From c0dac6503789e8c3f2c111cef0d4d0ebeb624ea9 Mon Sep 17 00:00:00 2001
From: ertopogo <erwin.t.pombett@gmail.com>
Date: Sun, 22 Feb 2026 19:51:17 +0100
Subject: Application:ajout des flux de sequence

---
 micro/flux/vk_auth_seq.mmd | 118 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 micro/flux/vk_auth_seq.mmd

(limited to 'micro/flux/vk_auth_seq.mmd')
diff --git a/micro/flux/vk_auth_seq.mmd b/micro/flux/vk_auth_seq.mmd
new file mode 100644
index 0000000..d16c485
--- /dev/null
+++ b/micro/flux/vk_auth_seq.mmd
@@ -0,0 +1,118 @@
+%% Source projet : E:\Dev\Chiruca
+%% Auth : OIDC Keycloak natif Vikunja, realm chiruca
+%% Flux : Authorization Code Flow avec Google Identity Brokering + auto-creation compte
+%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
+sequenceDiagram
+    autonumber
+
+    box rgb(30, 58, 95) Cote Utilisateur
+        actor User as Navigateur
+    end
+
+    box rgb(30, 58, 95) Caddy araucaria .50
+        participant Caddy as Caddy<br/>vk.arauco.online<br/>TLS termination
+    end
+
+    box rgb(30, 74, 46) huitral .22 - Docker Compose
+        participant VK as Vikunja<br/>:3456
+        participant VKDB as PostgreSQL 16<br/>vikunja-db :5432
+    end
+
+    box rgb(74, 30, 58) npagnun .35
+        participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
+    end
+
+    box rgb(42, 58, 74) Google
+        participant Google as Google OAuth 2.0<br/>accounts.google.com
+    end
+
+    Note over User, Google: Flux AuthN - OIDC Authorization Code Flow
+
+    User ->>+ Caddy: GET https://vk.arauco.online
+    Caddy ->>+ VK: HTTP :3456
+    VK -->>- Caddy: Page login Vikunja
+    Caddy -->>- User: Login form + bouton "Se connecter avec Keycloak"
+
+    User ->> User: Clic "Se connecter avec Keycloak"
+
+    User ->>+ Caddy: GET /auth/openid/keycloak
+    Caddy ->>+ VK: HTTP :3456
+    VK ->> VK: Generer state<br/>VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_AUTHURL:<br/>kc.arauco.online/realms/chiruca
+    VK -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=vikunja<br/>&redirect_uri=vk.arauco.online/auth/openid/keycloak<br/>&scope=openid+profile+email<br/>&response_type=code
+    Caddy -->>- User: Redirect vers Keycloak
+
+    User ->>+ KC: GET /realms/chiruca/.../auth
+    KC -->>- User: Page login Keycloak<br/>(formulaire + bouton Google)
+
+    User ->> KC: Clic "Login with Google"
+
+    KC ->>+ Google: Redirect OAuth2<br/>accounts.google.com/o/oauth2/auth
+    User ->> Google: Authentification Gmail<br/>+ consentement scopes
+    Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)
+
+    KC ->> KC: Identity Brokering<br/>First Broker Login si nouveau<br/>Creer/lier compte chiruca
+    KC ->> KC: Attacher roles:<br/>Client vikunja: admin | editor | viewer<br/>Realm: admin | user | gest-taches<br/>Heritage depuis groupe
+
+    KC -->> User: 302 + code authorization<br/>-> vk.arauco.online/auth/openid/keycloak
+
+    User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy
+    Caddy ->>+ VK: HTTP :3456
+    VK ->> VK: Verifier state
+
+    VK ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: vikunja,<br/>client_secret: ****}
+    KC -->>- VK: JWT access_token + ID token + refresh_token
+
+    VK ->> VK: Valider ID token (signature, iss, aud, exp)
+    VK ->> VK: Extraire claims: sub, email, preferred_username
+
+    alt Premier login OIDC
+        VK ->> VKDB: INSERT user (auto-creation)<br/>email, username depuis claims
+        VKDB -->> VK: User cree
+        Note over VK: Auto-creation compte Vikunja<br/>au premier login OIDC
+    else Utilisateur existant
+        VK ->> VKDB: SELECT user WHERE issuer_id = sub
+        VKDB -->> VK: User existant
+    end
+
+    VK ->> VK: Generer JWT interne<br/>(VIKUNJA_SERVICE_JWTSECRET)
+    VK -->>- Caddy: 200 + Set-Cookie / JWT token
+    Caddy -->>- User: Session Vikunja active
+
+    Note over User, Google: AuthZ - Roles Keycloak dans JWT claims
+
+    rect rgb(74, 58, 30)
+        Note over User, KC: Mapping groupes Keycloak -> permissions Vikunja
+        Note over KC: /admins -> vk: admin (gestion complete)
+        Note over KC: /equipe-terrain -> vk: editor (creer/editer taches)
+        Note over KC: /consultants -> vk: viewer (lecture seule)
+    end
+
+    Note over User, VK: Acces API authentifie
+
+    User ->>+ Caddy: GET /api/v1/projects<br/>Authorization: Bearer JWT_INTERNE
+    Caddy ->>+ VK: HTTP :3456
+    VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)
+    VK ->> VKDB: SELECT projects WHERE user has access
+    VKDB -->> VK: Projets autorises
+    VK -->>- Caddy: 200 JSON
+    Caddy -->>- User: Liste projets
+
+    Note over User, VK: Synchronisation CalDAV / ICS
+
+    User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/<br/>Authorization: Bearer JWT
+    Caddy ->>+ VK: HTTP :3456
+    VK ->> VK: Auth CalDAV via JWT
+    VK ->> VKDB: Calendriers de l'utilisateur
+    VKDB -->> VK: Listes + taches
+    VK -->>- Caddy: 207 Multi-Status XML
+    Caddy -->>- User: Donnees CalDAV
+
+    Note over User, VK: Integration Home Assistant
+
+    participant HA as Home Assistant<br/>ha.arauco.online
+
+    HA ->>+ VK: GET /api/v1/projects/ID/tasks<br/>Authorization: Bearer JWT_HA_SERVICE
+    VK ->> VK: Auth API token
+    VK ->> VKDB: Taches du projet
+    VKDB -->> VK: Resultats
+    VK -->>- HA: JSON taches -> todo entities HA
-- 
cgit v1.2.3

