Diffstat (limited to 'micro/flux/vk_auth_seq.mmd')
-rw-r--r-- micro/flux/vk_auth_seq.mmd 85
1 files changed, 34 insertions, 51 deletions
diff --git a/micro/flux/vk_auth_seq.mmd b/micro/flux/vk_auth_seq.mmd
index d16c485..2002124 100644
--- a/micro/flux/vk_auth_seq.mmd
+++ b/micro/flux/vk_auth_seq.mmd
@@ -1,95 +1,79 @@
%% Source projet : E:\Dev\Chiruca
%% Auth : OIDC Keycloak natif Vikunja, realm chiruca
%% Flux : Authorization Code Flow avec Google Identity Brokering + auto-creation compte
-%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
- box rgb(30, 58, 95) Cote Utilisateur
- actor User as Navigateur
- end
+ actor User as Navigateur
- box rgb(30, 58, 95) Caddy araucaria .50
- participant Caddy as Caddy<br/>vk.arauco.online<br/>TLS termination
- end
-
- box rgb(30, 74, 46) huitral .22 - Docker Compose
- participant VK as Vikunja<br/>:3456
- participant VKDB as PostgreSQL 16<br/>vikunja-db :5432
- end
-
- box rgb(74, 30, 58) npagnun .35
- participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
- end
-
- box rgb(42, 58, 74) Google
- participant Google as Google OAuth 2.0<br/>accounts.google.com
- end
+ participant Caddy as Caddy araucaria .50
+ participant VK as Vikunja :3456
+ participant VKDB as PostgreSQL 16 vikunja-db
+ participant KC as Keycloak npagnun .35
+ participant Google as Google OAuth 2.0
Note over User, Google: Flux AuthN - OIDC Authorization Code Flow
User ->>+ Caddy: GET https://vk.arauco.online
Caddy ->>+ VK: HTTP :3456
VK -->>- Caddy: Page login Vikunja
- Caddy -->>- User: Login form + bouton "Se connecter avec Keycloak"
+ Caddy -->>- User: Login form + bouton Se connecter avec Keycloak
- User ->> User: Clic "Se connecter avec Keycloak"
+ User ->> User: Clic Se connecter avec Keycloak
User ->>+ Caddy: GET /auth/openid/keycloak
Caddy ->>+ VK: HTTP :3456
- VK ->> VK: Generer state<br/>VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_AUTHURL:<br/>kc.arauco.online/realms/chiruca
- VK -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=vikunja<br/>&redirect_uri=vk.arauco.online/auth/openid/keycloak<br/>&scope=openid+profile+email<br/>&response_type=code
+ VK ->> VK: Generer state (authurl kc.arauco.online/realms/chiruca)
+ VK -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=vikunja&scope=openid+profile+email
Caddy -->>- User: Redirect vers Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
- KC -->>- User: Page login Keycloak<br/>(formulaire + bouton Google)
+ KC -->>- User: Page login Keycloak (formulaire + bouton Google)
- User ->> KC: Clic "Login with Google"
+ User ->> KC: Clic Login with Google
- KC ->>+ Google: Redirect OAuth2<br/>accounts.google.com/o/oauth2/auth
- User ->> Google: Authentification Gmail<br/>+ consentement scopes
- Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)
+ KC ->>+ Google: Redirect OAuth2 accounts.google.com
+ User ->> Google: Authentification Gmail + consentement
+ Google -->>- KC: Code + ID Token (sub, email, name, picture)
- KC ->> KC: Identity Brokering<br/>First Broker Login si nouveau<br/>Creer/lier compte chiruca
- KC ->> KC: Attacher roles:<br/>Client vikunja: admin | editor | viewer<br/>Realm: admin | user | gest-taches<br/>Heritage depuis groupe
+ KC ->> KC: Identity Brokering - First Broker Login si nouveau
+ KC ->> KC: Creer/lier compte chiruca
+ KC ->> KC: Attacher roles: vikunja admin|editor|viewer + realm roles
+ KC ->> KC: Heritage groupes: /admins /equipe-terrain /consultants
- KC -->> User: 302 + code authorization<br/>-> vk.arauco.online/auth/openid/keycloak
+ KC -->> User: 302 + code -> vk.arauco.online/auth/openid/keycloak
User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Verifier state
- VK ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: vikunja,<br/>client_secret: ****}
+ VK ->>+ KC: POST /realms/chiruca/.../token {code, client_id=vikunja, client_secret}
KC -->>- VK: JWT access_token + ID token + refresh_token
VK ->> VK: Valider ID token (signature, iss, aud, exp)
VK ->> VK: Extraire claims: sub, email, preferred_username
alt Premier login OIDC
- VK ->> VKDB: INSERT user (auto-creation)<br/>email, username depuis claims
+ VK ->> VKDB: INSERT user (auto-creation depuis claims)
VKDB -->> VK: User cree
- Note over VK: Auto-creation compte Vikunja<br/>au premier login OIDC
else Utilisateur existant
VK ->> VKDB: SELECT user WHERE issuer_id = sub
VKDB -->> VK: User existant
end
- VK ->> VK: Generer JWT interne<br/>(VIKUNJA_SERVICE_JWTSECRET)
+ VK ->> VK: Generer JWT interne (VIKUNJA_SERVICE_JWTSECRET)
VK -->>- Caddy: 200 + Set-Cookie / JWT token
Caddy -->>- User: Session Vikunja active
- Note over User, Google: AuthZ - Roles Keycloak dans JWT claims
+ Note over User, KC: AuthZ - Roles Keycloak -> Permissions Vikunja
- rect rgb(74, 58, 30)
- Note over User, KC: Mapping groupes Keycloak -> permissions Vikunja
- Note over KC: /admins -> vk: admin (gestion complete)
- Note over KC: /equipe-terrain -> vk: editor (creer/editer taches)
- Note over KC: /consultants -> vk: viewer (lecture seule)
- end
+ Note over KC: /admins -> vk: admin (gestion complete)
+ Note over KC: /equipe-terrain -> vk: editor (creer/editer taches)
+ Note over KC: /consultants -> vk: viewer (lecture seule)
Note over User, VK: Acces API authentifie
- User ->>+ Caddy: GET /api/v1/projects<br/>Authorization: Bearer JWT_INTERNE
+ User ->>+ Caddy: GET /api/v1/projects - Authorization: Bearer JWT
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)
VK ->> VKDB: SELECT projects WHERE user has access
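Review bot: the AuthZ part of this hunk no longer shows how Keycloak roles reach Vikunja. Keycloak is drawn attaching `Attacher roles: vikunja admin|editor|viewer + realm roles` and the group inheritance for /admins, /equipe-terrain and /consultants, and the notes under the new `AuthZ - Roles Keycloak -> Permissions Vikunja` heading map each group to a Vikunja role, but the only claims Vikunja is shown reading remain `Extraire claims: sub, email, preferred_username`; the old heading at least stated that the roles travelled in the JWT claims, and that statement is dropped here. Either add the roles/groups claim to the extraction step (and the Keycloak protocol mapper that puts it into the token) or say in the note that the mapping is not carried by the token, otherwise the diagram documents an authorization path that the token flow it draws does not transport. Secondary: the shortened 302 line drops `redirect_uri=...` and `response_type=code`; `redirect_uri` is the value Keycloak matches against the client's registered URIs before returning the code, and `response_type=code` is what makes the diagram's title (Authorization Code Flow) literally true, so both are worth the width. Also, the ID token validation step lists `signature, iss, aud, exp` but no `nonce`; if none is sent, a `%%` comment saying so would stop a reader assuming replay protection the diagram does not show.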
@@ -97,22 +81,21 @@ sequenceDiagram
VK -->>- Caddy: 200 JSON
Caddy -->>- User: Liste projets
- Note over User, VK: Synchronisation CalDAV / ICS
+ Note over User, VK: Synchronisation CalDAV
- User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/<br/>Authorization: Bearer JWT
+ User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/ - Authorization: Bearer JWT
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Auth CalDAV via JWT
- VK ->> VKDB: Calendriers de l'utilisateur
+ VK ->> VKDB: Calendriers de l utilisateur
VKDB -->> VK: Listes + taches
VK -->>- Caddy: 207 Multi-Status XML
- Caddy -->>- User: Donnees CalDAV
+ Caddy -->>- User: Donnees CalDAV (sync DAVx5 mobile)
Note over User, VK: Integration Home Assistant
- participant HA as Home Assistant<br/>ha.arauco.online
+ participant HA as Home Assistant :8123
- HA ->>+ VK: GET /api/v1/projects/ID/tasks<br/>Authorization: Bearer JWT_HA_SERVICE
- VK ->> VK: Auth API token
+ HA ->>+ VK: GET /api/v1/projects/ID/tasks - Bearer JWT_SERVICE
VK ->> VKDB: Taches du projet
VKDB -->> VK: Resultats
VK -->>- HA: JSON taches -> todo entities HA
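Review bot: the Home Assistant path in this hunk loses its authentication step. The removed `VK ->> VK: Auth API token` is not replaced, so the new `HA ->>+ VK: GET /api/v1/projects/ID/tasks - Bearer JWT_SERVICE` goes straight to the database query, making this the only API path in the diagram with no verification step while the browser path keeps `VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)` and the CalDAV path keeps its `Auth CalDAV via JWT` line. Restore a verification line for the service token (whatever check Vikunja actually applies to it), and consider keeping the old `JWT_HA_SERVICE` name, which recorded that this is a dedicated per-integration token rather than the user's session JWT. Unchanged but worth a `%%` comment while you are here: this call goes from HA to Vikunja on :3456 directly, bypassing Caddy, which is the https entry point at vk.arauco.online that every user path in the diagram goes through.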