%% Project source: E:\Dev\Chiruca
%% Auth: Keycloak OIDC via HACS (hass-oidc-auth), realm chiruca
%% Flow: Authorization Code Flow with Google Identity Brokering
%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
box rgb(30, 58, 95) User side
actor User as Browser
end
box rgb(30, 58, 95) Caddy araucaria .50
participant Caddy as Caddy<br/>ha.arauco.online<br/>TLS + WebSocket
end
box rgb(30, 74, 74) huitral .22 - network_mode: host
participant HA as Home Assistant<br/>:8123
participant OIDC as hass-oidc-auth<br/>(HACS component)
end
box rgb(74, 30, 58) npagnun .35
participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
end
box rgb(42, 58, 74) Google
participant Google as Google OAuth 2.0<br/>accounts.google.com
end
Note over User, Google: AuthN flow - OIDC Authorization Code Flow
User ->>+ Caddy: GET https://ha.arauco.online
Caddy ->>+ HA: HTTP :8123<br/>X-Real-IP, WebSocket support
HA -->>- Caddy: Home Assistant login page
Caddy -->>- User: Login form + SSO button
User ->> User: Click "Login with OpenID Connect"
User ->>+ Caddy: GET /auth/oidc/redirect
Caddy ->>+ OIDC: HTTP :8123
OIDC ->> OIDC: Generate state + nonce<br/>discovery_url: kc.arauco.online<br/>/realms/chiruca/.well-known/<br/>openid-configuration
OIDC -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=homeassistant<br/>&redirect_uri=ha.arauco.online/auth/oidc/callback<br/>&scope=openid+email+profile<br/>&response_type=code
Caddy -->>- User: Redirect to Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
KC -->>- User: Keycloak login page<br/>(form + Google button)
User ->> KC: Click "Login with Google"
KC ->>+ Google: OAuth2 redirect<br/>accounts.google.com/o/oauth2/auth
User ->> Google: Gmail authentication<br/>+ scope consent
Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)
KC ->> KC: Identity Brokering<br/>First Broker Login if new<br/>Create/link chiruca account
KC ->> KC: Attach roles:<br/>Client homeassistant: admin | user<br/>Realm: admin | user | gest-taches<br/>Inherited from groups (/admins, /equipe-terrain, /consultants)
KC -->> User: 302 + authorization code<br/>-> ha.arauco.online/auth/oidc/callback
User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy
Caddy ->>+ OIDC: HTTP :8123
OIDC ->> OIDC: Verify state
OIDC ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: homeassistant,<br/>client_secret: ****}
KC -->>- OIDC: JWT access_token + ID token + refresh_token
OIDC ->> OIDC: Validate ID token (signature, iss, aud, exp)
OIDC ->> OIDC: Extract claims: sub, email, name
alt First OIDC login
OIDC ->> HA: Create HA user<br/>+ person entity
else Existing user
OIDC ->> HA: Look up linked user
end
Note over OIDC, HA: One-time code generated,<br/>valid 5 minutes
OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE
Caddy -->>- User: Welcome page
User ->>+ Caddy: POST /auth/oidc/welcome<br/>{code: UNIQUE_CODE}
Caddy ->>+ HA: HTTP :8123
HA ->> HA: Verify one-time code (< 5 min)
HA ->> HA: Create long-lived HA session
HA -->>- Caddy: 200 + Set-Cookie: ha_session
Caddy -->>- User: HA session active
Note over User, Google: AuthZ - Keycloak roles -> HA permissions
rect rgb(74, 58, 30)
Note over User, KC: Keycloak groups -> HA access mapping
Note over KC: /admins -> ha: admin (full config)
Note over KC: /equipe-terrain -> ha: user (dashboard + devices)
Note over KC: /consultants -> ha: user (read-only)
end
Note over User, HA: WebSocket connection for real-time updates
User ->>+ Caddy: WSS ha.arauco.online/api/websocket
Note right of Caddy: read_timeout 0<br/>(persistent connection)
Caddy ->>+ HA: WS :8123
HA -->>- Caddy: Real-time events
Caddy -->>- User: Live dashboard update
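As an added example (not code from hass-oidc-auth or from this project), here are the callback-side checks the diagram shows at "Verify state" and "Validate ID token (signature, iss, aud, exp)", with the nonce check and the group-to-HA-access mapping from the AuthZ section, in Python. Assumptions: Keycloak signs ID tokens with RS256 and publishes a JWKS, so the HS256 shared secret used here only stands in for that so the example runs offline; the `groups` claim presumes a group-membership mapper on the homeassistant client; the issuer is the standard Keycloak realm URL.

```python
import base64, hashlib, hmac, json, time

# Values from the diagram; the issuer URL format is the standard Keycloak one (assumption).
ISSUER = "https://kc.arauco.online/realms/chiruca"
CLIENT_ID = "homeassistant"
# Keycloak group -> (HA group, read_only), as drawn in the AuthZ section; first match wins.
GROUP_ACCESS = {"/admins": ("admin", False), "/equipe-terrain": ("user", False),
                "/consultants": ("user", True)}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 ID token for the offline demo (Keycloak really signs RS256 via its JWKS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, secret: bytes, expected_nonce: str, now=None) -> dict:
    """The checks the diagram lists after the token exchange (signature, iss, aud, exp) plus nonce."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256": raise ValueError("unexpected alg")  # pin alg
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if claims.get("iss") != ISSUER: raise ValueError("wrong issuer")
    if CLIENT_ID not in aud: raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now: raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce: raise ValueError("nonce mismatch")  # binds token to our redirect
    return claims

def handle_callback(params: dict, session: dict, id_token: str, secret: bytes, now=None) -> dict:
    """Callback step: state must match what /auth/oidc/redirect stored, then map groups to HA access."""
    if not hmac.compare_digest(params.get("state", ""), session["state"]):
        raise ValueError("state mismatch")  # login-CSRF protection
    claims = validate_id_token(id_token, secret, session["nonce"], now)
    groups = claims.get("groups", [])  # assumes a Keycloak group-membership mapper on the client
    access = next((v for g, v in GROUP_ACCESS.items() if g in groups), None)
    return {"sub": claims["sub"], "email": claims.get("email"),
            "name": claims.get("name"), "access": access}
```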