diff --git a/docs/vi/architecture/iam-proposal.md b/docs/vi/architecture/iam-proposal.md index 5d8a6d0d..b1154201 100644 --- a/docs/vi/architecture/iam-proposal.md +++ b/docs/vi/architecture/iam-proposal.md @@ -5,14 +5,17 @@ Tài liệu này mô tả đề xuất kiến trúc cho IAM Service (Identity an ## Tổng Quan: Auth Service → IAM Service **IAM Service** cung cấp: -- **OAuth2/OpenID Connect** với OpenIddict +- **OAuth2/OpenID Connect** với Duende IdentityServer - **ASP.NET Core Identity** cho user management - **Role-Based Access Control (RBAC)** -- **JWT Tokens** (Access 15min, Refresh 7 days) -- **MFA Support** (TOTP) +- **JWT Tokens** (Access 15min, Refresh 7 days, RS256 signing) +- **2FA/MFA Support** (TOTP với QR Code và Recovery Codes) +- **Email Verification** (Xác thực email qua SMTP) +- **Social Login** (Google, Facebook OAuth) +- **Distributed Caching** (Redis với ICacheService) > [!NOTE] -> IAM Service đã được triển khai với .NET 10, Clean Architecture tại `services/iam-service-net/` +> IAM Service đã được triển khai với .NET 10, Clean Architecture, Duende IdentityServer tại `services/iam-service-net/` --- 
@@ -211,7 +214,30 @@ graph TD | `POST` | `/api/v1/auth/change-password` | Đổi mật khẩu | ✅ | | `POST` | `/api/v1/auth/logout` | Đăng xuất (revoke tokens) | ✅ | -### 4.2 User Management APIs +### 4.2 Email Verification APIs + +| Method | Endpoint | Mô tả | Auth | +|--------|----------|-------|------| +| `POST` | `/api/v1/auth/send-verification-email` | Gửi email xác thực | ✅ | +| `POST` | `/api/v1/auth/confirm-email` | Xác nhận email với token | ❌ | + +### 4.3 Xác Thực Hai Yếu Tố (2FA) APIs + +| Method | Endpoint | Mô tả | Auth | +|--------|----------|-------|------| +| `POST` | `/api/v1/auth/2fa/enable` | Bật 2FA (lấy QR code + recovery codes) | ✅ | +| `POST` | `/api/v1/auth/2fa/verify` | Xác minh mã TOTP & kích hoạt | ✅ | +| `POST` | `/api/v1/auth/2fa/disable` | Tắt 2FA | ✅ | + +### 4.4 Social Login APIs + +| Method | Endpoint | Mô tả | Auth | +|--------|----------|-------|------| +| `GET` | `/api/v1/auth/external-login/{provider}` | Bắt đầu OAuth flow (Google/Facebook) | ❌ | +| `GET` | `/api/v1/auth/external-callback` | Xử lý OAuth callback | ❌ | +| `GET` | `/api/v1/auth/linked-accounts` | Lấy danh sách providers đã liên kết | ✅ | + +### 4.5 User Management APIs | Method | Endpoint | Mô tả | Auth | |--------|----------|-------|------| @@ -221,7 +247,7 @@ graph TD | `PUT` | `/api/v1/users/{id}` | Cập nhật user | ✅ | | `DELETE` | `/api/v1/users/{id}` | Xóa user (soft delete) | ✅ | -### 4.3 Role Management APIs +### 4.6 Role Management APIs | Method | Endpoint | Mô tả | Auth | |--------|----------|-------|------| @@ -230,7 +256,10 @@ graph TD | `PUT` | `/api/v1/roles/{id}` | Cập nhật role | ✅ Admin | | `DELETE` | `/api/v1/roles/{id}` | Xóa role | ✅ Admin | -### 4.2 Access Management APIs +### 4.7 Access Management APIs (Planned) + +> [!NOTE] +> Các APIs dưới đây là tính năng **đang được lên kế hoạch**, chưa triển khai. ``` # Access Requests 
@@ -252,7 +281,10 @@ GET /api/v1/access/analytics/permissions GET /api/v1/access/analytics/risks ``` -### 4.3 Governance APIs +### 4.8 Governance APIs (Planned) + +> [!NOTE] +> Các APIs dưới đây là tính năng **đang được lên kế hoạch**, chưa triển khai. ``` # Compliance Reports 
@@ -281,31 +313,40 @@ GET /api/v1/governance/reports/security-events ## 5. Implementation Roadmap -### Phase 1: Foundation (Weeks 1-4) -- ✅ Migrate từ auth-service sang iam-service -- 🔄 Tổ chức lại modules theo IAM structure -- 🔄 Mở rộng database schema với identity models -- 🔄 Implement User Profile module +### Phase 1: Foundation ✅ (Completed) +- ✅ Migrate từ auth-service sang iam-service (.NET 10 + Duende IdentityServer) +- ✅ CQRS với MediatR Pattern +- ✅ User Registration, Login, Logout +- ✅ Password Management (change-password) +- ✅ User Management APIs (CRUD) +- ✅ Role Management APIs -### Phase 2: Identity Management (Weeks 5-8) +### Phase 1.5: Enhanced Security ✅ (Completed) +- ✅ Email Verification (send + confirm) +- ✅ 2FA/MFA với TOTP (QR Code, Recovery Codes) +- ✅ Social Login (Google, Facebook OAuth) +- ✅ Distributed Caching với Redis (ICacheService) +- ✅ Token Blacklisting cho logout + +### Phase 2: Identity Management (Planned) - 🔄 User lifecycle management -- 🔄 Identity verification (email, phone, document) +- 🔄 Identity verification (phone, document - KYC) - 🔄 Organization & Group management - 🔄 Profile management with extended attributes -### Phase 3: Access Management (Weeks 9-12) +### Phase 3: Access Management (Planned) - 🔄 Access request/approval workflows - 🔄 Access review & certification system - 🔄 Access analytics - 🔄 Privileged Access Management (PAM) -### Phase 4: Governance (Weeks 13-16) +### Phase 4: Governance (Planned) - 🔄 Compliance reporting engine - 🔄 Policy governance & versioning - 🔄 Risk scoring & management - 🔄 Reporting dashboards -### Phase 5: Advanced Features (Weeks 17-20) +### Phase 5: Advanced Features (Planned) - 🔄 Workflow engine - 🔄 Advanced analytics & ML-based insights - 🔄 Integration APIs (SCIM, LDAP sync)
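Review bot: in the first hunk (`@@ -5,14 +5,17 @@`), the new bullet `+- **JWT Tokens** (Access 15min, Refresh 7 days, RS256 signing)` names the signing algorithm but the overview still says nothing about where the RS256 private key is loaded from, how it is rotated, or how the public key is published to resource services; since the same hunk swaps OpenIddict for Duende IdentityServer, add one sentence on the signing-credential source (a key store or secret manager, not a PEM in the repo) and the rotation policy, and record that Duende IdentityServer is commercially licensed above a revenue threshold, which belongs in an architecture decision. The bullet `+- **Social Login** (Google, Facebook OAuth)` should also state whether an external identity is auto-linked to an existing local account by e-mail address or requires an explicit link from a signed-in session, because that choice decides whether an unverified provider e-mail can claim an account.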
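Review bot: in the hunk starting `@@ -211,7 +214,30 @@`, the row `| POST | /api/v1/auth/2fa/disable | Tắt 2FA | ✅ |` gates disabling the second factor on a bearer token alone; turning 2FA off should require step-up (current password or a valid TOTP/recovery code), otherwise a stolen access token is enough to remove the protection, so state that requirement in the description or Auth column. In the same table, `/api/v1/auth/2fa/enable` hands out the QR code and recovery codes before `/api/v1/auth/2fa/verify` has confirmed the authenticator; document that the secret and the recovery codes are not active until verification succeeds. For `| GET | /api/v1/auth/external-callback | ... | ❌ |` the doc should name the OAuth `state` validation and say how the resulting session is delivered (tokens in the response body versus a cookie), and `/api/v1/auth/linked-accounts` lists linked providers but no unlink endpoint appears, so either add one or mark it as planned. Finally, `/api/v1/auth/confirm-email` is unauthenticated by design; note the token's expiry and that it is single-use.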
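Review bot: in the roadmap hunk (`@@ -281,31 +313,40 @@`), `+- ✅ Token Blacklisting cho logout` is marked completed under Phase 1.5 but is absent from the feature list in the first hunk, and nowhere does the document say what is blacklisted (access-token `jti`, refresh token, or both), with what TTL relative to the 15-minute/7-day lifetimes, or what the validation middleware does when Redis is unreachable; add those three points, because a fail-open lookup makes logout a no-op. Also `- 🔄 Implement User Profile module` was deleted from Phase 1 without being ticked or moved, while Phase 2 keeps `- 🔄 Profile management with extended attributes`; either mark the basic profile module done in Phase 1 or list it explicitly under Phase 2 so the item is not silently lost.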