path: root/micro/flux/ha_auth_seq.mmd
blob: 0e70c083a61c25ae9573b17845094e6c64a51897 (plain)
%% Source project: E:\Dev\Chiruca
%% Auth: OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca
%% Flow: Authorization Code Flow with Google Identity Brokering
%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
    autonumber

    box rgb(30, 58, 95) User side
        actor User as Browser
    end

    box rgb(30, 58, 95) Caddy araucaria .50
        participant Caddy as Caddy<br/>ha.arauco.online<br/>TLS + WebSocket
    end

    box rgb(30, 74, 74) huitral .22 - network_mode: host
        participant HA as Home Assistant<br/>:8123
        participant OIDC as hass-oidc-auth<br/>(HACS component)
    end

    box rgb(74, 30, 58) npagnun .35
        participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
    end

    box rgb(42, 58, 74) Google
        participant Google as Google OAuth 2.0<br/>accounts.google.com
    end

    Note over User, Google: AuthN flow - OIDC Authorization Code Flow

    User ->>+ Caddy: GET https://ha.arauco.online
    Caddy ->>+ HA: HTTP :8123<br/>X-Real-IP, WebSocket support
    HA -->>- Caddy: Home Assistant login page
    Caddy -->>- User: Login form + SSO button

    User ->> User: Click "Login with OpenID Connect"

    User ->>+ Caddy: GET /auth/oidc/redirect
    Caddy ->>+ OIDC: HTTP :8123
    OIDC ->> OIDC: Generate state + nonce<br/>discovery_url: kc.arauco.online<br/>/realms/chiruca/.well-known/<br/>openid-configuration
    OIDC -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=homeassistant<br/>&redirect_uri=ha.arauco.online/auth/oidc/callback<br/>&scope=openid+email+profile<br/>&response_type=code
    Caddy -->>- User: Redirect to Keycloak

    User ->>+ KC: GET /realms/chiruca/.../auth
    KC -->>- User: Keycloak login page<br/>(form + Google button)

    User ->> KC: Click "Login with Google"

    KC ->>+ Google: OAuth2 redirect<br/>accounts.google.com/o/oauth2/auth
    User ->> Google: Gmail authentication<br/>+ scope consent
    Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)

    KC ->> KC: Identity Brokering<br/>First Broker Login if new<br/>Create/link chiruca account
    KC ->> KC: Attach roles:<br/>Client homeassistant: admin | user<br/>Realm: admin | user | gest-taches<br/>Inherited from group (/admins, /equipe-terrain, /consultants)

    KC -->> User: 302 + authorization code<br/>-> ha.arauco.online/auth/oidc/callback

    User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy
    Caddy ->>+ OIDC: HTTP :8123
    OIDC ->> OIDC: Verify state

    OIDC ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: homeassistant,<br/>client_secret: ****}
    KC -->>- OIDC: JWT access_token + ID token + refresh_token

    OIDC ->> OIDC: Validate ID token (signature, iss, aud, exp)
    OIDC ->> OIDC: Extract claims: sub, email, name

    alt First OIDC login
        OIDC ->> HA: Create HA user<br/>+ person entity
    else Existing user
        OIDC ->> HA: Look up linked user
    end

    Note over OIDC, HA: Unique code generated<br/>valid 5 minutes

    OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE
    Caddy -->>- User: Welcome page

    User ->>+ Caddy: POST /auth/oidc/welcome<br/>{code: UNIQUE_CODE}
    Caddy ->>+ HA: HTTP :8123
    HA ->> HA: Verify unique code (< 5 min)
    HA ->> HA: Create long-lived HA session
    HA -->>- Caddy: 200 + Set-Cookie: ha_session
    Caddy -->>- User: HA session active

    Note over User, Google: AuthZ - Keycloak roles -> HA permissions

    rect rgb(74, 58, 30)
        Note over User, KC: Keycloak groups -> HA access mapping
        Note over KC: /admins -> ha: admin (full config)
        Note over KC: /equipe-terrain -> ha: user (dashboard + devices)
        Note over KC: /consultants -> ha: user (read only)
    end

    Note over User, HA: WebSocket connection for real time

    User ->>+ Caddy: WSS ha.arauco.online/api/websocket
    Note right of Caddy: read_timeout 0<br/>(persistent connection)
    Caddy ->>+ HA: WS :8123
    HA -->>- Caddy: Real-time events
    Caddy -->>- User: Live dashboard update
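The diagram names three checks on the Home Assistant side that decide whether the flow is safe: the state returned on /auth/oidc/callback must match one issued at the redirect step, the ID token from the token endpoint must pass signature, iss, aud and exp checks (and the nonce must match the one sent), and the unique code handed to /auth/oidc/welcome must be single-use and expire after 5 minutes. The following is an added example in plain Python that models those checks; it is not code from hass-oidc-auth or from the Chiruca project. It assumes an https issuer URL built from the realm shown in the diagram, uses a constructed HS256 key as a stand-in for Keycloak's RS256 signing keys, and keeps the one-time codes in an in-memory dict.

```python
# Added example (not code from hass-oidc-auth or the Chiruca project): the
# server-side checks the diagram shows on the HA side, modelled in plain Python.
# Assumptions: issuer URL built from the realm in the diagram (https scheme
# assumed), HS256 with a constructed key stands in for Keycloak's RS256 keys,
# and the one-time code store is an in-memory dict.
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://kc.arauco.online/realms/chiruca"  # realm from the diagram
CLIENT_ID = "homeassistant"                           # client_id from the diagram
CODE_TTL_SECONDS = 300                                # "unique code ... valid 5 minutes"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed ID token for the example; Keycloak itself signs with RS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_state(pending: dict, state: str) -> str:
    """Step 'Verify state': the state must be one issued at the redirect step.
    `pending` maps state -> nonce; popping makes each state single-use."""
    nonce = pending.pop(state, None)
    if nonce is None:
        raise ValueError("unknown or replayed state")
    return nonce


def validate_id_token(token: str, key: bytes, expected_nonce: str, now: float) -> dict:
    """Step 'Validate ID token (signature, iss, aud, exp)', plus the nonce binding."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm the relying party expects
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("bad iss")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


class OneTimeCodeStore:
    """The unique code passed from /auth/oidc/callback to /auth/oidc/welcome:
    single use and valid for CODE_TTL_SECONDS."""

    def __init__(self, ttl: int = CODE_TTL_SECONDS):
        self._ttl = ttl
        self._codes: dict[str, tuple[str, float]] = {}

    def issue(self, user_id: str, now: float) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user_id, now)
        return code

    def redeem(self, code: str, now: float):
        entry = self._codes.pop(code, None)  # pop: a second redeem of the same code fails
        if entry is None:
            return None
        user_id, issued_at = entry
        if now - issued_at > self._ttl:
            return None  # step 'Verify unique code (< 5 min)'
        return user_id


if __name__ == "__main__":
    key = b"constructed-example-key"
    now = time.time()
    pending = {"yyy": "nonce-1"}
    nonce = check_state(pending, "yyy")
    token = make_hs256_token(
        {"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 60, "nonce": nonce, "sub": "u1"}, key
    )
    print(validate_id_token(token, key, nonce, now)["sub"])
    store = OneTimeCodeStore()
    code = store.issue("u1", now)
    print(store.redeem(code, now + 10), store.redeem(code, now + 10))
```

The two points worth carrying over to a real deployment are that `check_state` and `redeem` both remove the value they accept, so a replayed callback or a reused welcome code fails instead of minting a second session, and that the algorithm is pinned before the signature is checked rather than read from the token header.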