Diffstat (limited to 'micro/iam')
-rw-r--r--micro/iam/chiruca_auth.mmd99
1 files changed, 99 insertions, 0 deletions
diff --git a/micro/iam/chiruca_auth.mmd b/micro/iam/chiruca_auth.mmd
new file mode 100644
index 0000000..858a779
--- /dev/null
+++ b/micro/iam/chiruca_auth.mmd
@@ -0,0 +1,99 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60}}}%%
+flowchart LR
+ subgraph user_side ["Cote Utilisateur"]
+ direction TB
+ user["Navigateur"]
+ jwt["Token JWT Keycloak<br/>dans le header"]
+ user --> jwt
+ end
+
+ subgraph google ["Google (IdP externe)"]
+ direction TB
+ goog_oauth["Google OAuth 2.0<br/>accounts.google.com"]
+ goog_claims["Claims Google<br/>sub, email, name<br/>picture, email_verified"]
+ end
+
+ subgraph keycloak ["Keycloak - npagnun .35<br/>Realm: chiruca"]
+ direction TB
+
+ subgraph endpoints ["Endpoints"]
+ direction LR
+ http_ep[":8080 HTTP"]
+ https_ep[":8443 HTTPS"]
+ health[":9000 Health"]
+ end
+
+ subgraph idp_conf ["Identity Provider"]
+ google_idp["Google IdP<br/>Identity Brokering<br/>First Broker Login"]
+ end
+
+ subgraph clients ["Clients OIDC"]
+ direction LR
+ c_vikunja["vikunja<br/>redirect: vk.arauco.online<br/>scope: openid email profile"]
+ c_ha["homeassistant<br/>redirect: ha.arauco.online<br/>/auth/oidc/callback"]
+ end
+
+ subgraph roles_conf ["Roles"]
+ direction TB
+ realm_roles["Realm roles<br/>admin | user<br/>gestionnaire-taches"]
+ cr_vikunja["Client vikunja<br/>admin | editor | viewer"]
+ cr_ha["Client homeassistant<br/>admin | user"]
+ end
+
+ subgraph groups_conf ["Groupes"]
+ direction TB
+ g_admins["/admins<br/>realm: admin<br/>vk: admin, ha: admin"]
+ g_terrain["/equipe-terrain<br/>realm: user, gest-taches<br/>vk: editor, ha: user"]
+ g_consult["/consultants<br/>realm: user<br/>vk: viewer, ha: user"]
+ end
+
+ subgraph oidc_flow ["Flux OIDC"]
+ direction LR
+ step1["1. /authorize<br/>client_id + scope"]
+ step2["2. Login Keycloak<br/>-> Login with Google"]
+ step3["3. Google auth<br/>+ consent"]
+ step4["4. Code -> Tokens<br/>JWT avec roles locaux"]
+ step1 --> step2 --> step3 --> step4
+ end
+ end
+
+ subgraph db ["Base de donnees"]
+ pg["PostgreSQL 15<br/>:5432 interne<br/>DB: keycloak"]
+ end
+
+ subgraph apps ["Applications Chiruca"]
+ direction TB
+ vikunja["Vikunja<br/>vk.arauco.online"]
+ ha["Home Assistant<br/>ha.arauco.online"]
+ end
+
+ user -->|"Login request"| apps
+ apps -->|"Redirect OIDC"| endpoints
+ step2 -->|"Redirect OAuth2"| goog_oauth
+ goog_oauth -->|"Code + ID Token"| google_idp
+ step4 -->|"JWT access_token<br/>+ refresh_token"| user
+ jwt -->|"Authorization: Bearer"| apps
+
+ keycloak --> pg
+
+ vikunja -->|"Token verify"| keycloak
+ ha -->|"Token verify"| keycloak
+
+ groups_conf -.->|"Heritage roles"| roles_conf
+
+ classDef userStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef appStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+ classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
+ classDef groupStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+
+ class user,jwt userStyle
+ class goog_oauth,goog_claims extStyle
+ class http_ep,https_ep,health,google_idp,c_vikunja,c_ha iamStyle
+ class realm_roles,cr_vikunja,cr_ha iamStyle
+ class step1,step2,step3,step4 flowStyle
+ class g_admins,g_terrain,g_consult groupStyle
+ class pg storStyle
+ class vikunja,ha appStyle
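Review bot: The Keycloak node exposes `:8080 HTTP` alongside `:8443 HTTPS`, while the flow at the end of the hunk hands the browser a `JWT access_token + refresh_token` and the apps send `Authorization: Bearer`; nothing on the diagram records that the plaintext port is reachable only from a TLS-terminating proxy or the internal network, so a reader may point clients at it and send codes and tokens in clear. I would add a Mermaid comment above the endpoints subgraph: `%% :8080 is plaintext - keep it behind the reverse proxy / internal network only; authorization codes and tokens must not traverse it.` The `Google IdP / Identity Brokering / First Broker Login` node also does not say how the realm gates who may broker in (hosted-domain `hd` check, email-domain restriction, or manual approval) nor whether the first-login flow may link to an existing local account by matching email; as drawn, any Google account appears able to create a realm user. A short label or `%%` comment stating the chosen gate and the account-linking policy would make that trust boundary explicit, and if the gate is enforced elsewhere the comment should say where.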