From c0dac6503789e8c3f2c111cef0d4d0ebeb624ea9 Mon Sep 17 00:00:00 2001 From: ertopogo Date: Sun, 22 Feb 2026 19:51:17 +0100 Subject: Application:ajout des flux de sequence --- micro/flux/ha_auth_seq.mmd | 101 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 micro/flux/ha_auth_seq.mmd (limited to 'micro/flux/ha_auth_seq.mmd') diff --git a/micro/flux/ha_auth_seq.mmd b/micro/flux/ha_auth_seq.mmd new file mode 100644 index 0000000..0e70c08 --- /dev/null +++ b/micro/flux/ha_auth_seq.mmd @@ -0,0 +1,101 @@ +%% Source projet : E:\Dev\Chiruca +%% Auth : OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca +%% Flux : Authorization Code Flow avec Google Identity Brokering +%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% +sequenceDiagram + autonumber + + box rgb(30, 58, 95) Cote Utilisateur + actor User as Navigateur + end + + box rgb(30, 58, 95) Caddy araucaria .50 + participant Caddy as Caddy
ha.arauco.online
TLS + WebSocket + end + + box rgb(30, 74, 74) huitral .22 - network_mode: host + participant HA as Home Assistant
:8123 + participant OIDC as hass-oidc-auth
(HACS component) + end + + box rgb(74, 30, 58) npagnun .35 + participant KC as Keycloak
kc.arauco.online
Realm chiruca + end + + box rgb(42, 58, 74) Google + participant Google as Google OAuth 2.0
accounts.google.com + end + + Note over User, Google: Flux AuthN - OIDC Authorization Code Flow + + User ->>+ Caddy: GET https://ha.arauco.online + Caddy ->>+ HA: HTTP :8123
X-Real-IP, WebSocket support + HA -->>- Caddy: Page login Home Assistant + Caddy -->>- User: Login form + bouton SSO + + User ->> User: Clic "Login with OpenID Connect" + + User ->>+ Caddy: GET /auth/oidc/redirect + Caddy ->>+ OIDC: HTTP :8123 + OIDC ->> OIDC: Generer state + nonce
discovery_url: kc.arauco.online
/realms/chiruca/.well-known/
openid-configuration + OIDC -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca
/protocol/openid-connect/auth
?client_id=homeassistant
&redirect_uri=ha.arauco.online/auth/oidc/callback
&scope=openid+email+profile
&response_type=code + Caddy -->>- User: Redirect vers Keycloak + + User ->>+ KC: GET /realms/chiruca/.../auth + KC -->>- User: Page login Keycloak
(formulaire + bouton Google) + + User ->> KC: Clic "Login with Google" + + KC ->>+ Google: Redirect OAuth2
accounts.google.com/o/oauth2/auth + User ->> Google: Authentification Gmail
+ consentement scopes + Google -->>- KC: Code + ID Token
(sub, email, name, picture) + + KC ->> KC: Identity Brokering
First Broker Login si nouveau
Creer/lier compte chiruca + KC ->> KC: Attacher roles:
Client homeassistant: admin | user
Realm: admin | user | gest-taches
Heritage depuis groupe (/admins, /equipe-terrain, /consultants) + + KC -->> User: 302 + code authorization
-> ha.arauco.online/auth/oidc/callback + + User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy + Caddy ->>+ OIDC: HTTP :8123 + OIDC ->> OIDC: Verifier state + + OIDC ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token
{grant_type: authorization_code,
code: xxx, client_id: homeassistant,
client_secret: ****} + KC -->>- OIDC: JWT access_token + ID token + refresh_token + + OIDC ->> OIDC: Valider ID token (signature, iss, aud, exp) + OIDC ->> OIDC: Extraire claims: sub, email, name + + alt Premier login OIDC + OIDC ->> HA: Creer utilisateur HA
+ entite person + else Utilisateur existant + OIDC ->> HA: Retrouver utilisateur lie + end + + Note over OIDC, HA: Code unique genere
valide 5 minutes + + OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE + Caddy -->>- User: Page welcome + + User ->>+ Caddy: POST /auth/oidc/welcome
{code: UNIQUE_CODE} + Caddy ->>+ HA: HTTP :8123 + HA ->> HA: Verifier code unique (< 5 min) + HA ->> HA: Creer session HA longue duree + HA -->>- Caddy: 200 + Set-Cookie: ha_session + Caddy -->>- User: Session HA active + + Note over User, Google: AuthZ - Roles Keycloak -> Permissions HA + + rect rgb(74, 58, 30) + Note over User, KC: Mapping groupes Keycloak -> acces HA + Note over KC: /admins -> ha: admin (config complete) + Note over KC: /equipe-terrain -> ha: user (dashboard + devices) + Note over KC: /consultants -> ha: user (lecture seule) + end + + Note over User, HA: Connexion WebSocket pour temps reel + + User ->>+ Caddy: WSS ha.arauco.online/api/websocket + Note right of Caddy: read_timeout 0
(connexion permanente) + Caddy ->>+ HA: WS :8123 + HA -->>- Caddy: Events temps reel + Caddy -->>- User: MAJ dashboard live
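Review bot: the nonce generated at "OIDC ->> OIDC: Generer state + nonce" is never shown being verified: the callback step only has "OIDC ->> OIDC: Verifier state", and the token step lists "Valider ID token (signature, iss, aud, exp)" with no nonce. For a documented Authorization Code Flow that sends a nonce in the request, either extend that line to "Valider ID token (signature, iss, aud, exp, nonce)" so the ID token is bound to the original request, or, if hass-oidc-auth does not actually check it, drop the nonce from the generation step so the diagram matches what is really verified. Minor: "%% Source projet : E:\Dev\Chiruca" commits a local developer path into the repository; a relative project reference would be cleaner.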