{"id":120858,"date":"2025-11-18T14:57:16","date_gmt":"2025-11-18T07:57:16","guid":{"rendered":"https:\/\/tino.vn\/blog\/?p=120858"},"modified":"2025-11-18T14:58:37","modified_gmt":"2025-11-18T07:58:37","slug":"opaque-token-la-gi","status":"publish","type":"post","link":"https:\/\/tino.vn\/blog\/opaque-token-la-gi\/","title":{"rendered":"Opaque Token l\u00e0 g\u00ec? S\u1ef1 kh\u00e1c bi\u1ec7t c\u1ed1t l\u00f5i gi\u1eefa Opaque Token v\u00e0 JWT"},"content":{"rendered":"\n<p><strong>Trong m\u1ed9t h\u1ec7 th\u1ed1ng \u0111\u0103ng nh\u1eadp hi\u1ec7n \u0111\u1ea1i, token g\u1ea7n nh\u01b0 l\u00e0 \u201cchi\u1ebfc v\u00e9 th\u00f4ng h\u00e0nh\u201d \u0111\u1ec3 ng\u01b0\u1eddi d\u00f9ng truy c\u1eadp v\u00e0o c\u00e1c t\u00e0i nguy\u00ean v\u00e0 d\u1ecbch v\u1ee5. Tuy nhi\u00ean, kh\u00f4ng ph\u1ea3i lo\u1ea1i token n\u00e0o c\u0169ng gi\u1ed1ng nhau. Trong khi JSON Web Token (JWT) th\u01b0\u1eddng \u0111\u01b0\u1ee3c nh\u1eafc \u0111\u1ebfn nh\u01b0 m\u1ed9t ti\u00eau chu\u1ea9n ph\u1ed5 bi\u1ebfn, th\u00ec Opaque Token l\u1ea1i ng\u00e0y c\u00e0ng xu\u1ea5t hi\u1ec7n nhi\u1ec1u h\u01a1n trong c\u00e1c n\u1ec1n t\u1ea3ng thi\u00ean v\u1ec1 b\u1ea3o m\u1eadt v\u00e0 ph\u00e2n quy\u1ec1n nghi\u00eam ng\u1eb7t. 
V\u1eady c\u1ee5 th\u1ec3 Opaque Token l\u00e0 g\u00ec?<\/strong><\/p>\n\n\n\n<h2 id=\"T\u1ed5ng_quan_v\u1ec1_Opaque_Token\"><a id=\"post-120858-_93k9gmwy7xn0\"><\/a>T\u1ed5ng quan v\u1ec1 Opaque Token<\/h2>\n\n\n\n<h3 id=\"Opaque_Token_l\u00e0_g\u00ec?\"><a id=\"post-120858-_yrum7c2viv6b\"><\/a><strong>Opaque Token l\u00e0 g\u00ec?<\/strong><\/h3>\n\n\n\n<p>Opaque Token (hay c\u00f2n g\u1ecdi l\u00e0 <em>Reference Token<\/em>) l\u00e0 m\u1ed9t chu\u1ed7i k\u00fd t\u1ef1 ng\u1eabu nhi\u00ean, \u0111\u1ed9c nh\u1ea5t v\u00e0 kh\u00f4ng mang b\u1ea5t k\u1ef3 th\u00f4ng tin c\u00f3 \u00fd ngh\u0129a n\u00e0o (nh\u01b0 \u0111\u1ecbnh danh ng\u01b0\u1eddi d\u00f9ng hay quy\u1ec1n h\u1ea1n) \u0111\u1ed1i v\u1edbi ph\u00eda Client n\u1eafm gi\u1eef.<\/p>\n\n\n\n<p>Thay v\u00ec l\u01b0u tr\u1eef d\u1eef li\u1ec7u tr\u1ef1c ti\u1ebfp b\u00ean trong chu\u1ed7i m\u00e3 h\u00f3a nh\u01b0 JWT, Opaque Token \u0111\u00f3ng vai tr\u00f2 l\u00e0 m\u1ed9t tham chi\u1ebfu hay m\u1ed9t &#8220;chi\u1ebfc ch\u00eca kh\u00f3a&#8221; tr\u1ecf \u0111\u1ebfn th\u00f4ng tin phi\u00ean \u0111\u0103ng nh\u1eadp \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef an to\u00e0n trong c\u01a1 s\u1edf d\u1eef li\u1ec7u ho\u1eb7c b\u1ed9 nh\u1edb \u0111\u1ec7m (Cache) c\u1ee7a <a href=\"https:\/\/tino.vn\/blog\/may-chu-la-gi\/\" target=\"_blank\" data-type=\"post\" data-id=\"115331\" rel=\"noreferrer noopener\">Server<\/a>. 
Khi Client g\u1eedi chu\u1ed7i token n\u00e0y \u0111\u1ec3 y\u00eau c\u1ea7u truy c\u1eadp, h\u1ec7 th\u1ed1ng bu\u1ed9c ph\u1ea3i th\u1ef1c hi\u1ec7n b\u01b0\u1edbc tra c\u1ee9u ng\u01b0\u1ee3c l\u1ea1i \u0111\u1ec3 x\u00e1c minh t\u00ednh h\u1ee3p l\u1ec7 v\u00e0 l\u1ea5y th\u00f4ng tin ng\u01b0\u1eddi d\u00f9ng.<\/p>\n\n\n\n<p>Ch\u00ednh \u0111\u1eb7c \u0111i\u1ec3m n\u00e0y \u0111\u00e3 gi\u00fap Opaque Token che gi\u1ea5u ho\u00e0n to\u00e0n c\u1ea5u tr\u00fac d\u1eef li\u1ec7u n\u1ed9i b\u1ed9, ng\u0103n ch\u1eb7n vi\u1ec7c gi\u1ea3i m\u00e3 th\u00f4ng tin t\u1eeb ph\u00eda ng\u01b0\u1eddi d\u00f9ng cu\u1ed1i ho\u1eb7c c\u00e1c t\u00e1c nh\u00e2n \u0111\u1ed9c h\u1ea1i.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"700\" height=\"375\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-1.png\" alt=\"T\u1ed5ng quan v\u1ec1 Opaque Token\" class=\"wp-image-120867\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-1.png 700w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-1-300x161.png 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption class=\"wp-element-caption\"><strong>T\u1ed5ng quan v\u1ec1 Opaque Token<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n<h3 id=\"T\u1ea1i_sao_g\u1ecdi_l\u00e0_&#8220;Opaque&#8221;?\"><a id=\"post-120858-_czh21ao65bw8\"><\/a><strong>T\u1ea1i sao g\u1ecdi l\u00e0 &#8220;Opaque&#8221;?<\/strong><\/h3>\n\n\n\n<p>Thu\u1eadt ng\u1eef &#8220;Opaque&#8221; (t\u1ea1m d\u1ecbch: <em>m\u1edd \u0111\u1ee5c ho\u1eb7c kh\u00f4ng trong su\u1ed1t<\/em>) \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 m\u00f4 t\u1ea3 \u0111\u1eb7c t\u00ednh che gi\u1ea5u th\u00f4ng tin tuy\u1ec7t \u0111\u1ed1i c\u1ee7a lo\u1ea1i token n\u00e0y \u0111\u1ed1i v\u1edbi ph\u00eda Client ho\u1eb7c b\u1ea5t k\u1ef3 ai n\u1eafm gi\u1eef chu\u1ed7i m\u00e3. 
