%% Source project: E:\Dev\Chiruca
%% Auth: OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca
%% Flow: Authorization Code Flow with Google Identity Brokering
sequenceDiagram
    autonumber
    actor User as Browser
    participant Caddy as Caddy araucaria .50
    participant HA as Home Assistant :8123
    participant OIDC as hass-oidc-auth (HACS)
    participant KC as Keycloak npagnun .35
    participant Google as Google OAuth 2.0

    Note over User, Google: AuthN flow - OIDC Authorization Code Flow
    User ->>+ Caddy: GET https://ha.arauco.online
    Caddy ->>+ HA: HTTP :8123 (WebSocket support, X-Real-IP)
    HA -->>- Caddy: Home Assistant login page
    Caddy -->>- User: Login form + SSO OpenID Connect button
    User ->> User: Click Login with OpenID Connect
    User ->>+ Caddy: GET /auth/oidc/redirect
    Caddy ->>+ OIDC: HTTP :8123
    OIDC ->> OIDC: Generate state + nonce (discovery_url kc.arauco.online)
    OIDC -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=homeassistant&scope=openid+email+profile
    Caddy -->>- User: Redirect to Keycloak
    User ->>+ KC: GET /realms/chiruca/.../auth
    KC -->>- User: Keycloak login page (form + Google button)
    User ->> KC: Click Login with Google
    KC ->>+ Google: OAuth2 redirect to accounts.google.com
    User ->> Google: Gmail authentication + consent
    Google -->>- KC: Code + ID Token (sub, email, name, picture)
    KC ->> KC: Identity Brokering - First Broker Login if new user
    KC ->> KC: Create/link chiruca account
    KC ->> KC: Attach roles: homeassistant admin|user + realm roles
    KC ->> KC: Group inheritance: /admins /equipe-terrain /consultants
    KC -->> User: 302 + code -> ha.arauco.online/auth/oidc/callback
    User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy
    Caddy ->>+ OIDC: HTTP :8123
    OIDC ->> OIDC: Verify state
    OIDC ->>+ KC: POST /realms/chiruca/.../token {code, client_id=homeassistant, client_secret}
    KC -->>- OIDC: JWT access_token + ID token + refresh_token
    OIDC ->> OIDC: Validate ID token (signature, iss, aud, exp)
    OIDC ->> OIDC: Extract claims: sub, email, name
    alt First OIDC login
        OIDC ->> HA: Create HA user + person entity
    else Existing user
        OIDC ->> HA: Look up linked user
    end
    OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE
    Caddy -->>- User: Welcome page (one-time code valid 5 min)
    User ->>+ Caddy: POST /auth/oidc/welcome {code: UNIQUE_CODE}
    Caddy ->>+ HA: HTTP :8123
    HA ->> HA: Verify one-time code (< 5 min)
    HA ->> HA: Create long-lived HA session
    HA -->>- Caddy: 200 + Set-Cookie ha_session
    Caddy -->>- User: HA session active

    Note over User, KC: AuthZ - Keycloak roles -> HA permissions
    Note over KC: /admins -> ha: admin (full configuration)
    Note over KC: /equipe-terrain -> ha: user (dashboard + devices)
    Note over KC: /consultants -> ha: user (read-only)

    Note over User, HA: Real-time WebSocket connection
    User ->>+ Caddy: WSS ha.arauco.online/api/websocket
    Note right of Caddy: read_timeout 0 (persistent connection)
    Caddy ->>+ HA: WS :8123
    HA -->>- Caddy: Real-time events
    Caddy -->>- User: Live dashboard update
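The checks the OIDC participant performs at the callback (Verify state, Validate ID token: signature, iss, aud, exp, plus the nonce bound at Generate state + nonce), as an added Python example that is not hass-oidc-auth's own code. It assumes the issuer and client_id shown in the diagram (realm chiruca, client homeassistant), uses a constructed HS256-signed token in place of the RS256 token Keycloak really returns so it runs offline, and uses a plain dict as the server-side session that holds state and nonce.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values for this example. Keycloak signs ID tokens with RS256;
# HS256 with a shared secret is used here only so the example runs offline.
ISSUER = "https://kc.arauco.online/realms/chiruca"  # realm from the diagram
CLIENT_ID = "homeassistant"                         # client_id from the diagram
SIGNING_KEY = b"constructed-example-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def start_login() -> dict:
    """Step 'Generate state + nonce': both are kept server-side for later comparison."""
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}

def make_id_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Constructed stand-in for the ID token Keycloak returns from /token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_callback(session: dict, returned_state: str, id_token: str, now=None) -> dict:
    """Steps 'Verify state' and 'Validate ID token (signature, iss, aud, exp)',
    plus the nonce check; returns the claims used to create or look up the HA user."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(session["state"], returned_state):
        raise ValueError("state mismatch: callback not bound to this login attempt")
    header, body, sig = id_token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose its own algorithm
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for client homeassistant")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(session["nonce"], claims.get("nonce", "")):
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    return {k: claims.get(k) for k in ("sub", "email", "name")}
```

A token that passes every check but carries a different `aud` or `nonce` is still rejected, which is what keeps a token minted for another client or another login attempt from being replayed at this callback.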