Identity & Access – Diagrams (Mermaid)

These diagrams visualise the SSO + RBAC model for institutional reviewers.


1. OIDC Login Flow (University SSO → CepatEdge)

```mermaid
sequenceDiagram
    autonumber
    actor U as User (Staff/HOD/Tech/Admin)
    participant SPA as CepatEdge SPA (Browser)
    participant IdP as University IdP (OIDC)
    participant API as CepatEdge API (Workers)
    participant DB as Neon (Users & Roles)

    U->>SPA: Click "Login with University SSO"
    SPA->>IdP: Redirect to /authorize (client_id, redirect_uri, scopes)
    U->>IdP: Authenticate (password, MFA, etc.)
    IdP-->>SPA: Redirect back with authorization code
    SPA->>API: POST /auth/oidc/callback (code)
    API->>IdP: Exchange code for ID token + access token
    IdP-->>API: ID token (userId, email, groups...) + access token
    API->>API: Verify token (signature, issuer, audience, exp)
    API->>API: Map IdP groups → CepatEdge role (employee/technician/department_head/admin)
    API->>DB: Upsert user + role mapping
    API->>API: Issue short-lived access token + refresh token
    API-->>SPA: Set HttpOnly cookies / return tokens
    SPA-->>U: Redirect to dashboard with authenticated session
```

2. IdP Groups → CepatEdge Roles

```mermaid
flowchart LR
    classDef idp fill:#1f77b4,stroke:#0b3a69,color:#ffffff
    classDef app fill:#2ca02c,stroke:#145214,color:#ffffff

    subgraph IdP_Groups[University IdP Groups]
      G1[MAINT-STAFF]:::idp
      G2[MAINT-TECHNICIAN]:::idp
      G3[MAINT-HOD]:::idp
      G4[MAINT-ADMIN]:::idp
    end

    subgraph AppRoles[CepatEdge Roles]
      R1[employee]:::app
      R2[technician]:::app
      R3[department_head]:::app
      R4[admin]:::app
    end

    G1 --> R1
    G2 --> R2
    G3 --> R3
    G4 --> R4

    %% "note over" is sequenceDiagram syntax; in a flowchart the rule is shown as a node.
    Priority["Priority (if multiple groups):<br/>admin > department_head > technician > employee"]
    AppRoles -.-> Priority
```
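The group-to-role resolution from diagram 2 and the issuer/audience/expiry checks from step 8 of diagram 1, as an added example that is not CepatEdge's own code. It assumes the IdP puts group names in a `groups` claim, that the JWT signature has already been verified by a JOSE library, and uses placeholder issuer and client-id values.

```typescript
type Role = "employee" | "technician" | "department_head" | "admin";

// Group -> role mapping taken from diagram 2. Unknown groups map to nothing.
const GROUP_TO_ROLE: Record<string, Role> = {
  "MAINT-STAFF": "employee",
  "MAINT-TECHNICIAN": "technician",
  "MAINT-HOD": "department_head",
  "MAINT-ADMIN": "admin",
};

// Higher index = higher priority: admin > department_head > technician > employee.
const PRIORITY: Role[] = ["employee", "technician", "department_head", "admin"];

// Returns the single highest-priority role, or null when no known group is
// present. Unknown groups are ignored, never granted, so "deny by default".
function resolveRole(groups: readonly string[]): Role | null {
  let best: Role | null = null;
  for (const g of groups) {
    const role: Role | undefined = GROUP_TO_ROLE[g];
    if (role === undefined) continue;
    if (best === null || PRIORITY.indexOf(role) > PRIORITY.indexOf(best)) best = role;
  }
  return best;
}

// Claims we care about after the signature check (claim names per OIDC core).
interface IdTokenClaims { iss: string; aud: string | string[]; exp: number; groups?: string[] }

// Issuer, audience and expiry checks from diagram 1, step 8. `aud` may be a
// string or an array; `exp` is seconds since the epoch, compared to `nowSec`.
function claimsAcceptable(c: IdTokenClaims, expectedIss: string, clientId: string, nowSec: number): boolean {
  const audOk = Array.isArray(c.aud) ? c.aud.includes(clientId) : c.aud === clientId;
  return c.iss === expectedIss && audOk && c.exp > nowSec;
}

// Full decision: reject on bad claims, otherwise map groups to one role (or null).
function authorize(c: IdTokenClaims, expectedIss: string, clientId: string, nowSec: number): Role | null {
  if (!claimsAcceptable(c, expectedIss, clientId, nowSec)) return null;
  return resolveRole(c.groups ?? []);
}

// Constructed sample (hypothetical issuer and client id, not real values).
const SAMPLE: IdTokenClaims = {
  iss: "https://idp.example-university.edu",
  aud: "cepatedge-spa",
  exp: 1_800_000_000,
  groups: ["MAINT-STAFF", "MAINT-HOD"],
};
console.log(authorize(SAMPLE, "https://idp.example-university.edu", "cepatedge-spa", 1_700_000_000)); // department_head
```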

3. Logout + Revocation Overview

```mermaid
sequenceDiagram
    autonumber
    actor U as User
    participant SPA as CepatEdge SPA
    participant API as CepatEdge API
    participant DB as Neon (Sessions/Revocation)
    participant IdP as University IdP

    U->>SPA: Click "Logout"
    SPA->>API: POST /auth/logout (current refresh token)
    API->>DB: Mark refresh token/session as revoked
    API-->>SPA: Clear cookies / success
    SPA-->>U: Show logged-out state

    rect rgb(255,245,230)
    note over API,DB: On next request, access token expiry +<br/>revocation checks ensure the user is fully logged out.
    end

    opt Single Logout
      API->>IdP: Front-/back-channel logout request
      IdP-->>U: Ends IdP session (user logged out from SSO)
    end
```