%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60}}}%%
flowchart LR
    subgraph user_side ["Cote Utilisateur"]
        direction TB
        user["Navigateur"]
        jwt["Token JWT Keycloak<br/>dans le header"]
        user --> jwt
    end

    subgraph google ["Google (IdP externe)"]
        direction TB
        goog_oauth["Google OAuth 2.0<br/>accounts.google.com"]
        goog_claims["Claims Google<br/>sub, email, name<br/>picture, email_verified"]
    end

    subgraph keycloak ["Keycloak - npagnun .35<br/>Realm: chiruca"]
        direction TB

        subgraph endpoints ["Endpoints"]
            direction LR
            http_ep[":8080 HTTP"]
            https_ep[":8443 HTTPS"]
            health[":9000 Health"]
        end

        subgraph idp_conf ["Identity Provider"]
            google_idp["Google IdP<br/>Identity Brokering<br/>First Broker Login"]
        end

        subgraph clients ["Clients OIDC"]
            direction LR
            c_vikunja["vikunja<br/>redirect: vk.arauco.online<br/>scope: openid email profile"]
            c_ha["homeassistant<br/>redirect: ha.arauco.online<br/>/auth/oidc/callback"]
        end

        subgraph roles_conf ["Roles"]
            direction TB
            realm_roles["Realm roles<br/>admin | user<br/>gestionnaire-taches"]
            cr_vikunja["Client vikunja<br/>admin | editor | viewer"]
            cr_ha["Client homeassistant<br/>admin | user"]
        end

        subgraph groups_conf ["Groupes"]
            direction TB
            g_admins["/admins<br/>realm: admin<br/>vk: admin, ha: admin"]
            g_terrain["/equipe-terrain<br/>realm: user, gest-taches<br/>vk: editor, ha: user"]
            g_consult["/consultants<br/>realm: user<br/>vk: viewer, ha: user"]
        end

        subgraph oidc_flow ["Flux OIDC"]
            direction LR
            step1["1. /authorize<br/>client_id + scope"]
            step2["2. Login Keycloak<br/>-> Login with Google"]
            step3["3. Google auth<br/>+ consent"]
            step4["4. Code -> Tokens<br/>JWT avec roles locaux"]
            step1 --> step2 --> step3 --> step4
        end
    end

    subgraph db ["Base de donnees"]
        pg["PostgreSQL 15<br/>:5432 interne<br/>DB: keycloak"]
    end

    subgraph apps ["Applications Chiruca"]
        direction TB
        vikunja["Vikunja<br/>vk.arauco.online"]
        ha["Home Assistant<br/>ha.arauco.online"]
    end

    user -->|"Login request"| apps
    apps -->|"Redirect OIDC"| endpoints
    step2 -->|"Redirect OAuth2"| goog_oauth
    goog_oauth -->|"Code + ID Token"| google_idp
    step4 -->|"JWT access_token<br/>+ refresh_token"| user
    jwt -->|"Authorization: Bearer"| apps

    keycloak --> pg

    vikunja -->|"Token verify"| keycloak
    ha -->|"Token verify"| keycloak

    groups_conf -.->|"Heritage roles"| roles_conf

    classDef userStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
    classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
    classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
    classDef appStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
    classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
    classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
    classDef groupStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0

    class user,jwt userStyle
    class goog_oauth,goog_claims extStyle
    class http_ep,https_ep,health,google_idp,c_vikunja,c_ha iamStyle
    class realm_roles,cr_vikunja,cr_ha iamStyle
    class step1,step2,step3,step4 flowStyle
    class g_admins,g_terrain,g_consult groupStyle
    class pg storStyle
    class vikunja,ha appStyle