path: root/micro/iam/keycloak_iam.mmd
blob: ff7f0c7e3aa085e7c89c683d5984b2f8e035c436 (plain)
%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 60, 'rankSpacing': 60, 'padding': 20}}}%%
flowchart LR
%% Keycloak IAM topology for the "micro" stack: browser login through the OIDC
%% authorization-code flow, a JWT bearer token presented to the applications,
%% PostgreSQL as the Keycloak store, and an Organisation > Spaces > Contexts >
%% Widgets data model gated by Keycloak roles.
%% The %% lines are review annotations only; node labels are left as drawn.

    %% Client side: the browser ends up holding the JWT and sends it in a
    %% request header (see the "Authorization: Bearer ..." edge further down).
    subgraph client ["Cote Client"]
        direction TB
        user_b["Navigateur<br/>Utilisateur"]
        bearer["Token JWT<br/>dans le header"]
        user_b --> bearer
    end

    %% Keycloak host: hostname and private IP as labelled.
    subgraph keycloak ["Keycloak - npagnun 192.168.99.35"]
        direction TB

        %% Listeners. The browser "Login request" edge below targets this whole
        %% group, so the diagram does not say whether the client reaches :8080
        %% (plain HTTP) or :8443 (TLS).
        %% NOTE(review): confirm :8080 is reachable only from internal / proxy
        %% networks and that :9000 (health) is not exposed to the client network.
        subgraph endpoints ["Endpoints"]
            direction LR
            http[":8080 HTTP"]
            https[":8443 HTTPS"]
            health[":9000 Health"]
        end

        %% Realm-level configuration: realms, the registered OIDC clients
        %% (portal, event-hub), users/groups and the roles used for RBAC.
        subgraph config ["Configuration"]
            direction LR
            realms["Realms<br/>master + custom"]
            clients_kc["Clients OIDC<br/>portal, event-hub"]
            users["Users<br/>& Groups"]
            roles["Roles RBAC<br/>& Permissions"]
        end

        %% OIDC authorization-code flow as drawn: authorize endpoint, login +
        %% consent, redirect with code, code-for-tokens exchange.
        %% NOTE(review): the "/auth/" prefix in step 1 is the legacy relative
        %% path; Quarkus-based Keycloak serves /realms/... at the root unless
        %% --http-relative-path is set. Confirm the label matches the running
        %% server (a :9000 health listener suggests a recent release).
        subgraph auth_flow ["Flux OIDC"]
            direction LR
            step1["1. /auth/realms/.../protocol/openid-connect/auth"]
            step2["2. Login form + consent"]
            step3["3. Callback avec code"]
            step4["4. Exchange code -> tokens"]
            step1 --> step2 --> step3 --> step4
        end
    end

    %% Keycloak's own store. Drawn as internal to Docker (not a published
    %% port); only the database name and user are shown, no secret.
    subgraph db ["Base de donnees"]
        postgres["PostgreSQL 15<br/>:5432 Docker interne<br/>DB: keycloak<br/>User: keycloak"]
    end

    %% Resource servers that accept the bearer token.
    subgraph applications ["Applications"]
        direction TB
        portal["Portal Korradi<br/>Next.js"]
        eventhub["Event Hub<br/>Fastify"]
        widget["Widget SDK"]
    end

    %% Tenant hierarchy that the roles edge (below) protects.
    subgraph model ["Modele de donnees"]
        direction LR
        org["Organisation"] --> sp["Spaces"] --> ctx["Contexts"] --> wdg["Widgets"]
    end

    %% Login goes to the endpoints group; the token response returns both an
    %% access_token and a refresh_token to the browser.
    %% NOTE(review): where the browser stores the refresh token and its
    %% lifetime are not shown here -- TODO confirm.
    user_b -->|"Login request"| endpoints
    step4 -->|"access_token<br/>+ refresh_token"| user_b
    bearer -->|"Authorization: Bearer ..."| applications

    keycloak --> postgres

    %% Each application is drawn verifying tokens against Keycloak. Whether
    %% this is local signature verification with cached JWKS or per-request
    %% introspection is not shown -- TODO confirm, since it affects what
    %% happens if Keycloak is unreachable.
    portal -->|"Token verify"| keycloak
    eventhub -->|"Token verify"| keycloak
    widget -->|"Token verify"| keycloak

    %% Dotted edge: authorization decisions on the data model derive from
    %% Keycloak roles (RBAC) and, as labelled, attribute-based rules (ABAC).
    roles -.->|"RBAC / ABAC"| model

    %% Dark-theme palette, one class per layer.
    classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
    classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
    classDef appStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
    classDef userStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
    classDef modelStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
    classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0

    class user_b,bearer userStyle
    class http,https,health,realms,clients_kc,users,roles iamStyle
    class step1,step2,step3,step4 flowStyle
    class postgres storStyle
    class portal,eventhub,widget appStyle
    class org,sp,ctx,wdg modelStyle