docs: Enhance IAM Service architecture documentation

- Updated the IAM Service proposal to reflect the transition from OpenIddict to Duende IdentityServer for OAuth2/OpenID Connect.
- Added new features including email verification, 2FA/MFA support, social login options, and distributed caching with Redis.
- Reorganized API sections for clarity, introducing dedicated sections for email verification, 2FA, and social login APIs.
- Revised implementation roadmap to indicate completed phases and planned future enhancements.

docs/vi/architecture/iam-proposal.md

@@ -5,14 +5,17 @@ Tài liệu này mô tả đề xuất kiến trúc cho IAM Service (Identity an
 ## Tổng Quan: Auth Service → IAM Service
 
 **IAM Service** cung cấp:
-- **OAuth2/OpenID Connect** với OpenIddict
+- **OAuth2/OpenID Connect** với Duende IdentityServer
 - **ASP.NET Core Identity** cho user management
 - **Role-Based Access Control (RBAC)**
-- **JWT Tokens** (Access 15min, Refresh 7 days)
-- **MFA Support** (TOTP)
+- **JWT Tokens** (Access 15min, Refresh 7 days, RS256 signing)
+- **2FA/MFA Support** (TOTP với QR Code và Recovery Codes)
+- **Email Verification** (Xác thực email qua SMTP)
+- **Social Login** (Google, Facebook OAuth)
+- **Distributed Caching** (Redis với ICacheService)
 
 > [!NOTE]
-> IAM Service đã được triển khai với .NET 10, Clean Architecture tại `services/iam-service-net/`
+> IAM Service đã được triển khai với .NET 10, Clean Architecture, Duende IdentityServer tại `services/iam-service-net/`
 
 ---
 
@@ -211,7 +214,30 @@ graph TD
 | `POST` | `/api/v1/auth/change-password` | Đổi mật khẩu | ✅ |
 | `POST` | `/api/v1/auth/logout` | Đăng xuất (revoke tokens) | ✅ |
 
-### 4.2 User Management APIs
+### 4.2 Email Verification APIs
+
+| Method | Endpoint | Mô tả | Auth |
+|--------|----------|-------|------|
+| `POST` | `/api/v1/auth/send-verification-email` | Gửi email xác thực | ✅ |
+| `POST` | `/api/v1/auth/confirm-email` | Xác nhận email với token | ❌ |
+
+### 4.3 Xác Thực Hai Yếu Tố (2FA) APIs
+
+| Method | Endpoint | Mô tả | Auth |
+|--------|----------|-------|------|
+| `POST` | `/api/v1/auth/2fa/enable` | Bật 2FA (lấy QR code + recovery codes) | ✅ |
+| `POST` | `/api/v1/auth/2fa/verify` | Xác minh mã TOTP & kích hoạt | ✅ |
+| `POST` | `/api/v1/auth/2fa/disable` | Tắt 2FA | ✅ |
+
+### 4.4 Social Login APIs
+
+| Method | Endpoint | Mô tả | Auth |
+|--------|----------|-------|------|
+| `GET` | `/api/v1/auth/external-login/{provider}` | Bắt đầu OAuth flow (Google/Facebook) | ❌ |
+| `GET` | `/api/v1/auth/external-callback` | Xử lý OAuth callback | ❌ |
+| `GET` | `/api/v1/auth/linked-accounts` | Lấy danh sách providers đã liên kết | ✅ |
+
+### 4.5 User Management APIs
 
 | Method | Endpoint | Mô tả | Auth |
 |--------|----------|-------|------|
@@ -221,7 +247,7 @@ graph TD
 | `PUT` | `/api/v1/users/{id}` | Cập nhật user | ✅ |
 | `DELETE` | `/api/v1/users/{id}` | Xóa user (soft delete) | ✅ |
 
-### 4.3 Role Management APIs
+### 4.6 Role Management APIs
 
 | Method | Endpoint | Mô tả | Auth |
 |--------|----------|-------|------|
@@ -230,7 +256,10 @@ graph TD
 | `PUT` | `/api/v1/roles/{id}` | Cập nhật role | ✅ Admin |
 | `DELETE` | `/api/v1/roles/{id}` | Xóa role | ✅ Admin |
 
-### 4.2 Access Management APIs
+### 4.7 Access Management APIs (Planned)
+
+> [!NOTE]
+> Các APIs dưới đây là tính năng **đang được lên kế hoạch**, chưa triển khai.
 
 ```
 # Access Requests
@@ -252,7 +281,10 @@ GET    /api/v1/access/analytics/permissions
 GET    /api/v1/access/analytics/risks
 ```
 
-### 4.3 Governance APIs
+### 4.8 Governance APIs (Planned)
+
+> [!NOTE]
+> Các APIs dưới đây là tính năng **đang được lên kế hoạch**, chưa triển khai.
 
 ```
 # Compliance Reports
@@ -281,31 +313,40 @@ GET    /api/v1/governance/reports/security-events
 
 ## 5. Implementation Roadmap
 
-### Phase 1: Foundation (Weeks 1-4)
-- ✅ Migrate từ auth-service sang iam-service
-- 🔄 Tổ chức lại modules theo IAM structure
-- 🔄 Mở rộng database schema với identity models
-- 🔄 Implement User Profile module
+### Phase 1: Foundation ✅ (Completed)
+- ✅ Migrate từ auth-service sang iam-service (.NET 10 + Duende IdentityServer)
+- ✅ CQRS với MediatR Pattern
+- ✅ User Registration, Login, Logout
+- ✅ Password Management (change-password)
+- ✅ User Management APIs (CRUD)
+- ✅ Role Management APIs
 
-### Phase 2: Identity Management (Weeks 5-8)
+### Phase 1.5: Enhanced Security ✅ (Completed)
+- ✅ Email Verification (send + confirm)
+- ✅ 2FA/MFA với TOTP (QR Code, Recovery Codes)
+- ✅ Social Login (Google, Facebook OAuth)
+- ✅ Distributed Caching với Redis (ICacheService)
+- ✅ Token Blacklisting cho logout
+
+### Phase 2: Identity Management (Planned)
 - 🔄 User lifecycle management
-- 🔄 Identity verification (email, phone, document)
+- 🔄 Identity verification (phone, document - KYC)
 - 🔄 Organization & Group management
 - 🔄 Profile management with extended attributes
 
-### Phase 3: Access Management (Weeks 9-12)
+### Phase 3: Access Management (Planned)
 - 🔄 Access request/approval workflows
 - 🔄 Access review & certification system
 - 🔄 Access analytics
 - 🔄 Privileged Access Management (PAM)
 
-### Phase 4: Governance (Weeks 13-16)
+### Phase 4: Governance (Planned)
 - 🔄 Compliance reporting engine
 - 🔄 Policy governance & versioning
 - 🔄 Risk scoring & management
 - 🔄 Reporting dashboards
 
-### Phase 5: Advanced Features (Weeks 17-20)
+### Phase 5: Advanced Features (Planned)
 - 🔄 Workflow engine
 - 🔄 Advanced analytics & ML-based insights
 - 🔄 Integration APIs (SCIM, LDAP sync)