Tr\u00e1i ng\u01b0\u1ee3c v\u1edbi JWT \u2013 n\u01a1i d\u1eef li\u1ec7u \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a nh\u01b0ng v\u1eabn c\u00f3 th\u1ec3 gi\u1ea3i m\u00e3 (decode) d\u1ec5 d\u00e0ng \u0111\u1ec3 xem n\u1ed9i dung, Opaque Token xu\u1ea5t hi\u1ec7n d\u01b0\u1edbi d\u1ea1ng m\u1ed9t chu\u1ed7i k\u00fd t\u1ef1 ng\u1eabu nhi\u00ean, ho\u00e0n to\u00e0n v\u00f4 ngh\u0129a v\u00e0 kh\u00f4ng mang theo b\u1ea5t c\u1ee9 c\u1ea5u tr\u00fac d\u1eef li\u1ec7u n\u1ed9i t\u1ea1i n\u00e0o \u0111\u1ec3 ng\u01b0\u1eddi ngo\u00e0i c\u00f3 th\u1ec3 \u0111\u1ecdc hi\u1ec3u.<\/p>\n\n\n\n<p>Ch\u1ec9 c\u00f3 m\u00e1y ch\u1ee7 ph\u00e1t h\u00e0nh (Server) m\u1edbi s\u1edf h\u1eefu kh\u1ea3 n\u0103ng tra c\u1ee9u v\u00e0 x\u00e1c \u0111\u1ecbnh \u00fd ngh\u0129a th\u1ef1c s\u1ef1 \u0111\u1eb1ng sau d\u00e3y k\u00fd t\u1ef1 b\u00ed \u1ea9n n\u00e0y. V\u00ec v\u1eady, t\u00ean g\u1ecdi &#8220;Opaque&#8221; nh\u1ea5n m\u1ea1nh v\u00e0o kh\u1ea3 n\u0103ng bi\u1ebfn phi\u00ean b\u1ea3n token tham chi\u1ebfu th\u00e0nh m\u1ed9t &#8220;chi\u1ebfc h\u1ed9p \u0111en&#8221; k\u00edn \u0111\u00e1o, ng\u0103n ch\u1eb7n ho\u00e0n to\u00e0n vi\u1ec7c l\u1ed9 l\u1ecdt th\u00f4ng tin nh\u1ea1y c\u1ea3m ra b\u00ean ngo\u00e0i m\u00f4i tr\u01b0\u1eddng l\u01b0u tr\u1eef an to\u00e0n.<\/p>\n\n\n\n<h2 id=\"C\u01a1_ch\u1ebf_ho\u1ea1t_\u0111\u1ed9ng_c\u1ee7a_Opaque_Token\"><a id=\"post-120858-_qs8aprzhqk7s\"><\/a>C\u01a1 ch\u1ebf ho\u1ea1t \u0111\u1ed9ng c\u1ee7a Opaque Token<\/h2>\n\n\n\n<p>Opaque Token d\u1ef1a ho\u00e0n to\u00e0n v\u00e0o m\u00f4 h\u00ecnh &#8220;Tham chi\u1ebfu&#8221; (Reference). Quy tr\u00ecnh x\u1eed l\u00fd c\u1ee7a lo\u1ea1i token n\u00e0y bu\u1ed9c h\u1ec7 th\u1ed1ng ph\u1ea3i duy tr\u00ec tr\u1ea1ng th\u00e1i (Stateful) v\u00e0 th\u1ef1c hi\u1ec7n c\u00e1c b\u01b0\u1edbc x\u00e1c th\u1ef1c ch\u1eb7t ch\u1ebd nh\u01b0 sau:<\/p>\n\n\n\n<h3 id=\"1._Kh\u1edfi_t\u1ea1o_v\u00e0_L\u01b0u_tr\u1eef_(Issuance_&amp;_Storage)\"><a id=\"post-120858-_1kuq5ep7fjvz\"><\/a><strong>1. 
Kh\u1edfi t\u1ea1o v\u00e0 L\u01b0u tr\u1eef (Issuance &amp; Storage)<\/strong><\/h3>\n\n\n\n<p>Khi ng\u01b0\u1eddi d\u00f9ng \u0111\u0103ng nh\u1eadp th\u00e0nh c\u00f4ng, m\u00e1y ch\u1ee7 x\u00e1c th\u1ef1c (Authorization Server) s\u1ebd kh\u00f4ng \u0111\u00f3ng g\u00f3i th\u00f4ng tin v\u00e0o token g\u1eedi \u0111i. Thay v\u00e0o \u0111\u00f3, h\u1ec7 th\u1ed1ng th\u1ef1c hi\u1ec7n hai vi\u1ec7c song song:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sinh ra m\u1ed9t chu\u1ed7i k\u00fd t\u1ef1 ng\u1eabu nhi\u00ean, \u0111\u1ed9c nh\u1ea5t v\u00e0 kh\u00f3 \u0111o\u00e1n (v\u00ed d\u1ee5: m\u1ed9t chu\u1ed7i UUID).<\/li>\n\n\n\n<li>L\u01b0u tr\u1eef to\u00e0n b\u1ed9 th\u00f4ng tin phi\u00ean l\u00e0m vi\u1ec7c (User ID, quy\u1ec1n h\u1ea1n, th\u1eddi gian h\u1ebft h\u1ea1n&#8230;) v\u00e0o c\u01a1 s\u1edf d\u1eef li\u1ec7u ho\u1eb7c b\u1ed9 nh\u1edb \u0111\u1ec7m t\u1ed1c \u0111\u1ed9 cao (nh\u01b0 Redis, Memcached). Chu\u1ed7i k\u00fd t\u1ef1 ng\u1eabu nhi\u00ean v\u1eeba t\u1ea1o s\u1ebd \u0111\u00f3ng vai tr\u00f2 l\u00e0 &#8220;ch\u00eca kh\u00f3a&#8221; tham chi\u1ebfu \u0111\u1ebfn b\u1ea3n ghi d\u1eef li\u1ec7u n\u00e0y v\u00e0 \u0111\u01b0\u1ee3c tr\u1ea3 v\u1ec1 cho Client d\u01b0\u1edbi danh ngh\u0129a Opaque Token.<\/li>\n<\/ul>\n\n\n\n<h3 id=\"2._G\u1eedi_y\u00eau_c\u1ea7u_x\u00e1c_th\u1ef1c_(Request)\"><a id=\"post-120858-_ceuis0ddrlbq\"><\/a><strong>2. G\u1eedi y\u00eau c\u1ea7u x\u00e1c th\u1ef1c (Request)<\/strong><\/h3>\n\n\n\n<p>Trong c\u00e1c l\u1ea7n g\u1ecdi API ti\u1ebfp theo, Client s\u1ebd \u0111\u00ednh k\u00e8m <strong>Opaque Token<\/strong> v\u00e0o HTTP Header (th\u01b0\u1eddng theo \u0111\u1ecbnh d\u1ea1ng Authorization: Bearer &lt;token_string&gt;) v\u00e0 g\u1eedi \u0111\u1ebfn Resource Server (API). 
