%% Project source: E:\Dev\Chiruca
%% Auth: OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca
%% Flow: Authorization Code Flow with Google Identity Brokering
sequenceDiagram
    autonumber
    actor User as Browser
    participant Caddy as Caddy araucaria .50
    participant HA as Home Assistant :8123
    participant OIDC as hass-oidc-auth (HACS)
    participant KC as Keycloak npagnun .35
    participant Google as Google OAuth 2.0
    Note over User, Google: AuthN flow - OIDC Authorization Code Flow
    User ->>+ Caddy: GET https://ha.arauco.online
    Caddy ->>+ HA: HTTP :8123 (WebSocket support, X-Real-IP)
    HA -->>- Caddy: Home Assistant login page
    Caddy -->>- User: Login form + OpenID Connect SSO button
    User ->> User: Click Login with OpenID Connect
    User ->>+ Caddy: GET /auth/oidc/redirect
    Caddy ->>+ OIDC: HTTP :8123
    OIDC ->> OIDC: Generate state + nonce (discovery_url kc.arauco.online)
    OIDC -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=homeassistant&scope=openid+email+profile
    Caddy -->>- User: Redirect to Keycloak
    User ->>+ KC: GET /realms/chiruca/.../auth
    KC -->>- User: Keycloak login page (form + Google button)
    User ->> KC: Click Login with Google
    KC ->>+ Google: OAuth2 redirect to accounts.google.com
    User ->> Google: Gmail authentication + consent
    Google -->>- KC: Code + ID Token (sub, email, name, picture)
    KC ->> KC: Identity Brokering - First Broker Login if new user
    KC ->> KC: Create/link chiruca account
    KC ->> KC: Attach roles: homeassistant admin|user + realm roles
    KC ->> KC: Group inheritance: /admins /equipe-terrain /consultants
    KC -->> User: 302 + code -> ha.arauco.online/auth/oidc/callback
    User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy
    Caddy ->>+ OIDC: HTTP :8123
    OIDC ->> OIDC: Verify state
    OIDC ->>+ KC: POST /realms/chiruca/.../token {code, client_id=homeassistant, client_secret}
    KC -->>- OIDC: JWT access_token + ID token + refresh_token
    OIDC ->> OIDC: Validate ID token (signature, iss, aud, exp)
    OIDC ->> OIDC: Extract claims: sub, email, name
    alt First OIDC login
        OIDC ->> HA: Create HA user + person entity
    else Existing user
        OIDC ->> HA: Look up linked user
    end
    OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE
    Caddy -->>- User: Welcome page (one-time code valid 5 min)
    User ->>+ Caddy: POST /auth/oidc/welcome {code: UNIQUE_CODE}
    Caddy ->>+ HA: HTTP :8123
    HA ->> HA: Verify one-time code (< 5 min)
    HA ->> HA: Create long-lived HA session
    HA -->>- Caddy: 200 + Set-Cookie ha_session
    Caddy -->>- User: HA session active
    Note over User, KC: AuthZ - Keycloak roles -> HA permissions
    Note over KC: /admins -> ha: admin (full configuration)
    Note over KC: /equipe-terrain -> ha: user (dashboard + devices)
    Note over KC: /consultants -> ha: user (read-only)
    Note over User, HA: Real-time WebSocket connection
    User ->>+ Caddy: WSS ha.arauco.online/api/websocket
    Note right of Caddy: read_timeout 0 (persistent connection)
    Caddy ->>+ HA: WS :8123
    HA -->>- Caddy: Real-time events
    Caddy -->>- User: Live dashboard update
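The relying-party checks the diagram names at the steps "Validate ID token (signature, iss, aud, exp)" and "Verify one-time code (< 5 min)", written here as an added Python example that is not code from the Chiruca project or from hass-oidc-auth. The issuer URL, client_id and 5-minute lifetime come from the diagram; the sample token is constructed, and RS256 signature verification is assumed to have been done by a JOSE library before these claim checks run.

```python
import base64
import hmac
import json
import secrets

ISSUER = "https://kc.arauco.online/realms/chiruca"  # realm from the diagram
CLIENT_ID = "homeassistant"
CODE_TTL = 300  # welcome code valid for 5 minutes

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def build_sample_token(claims: dict) -> str:
    """Constructed test token; real Keycloak tokens carry an RS256 signature."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

def validate_id_token(token: str, expected_nonce: str, now: int) -> list:
    """'Validate ID token': returns the names of the failed checks ([] = accepted)."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_unb64url(payload))
    errors = []
    if claims.get("iss") != ISSUER:
        errors.append("iss")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        errors.append("aud")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        errors.append("exp")
    # the nonce generated at the redirect step must round-trip (same constant-time
    # compare applies to the state parameter on the callback)
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        errors.append("nonce")
    return errors

class WelcomeCodes:
    """'Verify one-time code (< 5 min)': single-use codes behind /auth/oidc/welcome."""
    def __init__(self):
        self._codes = {}
    def issue(self, user_id: str, now: int) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user_id, now + CODE_TTL)
        return code
    def redeem(self, code: str, now: int):
        entry = self._codes.pop(code, None)  # pop: a redeemed code cannot be replayed
        if entry is None or now >= entry[1]:
            return None
        return entry[0]
```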