%% Project source: E:\Dev\Chiruca
%% Auth: Vikunja native OIDC against Keycloak, realm chiruca
%% Flow: Authorization Code Flow with Google Identity Brokering + account auto-creation
%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
box rgb(30, 58, 95) User side
actor User as Browser
end
box rgb(30, 58, 95) Caddy araucaria .50
participant Caddy as Caddy<br/>vk.arauco.online<br/>TLS termination
end
box rgb(30, 74, 46) huitral .22 - Docker Compose
participant VK as Vikunja<br/>:3456
participant VKDB as PostgreSQL 16<br/>vikunja-db :5432
end
box rgb(74, 30, 58) npagnun .35
participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
end
box rgb(42, 58, 74) Google
participant Google as Google OAuth 2.0<br/>accounts.google.com
end
Note over User, Google: AuthN flow - OIDC Authorization Code Flow
User ->>+ Caddy: GET https://vk.arauco.online
Caddy ->>+ VK: HTTP :3456
VK -->>- Caddy: Vikunja login page
Caddy -->>- User: Login form + "Sign in with Keycloak" button
User ->> User: Click "Sign in with Keycloak"
User ->>+ Caddy: GET /auth/openid/keycloak
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Generate one-time state (anti-CSRF)<br/>VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_AUTHURL:<br/>kc.arauco.online/realms/chiruca
VK -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=vikunja<br/>&redirect_uri=vk.arauco.online/auth/openid/keycloak<br/>&scope=openid+profile+email<br/>&response_type=code<br/>&state=yyy
Caddy -->>- User: Redirect to Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
KC -->>- User: Keycloak login page<br/>(form + Google button)
User ->>+ KC: Click "Login with Google"
KC -->>- User: 302 to accounts.google.com/o/oauth2/auth<br/>(broker client_id, redirect_uri = KC broker endpoint, state)
User ->>+ Google: Gmail authentication<br/>+ scope consent
Google -->>- User: 302 + authorization code<br/>-> KC broker endpoint (/realms/chiruca/broker/.../endpoint)
User ->>+ KC: GET broker endpoint?code=...&state=...
KC ->>+ Google: POST oauth2.googleapis.com/token<br/>(code + broker client_secret, back-channel)
Google -->>- KC: ID token<br/>(sub, email, name, picture)
KC ->> KC: Identity Brokering<br/>First Broker Login if new<br/>Create/link chiruca account
KC ->> KC: Attach roles:<br/>Client vikunja: admin | editor | viewer<br/>Realm: admin | user | gest-taches<br/>Inherited from group
KC -->>- User: 302 + authorization code + state<br/>-> vk.arauco.online/auth/openid/keycloak
User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Verify state (must match the issued value, single use)
VK ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: vikunja,<br/>client_secret: ****,<br/>redirect_uri: vk.arauco.online/auth/openid/keycloak}
KC -->>- VK: JWT access_token + ID token + refresh_token
VK ->> VK: Validate ID token (signature against the realm JWKS, iss, aud, exp)
VK ->> VK: Extract claims: sub, email, preferred_username
alt First OIDC login
VK ->> VKDB: INSERT user (auto-creation)<br/>email, username from claims<br/>issuer + subject stored for later lookups
VKDB -->> VK: User created
Note over VK: Vikunja account auto-created<br/>on first OIDC login
else Existing user
VK ->> VKDB: SELECT user WHERE issuer = iss AND subject = sub<br/>(never by email alone)
VKDB -->> VK: Existing user
end
VK ->> VK: Generate internal JWT<br/>(VIKUNJA_SERVICE_JWTSECRET)
VK -->>- Caddy: 200 + internal JWT<br/>(sent as Bearer token on later API calls)
Caddy -->>- User: Vikunja session active
Note over User, Google: AuthZ - Keycloak roles carried in JWT claims
rect rgb(74, 58, 30)
Note over User, KC: Keycloak group -> Vikunja permission mapping
Note over KC: /admins -> vk: admin (full management)
Note over KC: /equipe-terrain -> vk: editor (create/edit tasks)
Note over KC: /consultants -> vk: viewer (read-only)
end
Note over User, VK: Authenticated API access
User ->>+ Caddy: GET /api/v1/projects<br/>Authorization: Bearer INTERNAL_JWT
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)
VK ->> VKDB: SELECT projects WHERE user has access
VKDB -->> VK: Authorized projects
VK -->>- Caddy: 200 JSON
Caddy -->>- User: Project list
Note over User, VK: CalDAV / ICS synchronization
User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/<br/>Authorization: Basic USERNAME:CALDAV_TOKEN<br/>(dedicated CalDAV token from Vikunja settings, not the session JWT)
Caddy ->>+ VK: HTTP :3456
VK ->> VK: CalDAV auth: username + CalDAV token
VK ->> VKDB: User's calendars
VKDB -->> VK: Lists + tasks
VK -->>- Caddy: 207 Multi-Status XML
Caddy -->>- User: CalDAV data
Note over User, VK: Home Assistant integration
participant HA as Home Assistant<br/>ha.arauco.online
HA ->>+ VK: GET /api/v1/projects/ID/tasks<br/>Authorization: Bearer HA_API_TOKEN
VK ->> VK: API token auth<br/>(scoped Vikunja API token, not a user JWT)
VK ->> VKDB: Project tasks
VKDB -->> VK: Results
VK -->>- HA: Task JSON -> HA todo entities