T\u1ea1i b\u01b0\u1edbc n\u00e0y, Client ho\u00e0n to\u00e0n kh\u00f4ng bi\u1ebft <strong>chu\u1ed7i m\u00e3<\/strong> \u0111ang n\u1eafm gi\u1eef ch\u1ee9a th\u00f4ng tin g\u00ec, ch\u1ec9 \u0111\u01a1n thu\u1ea7n s\u1eed d\u1ee5ng chu\u1ed7i n\u00e0y nh\u01b0 m\u1ed9t v\u00e9 th\u00f4ng h\u00e0nh.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"700\" height=\"375\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-2.png\" alt=\"C\u01a1 ch\u1ebf ho\u1ea1t \u0111\u1ed9ng c\u1ee7a Opaque Token\" class=\"wp-image-120868\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-2.png 700w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-2-300x161.png 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption class=\"wp-element-caption\"><strong>C\u01a1 ch\u1ebf ho\u1ea1t \u0111\u1ed9ng c\u1ee7a Opaque Token<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n<h3 id=\"3._Tra_c\u1ee9u_v\u00e0_ki\u1ec3m_tra_(Introspection)\"><a id=\"post-120858-_xm0nx9y8mdv6\"><\/a><strong>3. Tra c\u1ee9u v\u00e0 ki\u1ec3m tra (Introspection)<\/strong><\/h3>\n\n\n\n<p>V\u00ec Opaque Token v\u00f4 ngh\u0129a v\u1ec1 m\u1eb7t n\u1ed9i dung \u0111\u1ed1i v\u1edbi Resource Server n\u00ean API kh\u00f4ng th\u1ec3 t\u1ef1 m\u00ecnh x\u00e1c th\u1ef1c token b\u1eb1ng thu\u1eadt to\u00e1n gi\u1ea3i m\u00e3. 
Thay v\u00e0o \u0111\u00f3:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource Server ph\u1ea3i th\u1ef1c hi\u1ec7n quy tr\u00ecnh Token Introspection.<\/li>\n\n\n\n<li>Quy tr\u00ecnh n\u00e0y y\u00eau c\u1ea7u g\u1eedi m\u00e3 token v\u1ec1 l\u1ea1i Authorization Server ho\u1eb7c truy v\u1ea5n tr\u1ef1c ti\u1ebfp v\u00e0o kho l\u01b0u tr\u1eef (Database\/Cache) n\u01a1i ch\u1ee9a th\u00f4ng tin phi\u00ean.<\/li>\n\n\n\n<li>H\u1ec7 th\u1ed1ng s\u1ebd \u0111\u1ed1i chi\u1ebfu xem kh\u00f3a tham chi\u1ebfu n\u00e0y c\u00f3 t\u1ed3n t\u1ea1i kh\u00f4ng v\u00e0 c\u00f2n h\u1ea1n s\u1eed d\u1ee5ng hay kh\u00f4ng.<\/li>\n<\/ul>\n\n\n\n<h3 id=\"4._Ph\u1ea3n_h\u1ed3i_(Response)\"><a id=\"post-120858-_hc4iyizapy6s\"><\/a><strong>4. Ph\u1ea3n h\u1ed3i (Response)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Tr\u01b0\u1eddng h\u1ee3p h\u1ee3p l\u1ec7:<\/strong> N\u1ebfu t\u00ecm th\u1ea5y d\u1eef li\u1ec7u t\u01b0\u01a1ng \u1ee9ng trong kho l\u01b0u tr\u1eef, h\u1ec7 th\u1ed1ng s\u1ebd tr\u1ea3 v\u1ec1 th\u00f4ng tin ng\u01b0\u1eddi d\u00f9ng (User profile, scope) cho Resource Server \u0111\u1ec3 x\u1eed l\u00fd logic nghi\u1ec7p v\u1ee5 ti\u1ebfp theo.<\/li>\n\n\n\n<li><strong>Tr\u01b0\u1eddng h\u1ee3p kh\u00f4ng h\u1ee3p l\u1ec7:<\/strong> N\u1ebfu <strong>chu\u1ed7i token<\/strong> kh\u00f4ng t\u1ed3n t\u1ea1i (do h\u1ebft h\u1ea1n ho\u1eb7c \u0111\u00e3 b\u1ecb Admin thu h\u1ed3i\/x\u00f3a kh\u1ecfi Database), y\u00eau c\u1ea7u s\u1ebd b\u1ecb t\u1eeb ch\u1ed1i ngay l\u1eadp t\u1ee9c v\u1edbi m\u00e3 l\u1ed7i 401 Unauthorized.<\/li>\n<\/ul>\n\n\n\n<p><strong>T\u00f3m l\u1ea1i:<\/strong> C\u01a1 ch\u1ebf n\u00e0y bi\u1ebfn Opaque Token th\u00e0nh m\u1ed9t chi\u1ebfc c\u1ea7u n\u1ed1i. 
M\u1ecdi quy\u1ec1n l\u1ef1c x\u00e1c th\u1ef1c \u0111\u1ec1u n\u1eb1m t\u1eadp trung t\u1ea1i ph\u00eda Server (n\u01a1i l\u01b0u tr\u1eef d\u1eef li\u1ec7u), gi\u00fap ng\u01b0\u1eddi qu\u1ea3n tr\u1ecb c\u00f3 quy\u1ec1n ki\u1ec3m so\u00e1t tuy\u1ec7t \u0111\u1ed1i v\u00e0 t\u1ee9c th\u1eddi \u0111\u1ed1i v\u1edbi v\u00f2ng \u0111\u1eddi c\u1ee7a phi\u00ean \u0111\u0103ng nh\u1eadp.<\/p>\n\n\n\n<h2 id=\"\u01afu_\u0111i\u1ec3m_v\u00e0_nh\u01b0\u1ee3c_\u0111i\u1ec3m_khi_s\u1eed_d\u1ee5ng_Opaque_Token\"><a id=\"post-120858-_fl59sys43e07\"><\/a>\u01afu \u0111i\u1ec3m v\u00e0 nh\u01b0\u1ee3c \u0111i\u1ec3m khi s\u1eed d\u1ee5ng Opaque Token<\/h2>\n\n\n\n<h3 id=\"\u01afu_\u0111i\u1ec3m_n\u1ed5i_b\u1eadt\"><a id=\"post-120858-_8onlovq06srg\"><\/a><strong>\u01afu \u0111i\u1ec3m n\u1ed5i b\u1eadt<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Kh\u1ea3 n\u0103ng thu h\u1ed3i t\u1ee9c th\u00ec:<\/strong> V\u00ec t\u00ednh h\u1ee3p l\u1ec7 c\u1ee7a phi\u00ean \u0111\u0103ng nh\u1eadp \u0111\u01b0\u1ee3c ki\u1ec3m tra d\u1ef1a tr\u00ean d\u1eef li\u1ec7u l\u01b0u t\u1ea1i Server cho m\u1ed7i l\u1ea7n g\u1ecdi API, qu\u1ea3n tr\u1ecb vi\u00ean c\u00f3 th\u1ec3 v\u00f4 hi\u1ec7u h\u00f3a quy\u1ec1n truy c\u1eadp c\u1ee7a ng\u01b0\u1eddi d\u00f9ng ngay l\u1eadp t\u1ee9c b\u1eb1ng c\u00e1ch x\u00f3a ho\u1eb7c \u0111\u00e1nh d\u1ea5u &#8220;h\u1ee7y&#8221; b\u1ea3n ghi trong c\u01a1 s\u1edf d\u1eef li\u1ec7u.<\/li>\n\n\n\n<li><strong>B\u1ea3o m\u1eadt th\u00f4ng tin tuy\u1ec7t \u0111\u1ed1i:<\/strong> Do chu\u1ed7i Opaque Token ch\u1ec9 l\u00e0 m\u1ed9t m\u00e3 tham chi\u1ebfu ng\u1eabu nhi\u00ean, chu\u1ed7i m\u00e3 n\u00e0y kh\u00f4ng ch\u1ee9a b\u1ea5t k\u1ef3 th\u00f4ng tin nh\u1ea1y c\u1ea3m n\u00e0o (nh\u01b0 User ID, Email, Role). 
