docs: Update architecture and README documentation to reflect migration from OpenIddict to Duende IdentityServer

- Revised architecture documentation to replace OpenIddict references with Duende IdentityServer, including updates to diagrams and flow descriptions.
- Updated README files in both English and Vietnamese to reflect the change in the OAuth2/OIDC server from OpenIddict to Duende IdentityServer.
- Enhanced token management and authentication flow descriptions to align with the new identity server implementation.
Ho Ngoc Hai
2026-01-12 20:54:12 +07:00
parent 12cbcd5d8e
commit 83b007c8ef
4 changed files with 53 additions and 49 deletions


@@ -1,6 +1,6 @@
# IAM Service Architecture
> Architecture documentation for IAM (Identity and Access Management) Service built with .NET 10, OpenIddict, and Clean Architecture.
> Architecture documentation for IAM (Identity and Access Management) Service built with .NET 10, **Duende IdentityServer**, and Clean Architecture.
## Architecture Overview
@@ -34,7 +34,7 @@ graph TB
subgraph "Infrastructure"
CTX[Identity DbContext]
REPO[Repositories]
OIDDICT[OpenIddict]
IDSERVER[Duende IdentityServer]
end
subgraph "External"
@@ -49,21 +49,21 @@ graph TB
AUTH --> QRY
USR --> CMD
USR --> QRY
TOK --> OIDDICT
TOK --> IDSERVER
CMD --> VAL
CMD --> BHV
CMD --> USER
QRY --> REPO
USER --> EVT
REPO --> CTX
OIDDICT --> CTX
IDSERVER --> CTX
CTX --> DB
CTX --> REDIS
style AUTH fill:#4a90d9,stroke:#2d5986,color:#fff
style USER fill:#50c878,stroke:#2d8659,color:#fff
style DB fill:#ff6b6b,stroke:#c0392b,color:#fff
style OIDDICT fill:#9b59b6,stroke:#7d3c98,color:#fff
style IDSERVER fill:#9b59b6,stroke:#7d3c98,color:#fff
```
## OAuth2 Authentication Flow
@@ -72,28 +72,28 @@ graph TB
sequenceDiagram
participant Client
participant AuthController
participant OpenIddict
participant IdentityServer
participant UserManager
participant Database
Note over Client,Database: Password Grant Flow (User Login)
Client->>AuthController: POST /connect/token<br/>grant_type=password
AuthController->>OpenIddict: Validate Request
OpenIddict->>UserManager: FindByEmailAsync()
AuthController->>IdentityServer: Validate Request
IdentityServer->>UserManager: FindByEmailAsync()
UserManager->>Database: Query User
Database-->>UserManager: User Data
UserManager->>UserManager: CheckPasswordAsync()
UserManager-->>OpenIddict: User Validated
OpenIddict->>OpenIddict: Generate Tokens (JWT)
OpenIddict-->>AuthController: Token Response
UserManager-->>IdentityServer: User Validated
IdentityServer->>IdentityServer: Generate Tokens (JWT)
IdentityServer-->>AuthController: Token Response
AuthController-->>Client: access_token + refresh_token
Note over Client,Database: Using Access Token
Client->>AuthController: GET /api/v1/users/me<br/>Authorization: Bearer {token}
AuthController->>OpenIddict: Validate JWT
OpenIddict-->>AuthController: Claims Principal
AuthController->>IdentityServer: Validate JWT
IdentityServer-->>AuthController: Claims Principal
AuthController-->>Client: User Data
```
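Review bot: the swapped participant still has AuthController receiving POST /connect/token and forwarding it to IdentityServer for validation, and later calling IdentityServer to "Validate JWT" on GET /api/v1/users/me; with Duende IdentityServer the /connect/token endpoint is served by the IdentityServer middleware itself (password checks are delegated to its IResourceOwnerPasswordValidator extension point), so either the diagram should send the token request Client->>IdentityServer directly or the text should say that a custom controller fronts the endpoint. For the second flow, "AuthController->>IdentityServer: Validate JWT" reads as a per-request round-trip; if the API validates the RS256 bearer token locally with the JWT bearer handler against the published signing keys, show that instead, and if it really calls the introspection endpoint, name it, so readers know which validation path and which failure mode (key rotation vs. IdentityServer availability) they depend on.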
@@ -200,13 +200,13 @@ erDiagram
uuid RoleId PK,FK
}
OpenIddictTokens {
IdentityServerPersistedGrants {
uuid Id PK
uuid ApplicationId FK
uuid AuthorizationId FK
string Key UK
string Type
string Status
datetime ExpirationDate
string ClientId
datetime CreationTime
datetime Expiration
}
AspNetUsers ||--o{ UserStatuses : has
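Review bot: the renamed IdentityServerPersistedGrants entity drops both foreign keys (ApplicationId, AuthorizationId) and gains only a plain string ClientId, so nothing in the diagram now ties a persisted grant to the user it was issued for, and there is no relationship line to AspNetUsers; if the store records a subject identifier (Duende's persisted-grant table does, as SubjectId, alongside Data and ConsumedTime), add it, because per-user refresh-token revocation and the README's "revoke tokens" feature depend on that link. Since this block documents the actual store, check the column names and types (the surviving "uuid Id PK" plus "string Key UK") against the EF migration rather than carrying them over from the OpenIddict entity.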
@@ -251,7 +251,7 @@ graph TD
subgraph "Authentication"
JWT[JWT Bearer Tokens]
RS256[RS256 Signing]
OIDC[OpenIddict Server]
OIDC[IdentityServer]
end
subgraph "Authorization"
@@ -527,7 +527,7 @@ sequenceDiagram
## References
- [OpenIddict Documentation](https://documentation.openiddict.com/)
- [Duende IdentityServer Documentation](https://docs.duendesoftware.com/identityserver/v7/)
- [ASP.NET Core Identity](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity)
- [OAuth2 Specification](https://oauth.net/2/)
- [eShopOnContainers](https://github.com/dotnet-architecture/eShopOnContainers)


@@ -1,12 +1,12 @@
# IAM Service .NET 10
> Identity and Access Management Service built with .NET 10, ASP.NET Core Identity, and OpenIddict following DDD, CQRS, and Clean Architecture patterns.
> Identity and Access Management Service built with .NET 10, ASP.NET Core Identity, and **Duende IdentityServer** following DDD, CQRS, and Clean Architecture patterns.
## Overview
This service provides OAuth2/OpenID Connect authentication and authorization:
- **OAuth2/OIDC Server** - OpenIddict for token management
- **OAuth2/OIDC Server** - Duende IdentityServer for token management
- **User Management** - Registration, profile, soft-delete
- **Role-Based Access Control** - User roles and permissions
- **Token Management** - Access (15 min), Refresh (7 days) tokens
@@ -19,7 +19,7 @@ This service provides OAuth2/OpenID Connect authentication and authorization:
|------------|---------|
| .NET 10 | Runtime |
| ASP.NET Core Identity | User/Role management |
| OpenIddict | OAuth2/OIDC server |
| Duende IdentityServer | OAuth2/OIDC server |
| EF Core + PostgreSQL | Data persistence |
| Redis | Distributed caching |
| MediatR | CQRS pattern |
@@ -137,9 +137,11 @@ curl -X POST http://localhost:5001/api/v1/auth/register \
curl -X POST http://localhost:5001/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password" \
-d "client_id=password-client" \
-d "client_secret=password-client-secret" \
-d "username=user@example.com" \
-d "password=Password123!" \
-d "scope=openid profile email offline_access"
-d "scope=openid profile email api offline_access"
```
**Response:**
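Review bot: the added client_secret line puts a literal secret (password-client-secret) into a public README beside grant_type=password; mark it as the development seed value and state where the real value is configured, so it is not copied into a deployed client, and say which client types are permitted to use the password grant at all, since the OAuth 2.0 Security Best Current Practice (RFC 9700) says this grant must not be used and authorization code + PKCE is the expected replacement. The new `api` scope should also be documented (which API resource it maps to and what audience the access token carries for it), because the "Using Access Token" flow in the architecture doc depends on that audience being present.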
@@ -374,7 +376,7 @@ docker run -p 5001:8080 --env-file .env goodgo/iam-service:latest
## Resources
- [OpenIddict Documentation](https://documentation.openiddict.com/)
- [Duende IdentityServer Documentation](https://docs.duendesoftware.com/identityserver/v7/)
- [ASP.NET Core Identity](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity)
- [OAuth2 Specification](https://oauth.net/2/)
- [eShopOnContainers](https://github.com/dotnet-architecture/eShopOnContainers)


@@ -1,6 +1,6 @@
# Kiến Trúc IAM Service
> Tài liệu kiến trúc cho IAM Service (Quản lý Danh tính và Truy cập) xây dựng với .NET 10, OpenIddict, và Clean Architecture.
> Tài liệu kiến trúc cho IAM Service (Quản lý Danh tính và Truy cập) xây dựng với .NET 10, **Duende IdentityServer**, và Clean Architecture.
## Tổng Quan Kiến Trúc
@@ -34,7 +34,7 @@ graph TB
subgraph "Infrastructure"
CTX[Identity DbContext]
REPO[Repositories]
OIDDICT[OpenIddict]
IDSERVER[Duende IdentityServer]
end
subgraph "External"
@@ -49,21 +49,21 @@ graph TB
AUTH --> QRY
USR --> CMD
USR --> QRY
TOK --> OIDDICT
TOK --> IDSERVER
CMD --> VAL
CMD --> BHV
CMD --> USER
QRY --> REPO
USER --> EVT
REPO --> CTX
OIDDICT --> CTX
IDSERVER --> CTX
CTX --> DB
CTX --> REDIS
style AUTH fill:#4a90d9,stroke:#2d5986,color:#fff
style USER fill:#50c878,stroke:#2d8659,color:#fff
style DB fill:#ff6b6b,stroke:#c0392b,color:#fff
style OIDDICT fill:#9b59b6,stroke:#7d3c98,color:#fff
style IDSERVER fill:#9b59b6,stroke:#7d3c98,color:#fff
```
## Luồng Xác Thực OAuth2
@@ -72,28 +72,28 @@ graph TB
sequenceDiagram
participant Client
participant AuthController
participant OpenIddict
participant IdentityServer
participant UserManager
participant Database
Note over Client,Database: Password Grant Flow (Đăng nhập)
Client->>AuthController: POST /connect/token<br/>grant_type=password
AuthController->>OpenIddict: Validate Request
OpenIddict->>UserManager: FindByEmailAsync()
AuthController->>IdentityServer: Validate Request
IdentityServer->>UserManager: FindByEmailAsync()
UserManager->>Database: Query User
Database-->>UserManager: User Data
UserManager->>UserManager: CheckPasswordAsync()
UserManager-->>OpenIddict: User Validated
OpenIddict->>OpenIddict: Tạo Tokens (JWT)
OpenIddict-->>AuthController: Token Response
UserManager-->>IdentityServer: User Validated
IdentityServer->>IdentityServer: Tạo Tokens (JWT)
IdentityServer-->>AuthController: Token Response
AuthController-->>Client: access_token + refresh_token
Note over Client,Database: Sử dụng Access Token
Client->>AuthController: GET /api/v1/users/me<br/>Authorization: Bearer {token}
AuthController->>OpenIddict: Validate JWT
OpenIddict-->>AuthController: Claims Principal
AuthController->>IdentityServer: Validate JWT
IdentityServer-->>AuthController: Claims Principal
AuthController-->>Client: User Data
```
@@ -200,13 +200,13 @@ erDiagram
uuid RoleId PK,FK
}
OpenIddictTokens {
IdentityServerPersistedGrants {
uuid Id PK
uuid ApplicationId FK
uuid AuthorizationId FK
string Key UK
string Type
string Status
datetime ExpirationDate
string ClientId
datetime CreationTime
datetime Expiration
}
AspNetUsers ||--o{ UserStatuses : có
@@ -251,7 +251,7 @@ graph TD
subgraph "Authentication"
JWT[JWT Bearer Tokens]
RS256[RS256 Signing]
OIDC[OpenIddict Server]
OIDC[IdentityServer]
end
subgraph "Authorization"
@@ -527,7 +527,7 @@ sequenceDiagram
## Tài Liệu Tham Khảo
- [OpenIddict Documentation](https://documentation.openiddict.com/)
- [Duende IdentityServer Documentation](https://docs.duendesoftware.com/identityserver/v7/)
- [ASP.NET Core Identity](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity)
- [OAuth2 Specification](https://oauth.net/2/)
- [eShopOnContainers](https://github.com/dotnet-architecture/eShopOnContainers)


@@ -1,12 +1,12 @@
# IAM Service .NET 10
> **Service IAM (Identity and Access Management) .NET 10 với OAuth2/OIDC sử dụng OpenIddict.**
> **Service IAM (Identity and Access Management) .NET 10 với OAuth2/OIDC sử dụng Duende IdentityServer.**
## Tổng Quan
IAM Service cung cấp các chức năng quản lý danh tính và truy cập:
- **OAuth2/OIDC** - Authentication với OpenIddict
- **OAuth2/OIDC** - Authentication với Duende IdentityServer
- **User Management** - CRUD operations cho users
- **Password Management** - Đổi mật khẩu
- **Token Management** - Issue, refresh, revoke tokens
@@ -161,9 +161,11 @@ curl -X POST http://localhost:5001/api/v1/auth/register \
curl -X POST http://localhost:5001/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password" \
-d "client_id=password-client" \
-d "client_secret=password-client-secret" \
-d "username=user@example.com" \
-d "password=Password123!" \
-d "scope=openid profile email offline_access"
-d "scope=openid profile email api offline_access"
```
**Response:**
@@ -348,6 +350,6 @@ docker run -p 5001:8080 --env-file .env goodgo/iam-service:latest
## Tài Nguyên
- [OpenIddict Documentation](https://documentation.openiddict.com/)
- [Duende IdentityServer Documentation](https://docs.duendesoftware.com/identityserver/v7/)
- [ASP.NET Core Identity](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity)
- [OAuth2 Specification](https://oauth.net/2/)