From 5063ccc088f75f5f56cae32d8cf1987c69816200 Mon Sep 17 00:00:00 2001
From: ertopogo
Date: Sat, 21 Feb 2026 20:49:01 +0100
Subject: Ajouter 4 schemas Chiruca : Caddy reverse proxy, auth OIDC, Home Assistant, Vikunja
Co-authored-by: Cursor
---
micro/iam/chiruca_auth.mmd | 99 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 99 insertions(+)
create mode 100644 micro/iam/chiruca_auth.mmd
(limited to 'micro/iam')
diff --git a/micro/iam/chiruca_auth.mmd b/micro/iam/chiruca_auth.mmd
new file mode 100644
index 0000000..858a779
--- /dev/null
+++ b/micro/iam/chiruca_auth.mmd
@@ -0,0 +1,99 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60}}}%%
+flowchart LR
+ subgraph user_side ["Cote Utilisateur"]
+ direction TB
+ user["Navigateur"]
+ jwt["Token JWT Keycloak
dans le header"]
+ user --> jwt
+ end
+
+ subgraph google ["Google (IdP externe)"]
+ direction TB
+ goog_oauth["Google OAuth 2.0
accounts.google.com"]
+ goog_claims["Claims Google
sub, email, name
picture, email_verified"]
+ end
+
+ subgraph keycloak ["Keycloak - npagnun .35
Realm: chiruca"]
+ direction TB
+
+ subgraph endpoints ["Endpoints"]
+ direction LR
+ http_ep[":8080 HTTP"]
+ https_ep[":8443 HTTPS"]
+ health[":9000 Health"]
+ end
+
+ subgraph idp_conf ["Identity Provider"]
+ google_idp["Google IdP
Identity Brokering
First Broker Login"]
+ end
+
+ subgraph clients ["Clients OIDC"]
+ direction LR
+ c_vikunja["vikunja
redirect: vk.arauco.online
scope: openid email profile"]
+ c_ha["homeassistant
redirect: ha.arauco.online
/auth/oidc/callback"]
+ end
+
+ subgraph roles_conf ["Roles"]
+ direction TB
+ realm_roles["Realm roles
admin | user
gestionnaire-taches"]
+ cr_vikunja["Client vikunja
admin | editor | viewer"]
+ cr_ha["Client homeassistant
admin | user"]
+ end
+
+ subgraph groups_conf ["Groupes"]
+ direction TB
+ g_admins["/admins
realm: admin
vk: admin, ha: admin"]
+ g_terrain["/equipe-terrain
realm: user, gest-taches
vk: editor, ha: user"]
+ g_consult["/consultants
realm: user
vk: viewer, ha: user"]
+ end
+
+ subgraph oidc_flow ["Flux OIDC"]
+ direction LR
+ step1["1. /authorize
client_id + scope"]
+ step2["2. Login Keycloak
-> Login with Google"]
+ step3["3. Google auth
+ consent"]
+ step4["4. Code -> Tokens
JWT avec roles locaux"]
+ step1 --> step2 --> step3 --> step4
+ end
+ end
+
+ subgraph db ["Base de donnees"]
+ pg["PostgreSQL 15
:5432 interne
DB: keycloak"]
+ end
+
+ subgraph apps ["Applications Chiruca"]
+ direction TB
+ vikunja["Vikunja
vk.arauco.online"]
+ ha["Home Assistant
ha.arauco.online"]
+ end
+
+ user -->|"Login request"| apps
+ apps -->|"Redirect OIDC"| endpoints
+ step2 -->|"Redirect OAuth2"| goog_oauth
+ goog_oauth -->|"Code + ID Token"| google_idp
+ step4 -->|"JWT access_token
+ refresh_token"| user
+ jwt -->|"Authorization: Bearer"| apps
+
+ keycloak --> pg
+
+ vikunja -->|"Token verify"| keycloak
+ ha -->|"Token verify"| keycloak
+
+ groups_conf -.->|"Heritage roles"| roles_conf
+
+ classDef userStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef appStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+ classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
+ classDef groupStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+
+ class user,jwt userStyle
+ class goog_oauth,goog_claims extStyle
+ class http_ep,https_ep,health,google_idp,c_vikunja,c_ha iamStyle
+ class realm_roles,cr_vikunja,cr_ha iamStyle
+ class step1,step2,step3,step4 flowStyle
+ class g_admins,g_terrain,g_consult groupStyle
+ class pg storStyle
+ class vikunja,ha appStyle
-- cgit v1.2.3
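Review bot: The `goog_claims` node ("Claims Google" with sub, email, name, picture, email_verified) is declared in the `google` subgraph and styled with `extStyle`, but no edge references it, so the diagram never shows those claims reaching the `google_idp` broker and a reader cannot tell which Google claims are actually mapped into the realm; the only Google-to-Keycloak edge is `goog_oauth -->|"Code + ID Token"| google_idp`. Either connect it, e.g. `goog_oauth --> goog_claims` and `goog_claims -->|"Claims mappes"| google_idp`, or drop the node. Separately, the `endpoints` subgraph lists `:8080 HTTP` beside `:8443 HTTPS` and `apps -->|"Redirect OIDC"| endpoints` targets the whole subgraph, so the diagram does not say which listener the browser reaches or where TLS terminates; the commit subject mentions a Caddy reverse proxy, but it does not appear in this file. Whether :8080 is reachable from outside cannot be determined here, so a label such as `http_ep[":8080 HTTP (interne)"]` (mirroring `:5432 interne` on the database node) or an edge from a proxy node would make the intended exposure explicit.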