Ngay c\u1ea3 khi hacker \u0111\u00e1nh c\u1eafp \u0111\u01b0\u1ee3c token, k\u1ebb t\u1ea5n c\u00f4ng c\u0169ng kh\u00f4ng th\u1ec3 khai th\u00e1c th\u00f4ng tin n\u1ed9i b\u1ed9 hay gi\u1ea3i m\u00e3 c\u1ea5u tr\u00fac d\u1eef li\u1ec7u c\u1ee7a h\u1ec7 th\u1ed1ng.<\/li>\n\n\n\n<li><strong>K\u00edch th\u01b0\u1edbc nh\u1ecf g\u1ecdn:<\/strong> D\u00f9 b\u1ea1n l\u01b0u tr\u1eef bao nhi\u00eau th\u00f4ng tin v\u1ec1 ng\u01b0\u1eddi d\u00f9ng trong Database, k\u00edch th\u01b0\u1edbc c\u1ee7a Opaque Token g\u1eedi qua m\u1ea1ng v\u1eabn lu\u00f4n c\u1ed1 \u0111\u1ecbnh v\u00e0 ng\u1eafn g\u1ecdn. \u0110\u1eb7c \u0111i\u1ec3m n\u00e0y gi\u00fap ti\u1ebft ki\u1ec7m b\u0103ng th\u00f4ng \u0111\u01b0\u1eddng truy\u1ec1n t\u1ed1t h\u01a1n so v\u1edbi JWT, b\u1edfi JWT s\u1ebd ph\u00ecnh to ra khi l\u01b0\u1ee3ng th\u00f4ng tin (Claims) b\u00ean trong t\u0103ng l\u00ean.<\/li>\n\n\n\n<li><strong>Qu\u1ea3n l\u00fd d\u1eef li\u1ec7u t\u1eadp trung:<\/strong> M\u1ecdi thay \u0111\u1ed5i v\u1ec1 quy\u1ec1n h\u1ea1n c\u1ee7a ng\u01b0\u1eddi d\u00f9ng (v\u00ed d\u1ee5: v\u1eeba \u0111\u01b0\u1ee3c th\u0103ng c\u1ea5p l\u00ean Admin) s\u1ebd \u0111\u01b0\u1ee3c c\u1eadp nh\u1eadt ngay l\u1eadp t\u1ee9c \u1edf l\u1ea7n request ti\u1ebfp theo. 
<strong>H\u1ec7 th\u1ed1ng<\/strong> kh\u00f4ng c\u1ea7n ch\u1edd c\u1ea5p ph\u00e1t l\u1ea1i token m\u1edbi nh\u01b0 c\u01a1 ch\u1ebf Stateless c\u1ee7a JWT.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"700\" height=\"375\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-3.png\" alt=\"\u01afu \u0111i\u1ec3m v\u00e0 nh\u01b0\u1ee3c \u0111i\u1ec3m khi s\u1eed d\u1ee5ng Opaque Token\" class=\"wp-image-120869\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-3.png 700w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-3-300x161.png 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption class=\"wp-element-caption\"><strong>\u01afu \u0111i\u1ec3m v\u00e0 nh\u01b0\u1ee3c \u0111i\u1ec3m khi s\u1eed d\u1ee5ng Opaque Token<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n<h3 id=\"Nh\u01b0\u1ee3c_\u0111i\u1ec3m_v\u00e0_th\u00e1ch_th\u1ee9c\"><a id=\"post-120858-_prhb965mpyk8\"><\/a><strong>Nh\u01b0\u1ee3c \u0111i\u1ec3m v\u00e0 th\u00e1ch th\u1ee9c<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u0110\u1ed9 tr\u1ec5 v\u00e0 hi\u1ec7u n\u0103ng:<\/strong> Do m\u1ed7i y\u00eau c\u1ea7u (Request) t\u1eeb Client \u0111\u1ec1u bu\u1ed9c Resource Server ph\u1ea3i th\u1ef1c hi\u1ec7n m\u1ed9t cu\u1ed9c g\u1ecdi x\u00e1c th\u1ef1c (Introspection) v\u1ec1 Database ho\u1eb7c Cache, c\u01a1 ch\u1ebf n\u00e0y t\u1ea1o ra th\u00eam m\u1ed9t b\u01b0\u1edbc x\u1eed l\u00fd trung gian (Round-trip). 
Vi\u1ec7c n\u00e0y ch\u1eafc ch\u1eafn s\u1ebd l\u00e0m t\u0103ng \u0111\u1ed9 tr\u1ec5 ph\u1ea3n h\u1ed3i c\u1ee7a API so v\u1edbi vi\u1ec7c gi\u1ea3i m\u00e3 JWT t\u1ea1i ch\u1ed7, \u0111\u1eb7c bi\u1ec7t khi h\u1ec7 th\u1ed1ng ph\u1ea3i ch\u1ecbu t\u1ea3i cao.<\/li>\n\n\n\n<li><strong>Ph\u1ee5 thu\u1ed9c v\u00e0o h\u1ea1 t\u1ea7ng l\u01b0u tr\u1eef:<\/strong> Gi\u1ea3i ph\u00e1p Opaque Token y\u00eau c\u1ea7u h\u1ec7 th\u1ed1ng ph\u1ea3i duy tr\u00ec tr\u1ea1ng th\u00e1i (Stateful). \u0110i\u1ec1u n\u00e0y \u0111\u1ed3ng ngh\u0129a v\u1edbi vi\u1ec7c b\u1ea1n b\u1eaft bu\u1ed9c ph\u1ea3i c\u00f3 m\u1ed9t n\u01a1i l\u01b0u tr\u1eef t\u1eadp trung (nh\u01b0 Redis, Memcached ho\u1eb7c SQL Database) \u0111\u1ec3 ch\u1ee9a c\u00e1c phi\u00ean l\u00e0m vi\u1ec7c. N\u1ebfu kho l\u01b0u tr\u1eef n\u00e0y g\u1eb7p s\u1ef1 c\u1ed1 (Down time), to\u00e0n b\u1ed9 ch\u1ee9c n\u0103ng x\u00e1c th\u1ef1c c\u1ee7a \u1ee9ng d\u1ee5ng s\u1ebd ng\u1eebng ho\u1ea1t \u0111\u1ed9ng ho\u00e0n to\u00e0n.<\/li>\n\n\n\n<li><strong>Kh\u00f3 kh\u0103n khi m\u1edf r\u1ed9ng quy m\u00f4:<\/strong> Trong c\u00e1c h\u1ec7 th\u1ed1ng ph\u00e2n t\u00e1n l\u1edbn ho\u1eb7c \u0111a v\u00f9ng (Multi-region), vi\u1ec7c \u0111\u1ed3ng b\u1ed9 h\u00f3a kho l\u01b0u tr\u1eef session gi\u1eefa c\u00e1c khu v\u1ef1c \u0111\u1ecba l\u00fd kh\u00e1c nhau l\u00e0 m\u1ed9t b\u00e0i to\u00e1n ph\u1ee9c t\u1ea1p. 
