%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60}}}%%
flowchart LR
%% Authentication architecture for the Keycloak realm "chiruca": a browser logs in to
%% Vikunja or Home Assistant through Keycloak, which brokers Google as an external
%% identity provider and keeps its own data in PostgreSQL.
%% Node and edge labels are rendered text and are deliberately left in French.

%% User side: the browser and the Keycloak-issued JWT it sends in a request header.
subgraph user_side ["Cote Utilisateur"]
direction TB
user["Navigateur"]
jwt["Token JWT Keycloak<br/>dans le header"]
user --> jwt
end
%% External identity provider: Google OAuth 2.0 and the claims listed for it.
%% NOTE(review): goog_claims has no edge in this diagram; presumably these claims feed
%% the broker login - confirm, and confirm email_verified is checked before a Google
%% identity is linked to an existing local account.
subgraph google ["Google (IdP externe)"]
direction TB
goog_oauth["Google OAuth 2.0<br/>accounts.google.com"]
goog_claims["Claims Google<br/>sub, email, name<br/>picture, email_verified"]
end
%% Keycloak server hosting the realm: endpoints, brokered IdP, clients, roles, groups, flow.
subgraph keycloak ["Keycloak - npagnun .35<br/>Realm: chiruca"]
direction TB
%% Listening ports as drawn: 8080 HTTP, 8443 HTTPS, 9000 health.
%% NOTE(review): confirm 8080 is reachable only behind a TLS-terminating proxy (or is
%% disabled) so authorization codes and tokens never cross the network in clear text,
%% and that the 9000 health port is not reachable from outside the host or network.
subgraph endpoints ["Endpoints"]
direction LR
http_ep[":8080 HTTP"]
https_ep[":8443 HTTPS"]
health[":9000 Health"]
end
%% Google configured as a brokered identity provider, with the First Broker Login flow.
subgraph idp_conf ["Identity Provider"]
google_idp["Google IdP<br/>Identity Brokering<br/>First Broker Login"]
end
%% Two OIDC clients, one per application.
%% NOTE(review): the labels give only a host (vikunja) or a host plus callback path
%% (homeassistant); verify the registered redirect URIs are exact https URLs without
%% wildcards.
subgraph clients ["Clients OIDC"]
direction LR
c_vikunja["vikunja<br/>redirect: vk.arauco.online<br/>scope: openid email profile"]
c_ha["homeassistant<br/>redirect: ha.arauco.online<br/>/auth/oidc/callback"]
end
%% Realm-level roles and the roles defined on each client.
subgraph roles_conf ["Roles"]
direction TB
realm_roles["Realm roles<br/>admin | user<br/>gestionnaire-taches"]
cr_vikunja["Client vikunja<br/>admin | editor | viewer"]
cr_ha["Client homeassistant<br/>admin | user"]
end
%% Groups and the roles each one carries; "vk" and "ha" presumably abbreviate the
%% vikunja and homeassistant clients.
%% NOTE(review): the diagram does not show which group, if any, a user created through
%% First Broker Login is placed in; confirm new brokered accounts receive no group or
%% only the least-privileged one until an administrator assigns them.
subgraph groups_conf ["Groupes"]
direction TB
g_admins["/admins<br/>realm: admin<br/>vk: admin, ha: admin"]
g_terrain["/equipe-terrain<br/>realm: user, gest-taches<br/>vk: editor, ha: user"]
g_consult["/consultants<br/>realm: user<br/>vk: viewer, ha: user"]
end
%% Login sequence as drawn, in four steps; the step4 label says the issued JWT carries
%% the local (Keycloak) roles.
subgraph oidc_flow ["Flux OIDC"]
direction LR
step1["1. /authorize<br/>client_id + scope"]
step2["2. Login Keycloak<br/>-> Login with Google"]
step3["3. Google auth<br/>+ consent"]
step4["4. Code -> Tokens<br/>JWT avec roles locaux"]
step1 --> step2 --> step3 --> step4
end
end
%% Keycloak's database; the label marks port 5432 as internal.
subgraph db ["Base de donnees"]
pg["PostgreSQL 15<br/>:5432 interne<br/>DB: keycloak"]
end
%% Relying applications that delegate login to Keycloak.
subgraph apps ["Applications Chiruca"]
direction TB
vikunja["Vikunja<br/>vk.arauco.online"]
ha["Home Assistant<br/>ha.arauco.online"]
end
%% Edges between the groups defined above.
user -->|"Login request"| apps
apps -->|"Redirect OIDC"| endpoints
step2 -->|"Redirect OAuth2"| goog_oauth
goog_oauth -->|"Code + ID Token"| google_idp
%% NOTE(review): this edge hands the access and refresh tokens to the browser. Confirm
%% whether tokens really reach the browser or each application backend exchanges the
%% code and keeps them server-side; a refresh token held in the browser is exposed to
%% script injection in the page.
step4 -->|"JWT access_token<br/>+ refresh_token"| user
jwt -->|"Authorization: Bearer"| apps
keycloak --> pg
%% NOTE(review): "Token verify" does not say how. Confirm the applications validate
%% signature, issuer, audience and expiry instead of trusting the bearer token as sent.
vikunja -->|"Token verify"| keycloak
ha -->|"Token verify"| keycloak
%% Dotted edge: roles are inherited from group membership.
groups_conf -.->|"Heritage roles"| roles_conf
%% Colour classes, one per kind of node.
classDef userStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
classDef appStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
classDef groupStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
%% Assignment of nodes to the colour classes.
class user,jwt userStyle
class goog_oauth,goog_claims extStyle
class http_ep,https_ep,health,google_idp,c_vikunja,c_ha iamStyle
class realm_roles,cr_vikunja,cr_ha iamStyle
class step1,step2,step3,step4 flowStyle
class g_admins,g_terrain,g_consult groupStyle
class pg storStyle
class vikunja,ha appStyle