%% Source project: E:\Dev\Chiruca
%% Auth: Vikunja native OIDC with Keycloak, realm chiruca
%% Flow: Authorization Code Flow with Google Identity Brokering + automatic account creation
sequenceDiagram
autonumber
actor User as Browser
participant Caddy as Caddy araucaria .50
participant VK as Vikunja :3456
participant VKDB as PostgreSQL 16 vikunja-db
participant KC as Keycloak npagnun .35
participant Google as Google OAuth 2.0
Note over User, Google: AuthN flow - OIDC Authorization Code Flow
User ->>+ Caddy: GET https://vk.arauco.online
Caddy ->>+ VK: HTTP :3456
VK -->>- Caddy: Vikunja login page
Caddy -->>- User: Login form + Log in with Keycloak button
User ->> User: Click Log in with Keycloak
User ->>+ Caddy: GET /auth/openid/keycloak
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Generate state (authurl kc.arauco.online/realms/chiruca)
VK -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=vikunja&scope=openid+profile+email
Caddy -->>- User: Redirect to Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
KC -->>- User: Keycloak login page (form + Google button)
User ->> KC: Click Login with Google
KC ->>+ Google: OAuth2 redirect to accounts.google.com
User ->> Google: Gmail authentication + consent
Google -->>- KC: Code + ID Token (sub, email, name, picture)
KC ->> KC: Identity Brokering - First Broker Login if new user
KC ->> KC: Create/link chiruca account
KC ->> KC: Attach roles: vikunja admin|editor|viewer + realm roles
KC ->> KC: Group inheritance: /admins /equipe-terrain /consultants
KC -->> User: 302 + code -> vk.arauco.online/auth/openid/keycloak
User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Verify state
VK ->>+ KC: POST /realms/chiruca/.../token {code, client_id=vikunja, client_secret}
KC -->>- VK: JWT access_token + ID token + refresh_token
VK ->> VK: Validate ID token (signature, iss, aud, exp)
VK ->> VK: Extract claims: sub, email, preferred_username
alt First OIDC login
VK ->> VKDB: INSERT user (auto-created from claims)
VKDB -->> VK: User created
else Existing user
VK ->> VKDB: SELECT user WHERE issuer_id = sub
VKDB -->> VK: Existing user
end
VK ->> VK: Generate internal JWT (VIKUNJA_SERVICE_JWTSECRET)
VK -->>- Caddy: 200 + Set-Cookie / JWT token
Caddy -->>- User: Active Vikunja session
Note over User, KC: AuthZ - Keycloak roles -> Vikunja permissions
Note over KC: /admins -> vk: admin (full management)
Note over KC: /equipe-terrain -> vk: editor (create/edit tasks)
Note over KC: /consultants -> vk: viewer (read only)
Note over User, VK: Authenticated API access
User ->>+ Caddy: GET /api/v1/projects - Authorization: Bearer JWT
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)
VK ->> VKDB: SELECT projects WHERE user has access
VKDB -->> VK: Authorized projects
VK -->>- Caddy: 200 JSON
Caddy -->>- User: Project list
Note over User, VK: CalDAV synchronization
User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/ - Authorization: Bearer JWT
Caddy ->>+ VK: HTTP :3456
VK ->> VK: CalDAV auth via JWT
VK ->> VKDB: User's calendars
VKDB -->> VK: Lists + tasks
VK -->>- Caddy: 207 Multi-Status XML
Caddy -->>- User: CalDAV data (DAVx5 mobile sync)
Note over User, VK: Home Assistant integration
participant HA as Home Assistant :8123
HA ->>+ VK: GET /api/v1/projects/ID/tasks - Bearer JWT_SERVICE
VK ->> VKDB: Project tasks
VKDB -->> VK: Results
VK -->>- HA: Task JSON -> HA todo entities
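The relying-party side of the callback drawn above (the "Verify state" step, the "Validate ID token (signature, iss, aud, exp)" step, and the group-to-role mapping in the AuthZ notes), as an added Go example that is neither Vikunja's nor Keycloak's code. It assumes the realm signs ID tokens with RS256, that aud is the single client_id string Keycloak emits for one client, and that group membership arrives in a groups claim via a Keycloak group-membership mapper (the diagram shows the group names but not the claim name). SignIDToken is a constructed stand-in for the token endpoint so the block runs offline with a locally generated key; the Google brokering leg, the email and preferred_username claims and the database writes are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// IDTokenClaims are the claims the relying party reads. "aud" is taken as a single string,
// which is what Keycloak emits for one client (OIDC also permits an array); "groups" is an
// assumption: Keycloak emits it only when a group-membership mapper is configured.
type IDTokenClaims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`
	Expiry   int64    `json:"exp"`
	Groups   []string `json:"groups"`
}

// VerifyState compares the state kept in the session with the one echoed on the callback in
// constant time; on mismatch this session did not start the login and the code is discarded.
func VerifyState(stored, received string) bool {
	return stored != "" && subtle.ConstantTimeCompare([]byte(stored), []byte(received)) == 1
}

// SignIDToken is a constructed stand-in for Keycloak's token endpoint (RS256 only).
func SignIDToken(priv *rsa.PrivateKey, c IDTokenClaims) (string, error) {
	payload, _ := json.Marshal(c) // a struct of plain fields cannot fail to marshal
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// ValidateIDToken performs the checks the diagram lists for the ID token: signature, iss, aud, exp.
func ValidateIDToken(token string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm the realm is known to use; never let the token choose it.
	var header struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &header) != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or unexpected alg %q", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c IDTokenClaims // claims are parsed only once the signature is known to be good
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Issuer != issuer:
		return nil, fmt.Errorf("issuer mismatch: %q", c.Issuer)
	case c.Audience != clientID:
		return nil, fmt.Errorf("audience mismatch: %q", c.Audience)
	case !now.Before(time.Unix(c.Expiry, 0)):
		return nil, errors.New("token expired")
	case c.Subject == "":
		return nil, errors.New("missing sub") // sub is the issuer_id the user lookup keys on
	}
	return &c, nil
}

// Group-to-role mapping as drawn in the diagram; the most privileged group wins and "" means no access.
var groupRoles = map[string]string{"/admins": "admin", "/equipe-terrain": "editor", "/consultants": "viewer"}
var roleRank = map[string]int{"viewer": 1, "editor": 2, "admin": 3}

func RoleFromGroups(groups []string) string {
	best := ""
	for _, g := range groups {
		if r, ok := groupRoles[g]; ok && roleRank[r] > roleRank[best] {
			best = r
		}
	}
	return best
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key; a real RP fetches the realm's JWKS
	tok, _ := SignIDToken(priv, IDTokenClaims{Issuer: "https://kc.arauco.online/realms/chiruca", Subject: "f1e2", Audience: "vikunja", Expiry: time.Now().Add(5 * time.Minute).Unix(), Groups: []string{"/equipe-terrain"}})
	c, err := ValidateIDToken(tok, &priv.PublicKey, "https://kc.arauco.online/realms/chiruca", "vikunja", time.Now())
	fmt.Println(err, c != nil && RoleFromGroups(c.Groups) == "editor")
}
```

Two design points carry most of the security weight: the algorithm is pinned by the relying party rather than read from the token, and the payload is only decoded after the signature has verified, so a forged or re-signed groups claim never reaches the role mapping. In a deployment the public key comes from the realm's JWKS endpoint rather than the locally generated pair used here.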