Resource Server \u1edf Ch\u00e2u \u00c1 c\u00f3 th\u1ec3 s\u1ebd g\u1eb7p \u0111\u1ed9 tr\u1ec5 l\u1edbn n\u1ebfu ph\u1ea3i g\u1ecdi v\u1ec1 Server x\u00e1c th\u1ef1c \u0111\u1eb7t t\u1ea1i Ch\u00e2u \u00c2u \u0111\u1ec3 ki\u1ec3m tra t\u00ednh h\u1ee3p l\u1ec7 c\u1ee7a token.<\/li>\n<\/ul>\n\n\n\n<h2 id=\"So_s\u00e1nh_chi_ti\u1ebft:_Opaque_Token_vs_JWT_(JSON_Web_Token)\"><a id=\"post-120858-_o87ex85ymlqt\"><\/a>So s\u00e1nh chi ti\u1ebft: Opaque Token vs JWT (JSON Web Token)<\/h2>\n\n\n\n<h3 id=\"V\u1ec1_c\u01a1_ch\u1ebf_l\u01b0u_tr\u1eef_th\u00f4ng_tin\"><strong>V\u1ec1 c\u01a1 ch\u1ebf l\u01b0u tr\u1eef th\u00f4ng tin<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>JWT (Self-contained):<\/strong> JWT ho\u1ea1t \u0111\u1ed9ng theo c\u01a1 ch\u1ebf Stateless (kh\u00f4ng tr\u1ea1ng th\u00e1i). To\u00e0n b\u1ed9 th\u00f4ng tin c\u1ea7n thi\u1ebft (User ID, quy\u1ec1n h\u1ea1n, th\u1eddi gian h\u1ebft h\u1ea1n) \u0111\u1ec1u \u0111\u01b0\u1ee3c \u0111\u00f3ng g\u00f3i tr\u1ef1c ti\u1ebfp b\u00ean trong chu\u1ed7i m\u00e3 d\u01b0\u1edbi d\u1ea1ng JSON \u0111\u00e3 \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a Base64Url. Server kh\u00f4ng c\u1ea7n l\u01b0u tr\u1eef d\u1eef li\u1ec7u phi\u00ean l\u00e0m vi\u1ec7c sau khi c\u1ea5p ph\u00e1t token. Do \u0111\u00f3, b\u1ea5t k\u1ef3 d\u1ecbch v\u1ee5 n\u00e0o c\u00f3 kh\u00f3a b\u00ed m\u1eadt (Secret Key) \u0111\u1ec1u c\u00f3 th\u1ec3 x\u00e1c th\u1ef1c JWT m\u00e0 kh\u00f4ng c\u1ea7n truy v\u1ea5n c\u01a1 s\u1edf d\u1eef li\u1ec7u.<\/li>\n\n\n\n<li><strong>Opaque Token (Reference):<\/strong> Ng\u01b0\u1ee3c l\u1ea1i, Opaque Token ho\u1ea1t \u0111\u1ed9ng theo c\u01a1 ch\u1ebf Stateful. Chu\u1ed7i k\u00fd t\u1ef1 n\u00e0y ho\u00e0n to\u00e0n r\u1ed7ng v\u1ec1 m\u1eb7t th\u00f4ng tin v\u00e0 ch\u1ec9 \u0111\u00f3ng vai tr\u00f2 nh\u01b0 m\u1ed9t con tr\u1ecf. D\u1eef li\u1ec7u th\u1ef1c t\u1ebf c\u1ee7a phi\u00ean \u0111\u0103ng nh\u1eadp n\u1eb1m an to\u00e0n trong Database ho\u1eb7c Redis c\u1ee7a Server. 
\u0110\u1ec3 hi\u1ec3u \u0111\u01b0\u1ee3c Opaque Token, h\u1ec7 th\u1ed1ng b\u1eaft bu\u1ed9c ph\u1ea3i tra c\u1ee9u l\u1ea1i kho l\u01b0u tr\u1eef t\u1eadp trung.<\/li>\n<\/ul>\n\n\n\n<h3 id=\"V\u1ec1_kh\u1ea3_n\u0103ng_b\u1ea3o_m\u1eadt_v\u00e0_quy\u1ec1n_ri\u00eang_t\u01b0\"><strong>V\u1ec1 kh\u1ea3 n\u0103ng b\u1ea3o m\u1eadt v\u00e0 quy\u1ec1n ri\u00eang t\u01b0<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>V\u1edbi JWT:<\/strong> M\u1ed9t sai l\u1ea7m ph\u1ed5 bi\u1ebfn l\u00e0 cho r\u1eb1ng JWT \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a n\u00ean an to\u00e0n. Th\u1ef1c t\u1ebf, JWT ch\u1ec9 \u0111\u01b0\u1ee3c k\u00fd (signed) \u0111\u1ec3 ch\u1ed1ng s\u1eeda \u0111\u1ed5i, c\u00f2n ph\u1ea7n n\u1ed9i dung ch\u1ec9 \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a Base64 n\u00ean b\u1ea5t k\u1ef3 ai c\u0169ng c\u00f3 th\u1ec3 gi\u1ea3i m\u00e3 \u0111\u1ec3 xem th\u00f4ng tin b\u00ean trong. N\u1ebfu l\u1eadp tr\u00ecnh vi\u00ean v\u00f4 t\u00ecnh \u0111\u01b0a d\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m v\u00e0o Payload, th\u00f4ng tin n\u00e0y s\u1ebd b\u1ecb l\u1ed9 ngay l\u1eadp t\u1ee9c.<\/li>\n\n\n\n<li><strong>V\u1edbi Opaque Token:<\/strong> T\u00ednh b\u1ea3o m\u1eadt l\u00e0 \u01b0u \u0111i\u1ec3m tuy\u1ec7t \u0111\u1ed1i c\u1ee7a gi\u1ea3i ph\u00e1p n\u00e0y. 
