%% Source project: E:\Dev\Chiruca
%% Auth: Vikunja native OIDC against Keycloak, realm chiruca
%% Flow: Authorization Code Flow with Google Identity Brokering + account auto-creation
sequenceDiagram
    autonumber
    actor User as Browser
    participant Caddy as Caddy araucaria .50
    participant VK as Vikunja :3456
    participant VKDB as PostgreSQL 16 vikunja-db
    participant KC as Keycloak npagnun .35
    participant Google as Google OAuth 2.0
    participant HA as Home Assistant :8123

    Note over User, Google: AuthN - OIDC Authorization Code Flow
    User ->>+ Caddy: GET https://vk.arauco.online
    Caddy ->>+ VK: HTTP :3456
    VK -->>- Caddy: Vikunja login page
    Caddy -->>- User: Login form + "Log in with Keycloak" button
    User ->> User: Click "Log in with Keycloak"
    User ->>+ Caddy: GET /auth/openid/keycloak
    Caddy ->>+ VK: HTTP :3456
    VK ->> VK: Generate random state, bound to this browser session (authurl kc.arauco.online/realms/chiruca)
    VK -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=vikunja&scope=openid+profile+email
    Caddy -->>- User: Redirect to Keycloak
    User ->>+ KC: GET /realms/chiruca/.../auth
    KC -->>- User: Keycloak login page (form + Google button)
    User ->> KC: Click "Login with Google"
    KC ->>+ Google: OAuth2 redirect (via the browser) to accounts.google.com
    User ->> Google: Gmail authentication + consent
    Google -->>- KC: Authorization code, exchanged by KC for an ID token (sub, email, name, picture)
    KC ->> KC: Identity Brokering - First Broker Login if the user is new
    KC ->> KC: Create/link chiruca account
    KC ->> KC: Attach roles: vikunja admin|editor|viewer + realm roles
    KC ->> KC: Group inheritance: /admins /equipe-terrain /consultants
    KC -->> User: 302 + code -> vk.arauco.online/auth/openid/keycloak
    User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy
    Caddy ->>+ VK: HTTP :3456
    VK ->> VK: Verify state matches the stored value (abort the login otherwise)
    VK ->>+ KC: POST /realms/chiruca/.../token {grant_type=authorization_code, code, redirect_uri, client_id=vikunja, client_secret}
    KC -->>- VK: JWT access_token + ID token + refresh_token
    VK ->> VK: Validate ID token (signature against the realm's published keys, iss, aud, exp)
    VK ->> VK: Extract claims: sub, email, preferred_username
    alt First OIDC login
        VK ->> VKDB: INSERT user (auto-created from claims)
        VKDB -->> VK: User created
    else Existing user
        VK ->> VKDB: SELECT user WHERE issuer_id = sub
        VKDB -->> VK: Existing user
    end
    VK ->> VK: Issue internal JWT (signed with VIKUNJA_SERVICE_JWTSECRET)
    VK -->>- Caddy: 200 + JWT token (kept by the frontend and sent as Bearer from now on)
    Caddy -->>- User: Vikunja session active

    Note over User, KC: AuthZ - Keycloak roles -> Vikunja permissions
    Note over KC: /admins -> vk: admin (full management)
    Note over KC: /equipe-terrain -> vk: editor (create/edit tasks)
    Note over KC: /consultants -> vk: viewer (read-only)

    Note over User, VK: Authenticated API access
    User ->>+ Caddy: GET /api/v1/projects - Authorization: Bearer JWT
    Caddy ->>+ VK: HTTP :3456
    VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)
    VK ->> VKDB: SELECT projects WHERE user has access
    VKDB -->> VK: Authorized projects
    VK -->>- Caddy: 200 JSON
    Caddy -->>- User: Project list

    Note over User, VK: CalDAV synchronisation
    User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/ - Authorization: Basic (username + CalDAV token; OIDC users have no local password)
    Caddy ->>+ VK: HTTP :3456
    VK ->> VK: CalDAV auth via the Basic credentials
    VK ->> VKDB: User's calendars
    VKDB -->> VK: Lists + tasks
    VK -->>- Caddy: 207 Multi-Status XML
    Caddy -->>- User: CalDAV data (DAVx5 mobile sync)

    Note over User, VK: Home Assistant integration
    HA ->>+ VK: GET /api/v1/projects/ID/tasks - Bearer JWT_SERVICE (long-lived API token)
    VK ->> VKDB: Project tasks
    VKDB -->> VK: Results
    VK -->>- HA: JSON tasks -> todo entities
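Worked example, added here and not code from Vikunja or from the Chiruca project, of the two relying-party steps the diagram compresses into one line each: "Verify state" on the callback and "Validate ID token (signature, iss, aud, exp)" after the token exchange. Go is used because Vikunja is written in Go. The issuer URL https://kc.arauco.online/realms/chiruca and the client id vikunja are taken from the diagram; the RSA key pair that stands in for the realm signing key, the second "rogue" key, the sample claims and all function names are constructed for this demo. It also shows two checks the diagram does not spell out: the alg header is pinned to RS256 before the signature is checked, and aud is required to be the client id exactly (RFC 7519 also allows an array; this example fails closed on one).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assumed from the diagram: the realm issuer URL and the OIDC client id.
const issuer = "https://kc.arauco.online/realms/chiruca"
const clientID = "vikunja"

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// checkState compares the state echoed on the callback with the one stored at redirect time,
// in constant time; a mismatch means a forged or stale callback and must abort the login.
func checkState(stored, received string) bool {
	return stored != "" && subtle.ConstantTimeCompare([]byte(stored), []byte(received)) == 1
}

// issueIDToken plays Keycloak: it emits an RS256-signed JWT (Keycloak's default algorithm).
func issueIDToken(claims map[string]any, key *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64url(hdr) + "." + b64url(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64url(sig), err
}

// verifyIDToken plays Vikunja's "Validate ID token" step: pinned alg, signature, iss, aud, exp.
// A real relying party takes pub from the realm's JWKS endpoint rather than a local variable.
func verifyIDToken(tok string, pub *rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg is not RS256 (never let the token choose alg=none or an HMAC alg)")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(rawBody, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if claims["iss"] != issuer {
		return nil, fmt.Errorf("unexpected issuer %v", claims["iss"])
	}
	// Keycloak puts the client id in aud as a string; an array aud is rejected here (fail closed).
	if aud, _ := claims["aud"].(string); aud != clientID {
		return nil, fmt.Errorf("token not issued for client %s", clientID)
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("exp missing or in the past")
	}
	return claims, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)   // stands in for the realm signing key
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the realm never published
	now := time.Now()
	// Constructed sample claims in the shape the diagram extracts (sub, email, preferred_username).
	claims := map[string]any{"iss": issuer, "aud": clientID, "sub": "user-123", "email": "user@example.com",
		"preferred_username": "user", "exp": now.Add(5 * time.Minute).Unix()}
	good, _ := issueIDToken(claims, key)
	bad, _ := issueIDToken(claims, rogue)
	_, errGood := verifyIDToken(good, &key.PublicKey, now)
	_, errBad := verifyIDToken(bad, &key.PublicKey, now)
	st := make([]byte, 16) // state: 16 random bytes, kept server-side until the callback arrives
	rand.Read(st)
	fmt.Println("genuine accepted:", errGood == nil, "| rogue-signed rejected:", errBad != nil,
		"| state ok:", checkState(b64url(st), b64url(st)), "| forged state:", checkState(b64url(st), "yyy"))
}
```

Run with `go run`. In the deployment the diagram describes, the verifying key would be fetched from the realm's JWKS endpoint (`/realms/chiruca/protocol/openid-connect/certs`) and matched by the token's `kid`, and the state would be looked up from the session that started the login, so that a callback carrying someone else's code cannot be bound to the victim's browser.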