Session Vikunja active
+
+ Note over User, Google: AuthZ - Roles Keycloak dans JWT claims
+
+ rect rgb(74, 58, 30)
+ Note over User, KC: Mapping groupes Keycloak -> permissions Vikunja
+ Note over KC: /admins -> vk: admin (gestion complete)
+ Note over KC: /equipe-terrain -> vk: editor (creer/editer taches)
+ Note over KC: /consultants -> vk: viewer (lecture seule)
+ end
+
+ Note over User, VK: Acces API authentifie
+
+ User ->>+ Caddy: GET /api/v1/projects<br/>Authorization: Bearer JWT_INTERNE
+ Caddy ->>+ VK: HTTP :3456
+ VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)
+ VK ->> VKDB: SELECT projects WHERE user has access
+ VKDB -->> VK: Projets autorises
+ VK -->>- Caddy: 200 JSON
+ Caddy -->>- User: Liste projets
+
+ Note over User, VK: Synchronisation CalDAV / ICS
+
+ User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/<br/>Authorization: Bearer JWT
+ Caddy ->>+ VK: HTTP :3456
+ VK ->> VK: Auth CalDAV via JWT
+ VK ->> VKDB: Calendriers de l'utilisateur
+ VKDB -->> VK: Listes + taches
+ VK -->>- Caddy: 207 Multi-Status XML
+ Caddy -->>- User: Donnees CalDAV
+
+ Note over User, VK: Integration Home Assistant
+
+ participant HA as Home Assistant<br/>ha.arauco.online
+
+ HA ->>+ VK: GET /api/v1/projects/ID/tasks<br/>Authorization: Bearer JWT_HA_SERVICE
+ VK ->> VK: Auth API token
+ VK ->> VKDB: Taches du projet
+ VKDB -->> VK: Resultats
+ VK -->>- HA: JSON taches -> todo entities HA
|