Do ph\u00eda Client ch\u1ec9 n\u1eafm gi\u1eef m\u1ed9t chu\u1ed7i k\u00fd t\u1ef1 ng\u1eabu nhi\u00ean v\u00f4 ngh\u0129a, k\u1ebb t\u1ea5n c\u00f4ng d\u00f9 c\u00f3 l\u1ea5y \u0111\u01b0\u1ee3c token c\u0169ng kh\u00f4ng th\u1ec3 khai th\u00e1c \u0111\u01b0\u1ee3c b\u1ea5t k\u1ef3 th\u00f4ng tin n\u00e0o v\u1ec1 c\u1ea5u tr\u00fac h\u1ec7 th\u1ed1ng hay d\u1eef li\u1ec7u ng\u01b0\u1eddi d\u00f9ng.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"700\" height=\"375\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-4.png\" alt=\"So s\u00e1nh chi ti\u1ebft: Opaque Token vs JWT (JSON Web Token)\" class=\"wp-image-120870\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-4.png 700w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-4-300x161.png 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption class=\"wp-element-caption\"><strong>So s\u00e1nh chi ti\u1ebft: Opaque Token vs JWT (JSON Web Token)<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n<h3 id=\"V\u1ec1_kh\u1ea3_n\u0103ng_thu_h\u1ed3i\"><strong>V\u1ec1 kh\u1ea3 n\u0103ng thu h\u1ed3i<\/strong><\/h3>\n\n\n\n<p>\u0110\u00e2y l\u00e0 \u0111i\u1ec3m kh\u00e1c bi\u1ec7t l\u1edbn nh\u1ea5t \u1ea3nh h\u01b0\u1edfng \u0111\u1ebfn tr\u1ea3i nghi\u1ec7m qu\u1ea3n tr\u1ecb:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Opaque Token:<\/strong> Cho ph\u00e9p thu h\u1ed3i quy\u1ec1n truy c\u1eadp t\u1ee9c th\u00ec. Khi qu\u1ea3n tr\u1ecb vi\u00ean x\u00f3a ho\u1eb7c kh\u00f3a phi\u00ean l\u00e0m vi\u1ec7c trong Database, Opaque Token \u0111ang l\u01b0u h\u00e0nh s\u1ebd ngay l\u1eadp t\u1ee9c tr\u1edf n\u00ean v\u00f4 hi\u1ec7u \u1edf l\u1ea7n request ti\u1ebfp theo. 
\u0110i\u1ec1u n\u00e0y c\u1ef1c k\u1ef3 quan tr\u1ecdng trong c\u00e1c t\u00ecnh hu\u1ed1ng kh\u1ea9n c\u1ea5p nh\u01b0 m\u1ea5t thi\u1ebft b\u1ecb ho\u1eb7c ph\u00e1t hi\u1ec7n x\u00e2m nh\u1eadp.<\/li>\n\n\n\n<li><strong>JWT:<\/strong> R\u1ea5t kh\u00f3 \u0111\u1ec3 thu h\u1ed3i m\u1ed9t JWT khi chu\u1ed7i m\u00e3 ch\u01b0a h\u1ebft h\u1ea1n, b\u1edfi Server kh\u00f4ng l\u01b0u tr\u1ea1ng th\u00e1i c\u1ee7a token. \u0110\u1ec3 ch\u1eb7n m\u1ed9t JWT \u0111ang ho\u1ea1t \u0111\u1ed9ng, h\u1ec7 th\u1ed1ng th\u01b0\u1eddng ph\u1ea3i x\u00e2y d\u1ef1ng th\u00eam c\u01a1 ch\u1ebf &#8220;Blacklist&#8221; ho\u1eb7c thi\u1ebft l\u1eadp th\u1eddi gian s\u1ed1ng (TTL) th\u1eadt ng\u1eafn, g\u00e2y ph\u1ee9c t\u1ea1p cho ki\u1ebfn tr\u00fac.<\/li>\n<\/ul>\n\n\n\n<h3 id=\"V\u1ec1_hi\u1ec7u_n\u0103ng_v\u00e0_k\u00edch_th\u01b0\u1edbc\"><strong>V\u1ec1 hi\u1ec7u n\u0103ng v\u00e0 k\u00edch th\u01b0\u1edbc<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>JWT:<\/strong> C\u00f3 l\u1ee3i th\u1ebf v\u1ec1 t\u1ed1c \u0111\u1ed9 x\u00e1c th\u1ef1c v\u00ec kh\u00f4ng c\u1ea7n truy v\u1ea5n Database (ti\u1ebft ki\u1ec7m IO). Tuy nhi\u00ean, k\u00edch th\u01b0\u1edbc c\u1ee7a JWT th\u01b0\u1eddng l\u1edbn v\u00e0 s\u1ebd t\u0103ng l\u00ean t\u00f9y thu\u1ed9c v\u00e0o l\u01b0\u1ee3ng th\u00f4ng tin (Claims) \u0111\u01b0\u1ee3c nh\u1ed3i nh\u00e9t b\u00ean trong, g\u00e2y ti\u00eau t\u1ed1n b\u0103ng th\u00f4ng m\u1ea1ng tr\u00ean m\u1ed7i request.<\/li>\n\n\n\n<li><strong>Opaque Token:<\/strong> K\u00edch th\u01b0\u1edbc c\u1ee7a Opaque Token r\u1ea5t nh\u1ecf g\u1ecdn v\u00e0 c\u1ed1 \u0111\u1ecbnh (th\u01b0\u1eddng l\u00e0 m\u1ed9t chu\u1ed7i UUID ng\u1eafn). 
