From 27e9f08e863e9ca22c1244f3cb24150142571334 Mon Sep 17 00:00:00 2001 From: ertopogo Date: Sun, 22 Feb 2026 19:57:54 +0100 Subject: Application:correction de la visibilité des diagrames de séquence sous flux MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- micro/flux/dt_auth_seq.mmd | 81 +++++++++++++++++----------------------------- 1 file changed, 30 insertions(+), 51 deletions(-) (limited to 'micro/flux/dt_auth_seq.mmd') diff --git a/micro/flux/dt_auth_seq.mmd b/micro/flux/dt_auth_seq.mmd index 9747cf3..6946c27 100644 --- a/micro/flux/dt_auth_seq.mmd +++ b/micro/flux/dt_auth_seq.mmd @@ -1,61 +1,43 @@ %% Source projet : E:\Dev\Web-Works\Der-topogo %% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer) %% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca) -%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% sequenceDiagram autonumber - box rgb(30, 58, 95) Cote Utilisateur - actor User as Navigateur - end - - box rgb(30, 58, 95) Caddy araucaria .50 - participant Caddy as Caddy
dt.arauco.online
TLS + headers securite - end - - box rgb(30, 74, 46) huitral .22 - participant App as Next.js 16 + Payload v3
:3000 standalone - participant MW as Middleware Next.js
CSP headers - end + actor User as Navigateur - box rgb(74, 58, 30) PostgreSQL - participant PG as PostgreSQL
@payloadcms/db-postgres - end - - box rgb(74, 30, 58) npagnun .35 - participant KC as Keycloak
kc.arauco.online
Realm chiruca - participant Google as Google IdP - end + participant Caddy as Caddy araucaria .50 + participant App as Next.js + Payload CMS :3000 + participant PG as PostgreSQL + participant KC as Keycloak npagnun .35 + participant Google as Google IdP Note over User, PG: Flux 1 - AuthN Active : Payload CMS natif (/admin) User ->>+ Caddy: GET https://dt.arauco.online/admin - Note right of Caddy: HSTS, X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin - Caddy ->>+ MW: HTTP :3000 - MW ->> MW: Ajouter CSP headers
(exclu pour /admin) - MW ->>+ App: /admin - App -->>- MW: Page login Payload - MW -->>- Caddy: HTML + Note right of Caddy: Headers: HSTS, X-Frame-Options DENY + Caddy ->>+ App: HTTP :3000 + App -->>- Caddy: Page login Payload Caddy -->>- User: Login form - User ->>+ Caddy: POST /admin/api/users/login
{email, password} + User ->>+ Caddy: POST /admin/api/users/login {email, password} Caddy ->>+ App: HTTP :3000 App ->> PG: SELECT user WHERE email = ? PG -->> App: User record + role App ->> App: Verify password (scrypt) App ->> App: Create session (PAYLOAD_SECRET) - App -->>- Caddy: 200 + Set-Cookie: payload-token + App -->>- Caddy: 200 + Set-Cookie payload-token Caddy -->>- User: Cookie session Payload Note over User, PG: AuthZ - RBAC Payload CMS (3 niveaux) - User ->>+ Caddy: GET /admin/api/articles
Cookie: payload-token=... + User ->>+ Caddy: GET /admin/api/articles - Cookie: payload-token Caddy ->>+ App: HTTP :3000 App ->> App: Verify session (PAYLOAD_SECRET) - App ->> App: Check role: admin | editor | viewer + App ->> App: Check role alt role = admin - App ->> PG: CRUD toutes collections + App ->> PG: CRUD toutes collections + gestion users else role = editor App ->> PG: Read + Write articles, upload media else role = viewer @@ -68,42 +50,39 @@ sequenceDiagram Note over User, Google: Flux 2 - AuthN Planifiee : Auth.js v5 + Keycloak OIDC - rect rgb(42, 42, 42) - Note over User, Google: --- PLANIFIE (non implemente) --- + rect rgb(60, 60, 60) + Note over User, Google: PLANIFIE - non encore implemente User ->>+ Caddy: GET https://dt.arauco.online/page-protegee - Caddy ->>+ MW: HTTP :3000 - MW ->> MW: CSP: connect-src kc.arauco.online - MW ->>+ App: Route groupe (auth) - App ->> App: Auth.js: session inexistante - App -->>- MW: Redirect /api/auth/signin - MW -->>- Caddy: 302 + Caddy ->>+ App: HTTP :3000 + App ->> App: Auth.js - session inexistante + App -->>- Caddy: 302 Redirect /api/auth/signin Caddy -->>- User: Redirect login User ->>+ Caddy: GET /api/auth/signin Caddy ->>+ App: HTTP :3000 App ->> App: Auth.js provider Keycloak - App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth
?client_id=dertopogo&redirect_uri=dt.arauco.online/api/auth/callback/keycloak&scope=openid+profile+email + App -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=dertopogo Caddy -->>- User: Redirect vers Keycloak User ->>+ KC: GET /realms/chiruca/.../auth KC -->>- User: Page login Keycloak - User ->> KC: Clic "Login with Google" - KC ->>+ Google: Redirect OAuth2 Google + User ->> KC: Clic Login with Google + KC ->>+ Google: Redirect OAuth2 User ->> Google: Authentification Google - Google -->>- KC: Code + ID Token (sub, email, name) + Google -->>- KC: Code + ID Token - KC ->> KC: Identity Brokering
Creer/lier compte local
Attacher roles realm + client - KC -->> User: 302 + code authorization
-> dt.arauco.online/api/auth/callback/keycloak + KC ->> KC: Identity Brokering + attacher roles + KC -->> User: 302 + code -> dt.arauco.online/api/auth/callback/keycloak User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx Caddy ->>+ App: HTTP :3000 - App ->>+ KC: POST /realms/chiruca/.../token
{code, client_secret} - KC -->>- App: JWT access_token + refresh_token
(avec roles dans claims) - App ->> App: Auth.js: creer session (AUTH_SECRET) - App -->>- Caddy: Set-Cookie: authjs.session-token + App ->>+ KC: POST /realms/chiruca/.../token {code, client_secret} + KC -->>- App: JWT access_token + refresh_token + App ->> App: Auth.js creer session (AUTH_SECRET) + App -->>- Caddy: Set-Cookie authjs.session-token Caddy -->>- User: Session Auth.js active - Note over User, KC: AuthZ planifiee - Roles Keycloak dans JWT claims
Mappage roles KC -> autorisations pages (auth) + Note over User, KC: AuthZ planifiee - Roles KC dans JWT claims end -- cgit v1.2.3
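Review bot: Removing the MW participant in the first hunk also removes the only place the diagram recorded that the Next.js middleware adds CSP headers and that /admin is excluded from that CSP; since the subject says the change is about diagram visibility, keep that fact as a note on App, e.g. `Note over App: Middleware CSP (exclu pour /admin)`. The same hunk trims the Caddy note to `Headers: HSTS, X-Frame-Options DENY`, dropping X-Content-Type-Options: nosniff and Referrer-Policy: strict-origin, and replaces `Check role: admin | editor | viewer` with `Check role`, so a reader of the new diagram can no longer see which headers Caddy sets or which roles exist before reaching the `alt` branches. A quick check is to render the new file and confirm the `else role = editor` / `else role = viewer` branches still read clearly without the enumeration.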
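Review bot: In the second hunk the authorization request line keeps only `client_id=dertopogo` and drops redirect_uri and scope, and the Keycloak note drops `Creer/lier compte local`, so the diagram no longer shows the redirect URI that Keycloak must validate for the dertopogo client, the requested scopes, or the step where a brokered Google identity is linked to a local account. Those are the parts of the planned OIDC flow that will need to be checked against the Keycloak client configuration once it is implemented, so suggest keeping them in abbreviated form, e.g. `302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=dertopogo&redirect_uri=.../callback/keycloak&scope=openid+profile+email`. Removing `Mappage roles KC -> autorisations pages (auth)` likewise loses the statement that Keycloak roles map to page authorization, which is the point of the AuthZ note that remains.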