Tuy nhi\u00ean, ph\u01b0\u01a1ng ph\u00e1p n\u00e0y l\u1ea1i t\u1ea1o \u00e1p l\u1ef1c l\u00ean Database v\u00ec m\u1ed7i API Request \u0111\u1ec1u y\u00eau c\u1ea7u m\u1ed9t thao t\u00e1c \u0111\u1ecdc d\u1eef li\u1ec7u (Lookup), g\u00e2y ra \u0111\u1ed9 tr\u1ec5 (latency) nh\u1ea5t \u0111\u1ecbnh so v\u1edbi vi\u1ec7c x\u00e1c th\u1ef1c t\u1ea1i ch\u1ed7.<\/li>\n<\/ul>\n\n\n\n<p><span style=\"text-decoration: underline;\"><em>B\u1ea3ng so s\u00e1nh nhanh:<\/em><\/span><\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-stripes\"><table class=\"has-fixed-layout\"><thead><tr><th><br><p><strong>Ti\u00eau ch\u00ed<\/strong><\/p><\/th><th><br><p><strong>Opaque Token (Reference Token)<\/strong><\/p><\/th><th><br><p><strong>JWT (JSON Web Token)<\/strong><\/p><\/th><\/tr><tr><th><p><strong>C\u01a1 ch\u1ebf<\/strong><\/p><\/th><th>Stateful (C\u00f3 tr\u1ea1ng th\u00e1i &#8211; C\u1ea7n l\u01b0u tr\u1eef)<\/th><th><p>Stateless (Kh\u00f4ng tr\u1ea1ng th\u00e1i &#8211; T\u1ef1 ch\u1ee9a)<\/p><\/th><\/tr><tr><th><br><p><strong>N\u1ed9i dung Token<\/strong><\/p><\/th><th><br><p>Chu\u1ed7i ng\u1eabu nhi\u00ean, v\u00f4 ngh\u0129a v\u1edbi Client<\/p><\/th><th><br><p>Ch\u1ee9a d\u1eef li\u1ec7u JSON (c\u00f3 th\u1ec3 \u0111\u1ecdc \u0111\u01b0\u1ee3c)<\/p><\/th><\/tr><tr><th><br><p><strong>K\u00edch th\u01b0\u1edbc<\/strong><\/p><\/th><th><br><p>Nh\u1ecf g\u1ecdn, c\u1ed1 \u0111\u1ecbnh<\/p><\/th><th><br><p>L\u1edbn, t\u0103ng theo s\u1ed1 l\u01b0\u1ee3ng th\u00f4ng tin<\/p><\/th><\/tr><tr><th><br><p><strong>X\u00e1c th\u1ef1c<\/strong><\/p><\/th><th><br><p>Ch\u1eadm h\u01a1n (C\u1ea7n truy v\u1ea5n DB\/Cache)<\/p><\/th><th><br><p>Nhanh (Ch\u1ec9 c\u1ea7n CPU verify ch\u1eef k\u00fd)<\/p><\/th><\/tr><tr><th><br><p><strong>Thu h\u1ed3i (Revoke)<\/strong><\/p><\/th><th><br><p>D\u1ec5 d\u00e0ng v\u00e0 T\u1ee9c th\u00ec<\/p><\/th><th><br><p>Kh\u00f3 kh\u0103n (C\u1ea7n \u0111\u1ee3i h\u1ebft h\u1ea1n ho\u1eb7c Blacklist)<\/p><\/th><\/tr><tr><th><br><p><strong>Ph\u00f9 
h\u1ee3p cho<\/strong><\/p><\/th><th><br><p>H\u1ec7 th\u1ed1ng b\u1ea3o m\u1eadt cao, Banking, Fintech<\/p><\/th><th><p>Microservices, Single Sign-On (SSO), App quy m\u00f4 l\u1edbn<\/p><\/th><\/tr><\/thead><\/table><\/figure>\n\n\n\n<h2 id=\"Khi_n\u00e0o_b\u1ea1n_n\u00ean_s\u1eed_d\u1ee5ng_Opaque_Token?\"><a id=\"post-120858-_fnlrvqnd4w5r\"><\/a>Khi n\u00e0o b\u1ea1n n\u00ean s\u1eed d\u1ee5ng Opaque Token?<\/h2>\n\n\n\n<h3 id=\"Khi_x\u00e2y_d\u1ef1ng_h\u1ec7_th\u1ed1ng_y\u00eau_c\u1ea7u_b\u1ea3o_m\u1eadt_cao_(Banking,_Fintech,_Healthcare)\"><a id=\"post-120858-_f82ag08amo3k\"><\/a><strong>Khi x\u00e2y d\u1ef1ng h\u1ec7 th\u1ed1ng y\u00eau c\u1ea7u b\u1ea3o m\u1eadt cao (Banking, Fintech, Healthcare)<\/strong><\/h3>\n\n\n\n<p>\u0110\u1ed1i v\u1edbi c\u00e1c \u1ee9ng d\u1ee5ng t\u00e0i ch\u00ednh, ng\u00e2n h\u00e0ng hay y t\u1ebf, vi\u1ec7c l\u1ed9 l\u1ecdt b\u1ea5t k\u1ef3 th\u00f4ng tin n\u00e0o (k\u1ec3 c\u1ea3 User ID hay danh s\u00e1ch quy\u1ec1n h\u1ea1n) c\u0169ng l\u00e0 m\u1ed9t r\u1ee7i ro kh\u00f4ng th\u1ec3 ch\u1ea5p nh\u1eadn. Opaque Token gi\u00fap che gi\u1ea5u ho\u00e0n to\u00e0n c\u1ea5u tr\u00fac d\u1eef li\u1ec7u n\u1ed9i b\u1ed9. 
K\u1ebb t\u1ea5n c\u00f4ng d\u00f9 c\u00f3 l\u1ea5y \u0111\u01b0\u1ee3c token c\u0169ng ch\u1ec9 nh\u1eadn \u0111\u01b0\u1ee3c m\u1ed9t chu\u1ed7i k\u00fd t\u1ef1 v\u00f4 ngh\u0129a, kh\u00f4ng th\u1ec3 khai th\u00e1c hay suy lu\u1eadn ra logic c\u1ee7a h\u1ec7 th\u1ed1ng.<\/p>\n\n\n\n<h3 id=\"Khi_c\u1ea7n_t\u00ednh_n\u0103ng_&#8220;Thu_h\u1ed3i_quy\u1ec1n_truy_c\u1eadp_t\u1ee9c_th\u00ec&#8221;_(Immediate_Revocation)\"><a id=\"post-120858-_5v7m3trcriae\"><\/a><strong>Khi c\u1ea7n t\u00ednh n\u0103ng &#8220;Thu h\u1ed3i quy\u1ec1n truy c\u1eadp t\u1ee9c th\u00ec&#8221; (Immediate Revocation)<\/strong><\/h3>\n\n\n\n<p>N\u1ebfu \u1ee9ng d\u1ee5ng c\u1ee7a b\u1ea1n c\u1ea7n ch\u1ee9c n\u0103ng &#8220;\u0110\u0103ng xu\u1ea5t kh\u1ecfi t\u1ea5t c\u1ea3 c\u00e1c thi\u1ebft b\u1ecb&#8221; (Log out everywhere) ho\u1eb7c Admin c\u1ea7n quy\u1ec1n kh\u00f3a t\u00e0i kho\u1ea3n ng\u01b0\u1eddi d\u00f9ng ngay l\u1eadp t\u1ee9c khi ph\u00e1t hi\u1ec7n gian l\u1eadn, Opaque Token l\u00e0 gi\u1ea3i ph\u00e1p b\u1eaft bu\u1ed9c. Do tr\u1ea1ng th\u00e1i \u0111\u0103ng nh\u1eadp \u0111\u01b0\u1ee3c ki\u1ec3m tra \u1edf m\u1ed7i request, vi\u1ec7c x\u00f3a phi\u00ean l\u00e0m vi\u1ec7c tr\u00ean Server s\u1ebd c\u00f3 hi\u1ec7u l\u1ef1c ngay l\u1eadp t\u1ee9c. 
Trong khi \u0111\u00f3, JWT v\u1eabn s\u1ebd h\u1ee3p l\u1ec7 cho \u0111\u1ebfn khi h\u1ebft h\u1ea1n, khi\u1ebfn vi\u1ec7c thu h\u1ed3i quy\u1ec1n truy c\u1eadp tr\u1edf n\u00ean kh\u00f3 kh\u0103n h\u01a1n nhi\u1ec1u.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"700\" height=\"375\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-5.png\" alt=\"Khi n\u00e0o b\u1ea1n n\u00ean s\u1eed d\u1ee5ng Opaque Token?\" class=\"wp-image-120871\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-5.png 700w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-5-300x161.png 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption class=\"wp-element-caption\"><strong>Khi n\u00e0o b\u1ea1n n\u00ean s\u1eed d\u1ee5ng Opaque Token?<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n<h3 id=\"Khi_d\u1eef_li\u1ec7u_phi\u00ean_l\u00e0m_vi\u1ec7c_(Session_Data)_qu\u00e1_l\u1edbn\"><a id=\"post-120858-_po11fno3ifki\"><\/a><strong>Khi d\u1eef li\u1ec7u phi\u00ean l\u00e0m vi\u1ec7c (Session Data) qu\u00e1 l\u1edbn<\/strong><\/h3>\n\n\n\n<p>Trong c\u00e1c h\u1ec7 th\u1ed1ng doanh nghi\u1ec7p (Enterprise), th\u00f4ng tin v\u1ec1 quy\u1ec1n h\u1ea1n (Roles &amp; Permissions) ho\u1eb7c metadata c\u1ee7a ng\u01b0\u1eddi d\u00f9ng c\u00f3 th\u1ec3 r\u1ea5t ph\u1ee9c t\u1ea1p v\u00e0 dung l\u01b0\u1ee3ng l\u1edbn. N\u1ebfu nh\u1ed3i nh\u00e9t t\u1ea5t c\u1ea3 d\u1eef li\u1ec7u n\u00e0y v\u00e0o JWT, k\u00edch th\u01b0\u1edbc c\u1ee7a g\u00f3i tin s\u1ebd ph\u00ecnh to, g\u00e2y ti\u00eau t\u1ed1n b\u0103ng th\u00f4ng v\u00e0 l\u00e0m ch\u1eadm t\u1ed1c \u0111\u1ed9 t\u1ea3i trang. 
Using a reference token keeps the headers of network requests light and of fixed size, because all of the heavy data is stored safely on the Server.<\/p>\n\n\n\n<h3 id=\"Khi_kh\u00f4ng_mu\u1ed1n_x\u1eed_l\u00fd_logic_m\u00e3_h\u00f3a_ph\u1ee9c_t\u1ea1p_\u1edf_ph\u00eda_Client\"><a id=\"post-120858-_h50ssa6qvvc7\"><\/a><strong>When you do not want to handle complex cryptographic logic on the Client side<\/strong><\/h3>\n\n\n\n<p>Some low-power IoT devices and simple Client applications may not have good support for the cryptographic libraries needed to decode a JWT or verify its signature. Using an Opaque Token reduces the Client's job to a minimum: store the string and send it along, with no need to care about its contents or the encoding and signing algorithm.<\/p>\n\n\n\n<h2 id=\"Opaque_Token_th\u01b0\u1eddng_\u0111\u01b0\u1ee3c_\u1ee9ng_d\u1ee5ng_trong_l\u0129nh_v\u1ef1c_n\u00e0o?\"><a id=\"post-120858-_95jk8wdiz7je\"><\/a>Where are Opaque Tokens typically used?<\/h2>\n\n\n\n<h3 id=\"T\u00e0i_ch\u00ednh_&#8211;_Ng\u00e2n_h\u00e0ng\"><a id=\"post-120858-_auuhimgvwz24\"><\/a><strong>Finance &#8211; Banking<\/strong><\/h3>\n\n\n\n<p>E-wallet apps, Smart Banking apps and online payment gateways constantly face a high risk of financially motivated attacks. Financial institutions therefore need an instant &#8220;Kill Switch&#8221;. When a customer reports a lost phone or the system detects an unusual transaction, the bank must be able to invalidate the login session immediately on the Server side.<\/p>\n\n\n\n<p>The Stateless design of JWT cannot meet this fast-response requirement with absolute safety.<\/p>\n\n\n\n<h3 id=\"Y_t\u1ebf_v\u00e0_ch\u0103m_s\u00f3c_s\u1ee9c_kh\u1ecfe\"><a id=\"post-120858-_dmiafkr4jlim\"><\/a><strong>Medical and healthcare<\/strong><\/h3>\n\n\n\n<p>Electronic medical records (EMR) and patients' personal information are extremely sensitive assets, protected by strict regulations such as HIPAA (US) and GDPR (EU).<\/p>\n\n\n\n<p>Exposing any information (even just a User ID) in a token's payload can violate privacy regulations. 
Using the random string of an Opaque Token ensures that patient data always stays inside a highly secured database and never &#8220;travels&#8221; across the network in an encoded form that could be decoded.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"700\" height=\"375\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-6.png\" alt=\"Where are Opaque Tokens typically used?\" class=\"wp-image-120872\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-6.png 700w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-6-300x161.png 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption class=\"wp-element-caption\"><strong>Where are Opaque Tokens typically used?<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n<h3 id=\"H\u1ec7_th\u1ed1ng_ch\u00ednh_ph\u1ee7_v\u00e0_d\u1ecbch_v\u1ee5_c\u00f4ng\"><a id=\"post-120858-_2cqlputlk2ai\"><\/a><strong>Government systems and public services<\/strong><\/h3>\n\n\n\n<p>National public-service portals, citizen identity systems (National ID) and military databases are frequent targets of large-scale cyber attacks. These systems need to prioritise &#8220;hiding their internal structure&#8221; (Security by Obscurity), as an extra layer on top of the usual controls rather than as the only defence.<\/p>\n\n\n\n<p>An Opaque Token completely hides the internal logic, the authorization model and the structure of User IDs, so an attacker cannot gather intelligence (Reconnaissance) from intercepted packets.<\/p>\n\n\n\n<h3 id=\"H\u1ec7_th\u1ed1ng_qu\u1ea3n_tr\u1ecb_doanh_nghi\u1ec7p_l\u1edbn\"><a id=\"post-120858-_9k6bfz16kj3v\"><\/a><strong>Large enterprise management systems<\/strong><\/h3>\n\n\n\n<p>In multinational corporations, the authorization system is often extremely complex. A senior employee may hold hundreds of different roles (Roles), groups (Groups) and permissions (Permissions). 
Packing this huge permission list into a JWT would push the request past the size limit allowed for HTTP headers and waste bandwidth on every request.<\/p>\n\n\n\n<p>The reference model of Opaque Tokens solves this problem completely by keeping the token small, while all of the complex permission data is still stored in, and quickly retrieved from, Redis or a Database.<\/p>\n\n\n\n<h3 id=\"Thi\u1ebft_b\u1ecb_IoT_(Internet_of_Things)_t\u00e0i_nguy\u00ean_th\u1ea5p\"><a id=\"post-120858-_pxs6l5y8r1pp\"><\/a><strong>Low-resource IoT (Internet of Things) devices<\/strong><\/h3>\n\n\n\n<p>Not every smart device has a powerful processor. Many industrial sensors and wearables have very limited battery capacity and computing power. Having to continuously sign and encode\/decode JWTs consumes significant CPU cycles and battery power.<\/p>\n\n\n\n<p>An Opaque Token is the ideal choice because these devices only need to perform one simple operation, storing and sending a static string, which takes the processing burden off the hardware.<\/p>\n\n\n\n<h2 id=\"C\u00e1ch_tri\u1ec3n_khai_Opaque_Token_trong_th\u1ef1c_t\u1ebf\"><a id=\"post-120858-_7i90i1ailmr8\"><\/a>How Opaque Tokens are deployed in practice<\/h2>\n\n\n\n<h3 id=\"Vai_tr\u00f2_trung_t\u00e2m_c\u1ee7a_OAuth2_Authorization_Server\"><a id=\"post-120858-_djt58icdez58\"><\/a><strong>The central role of the OAuth2 Authorization Server<\/strong><\/h3>\n\n\n\n<p>In this model, the OAuth2 Authorization Server is the &#8220;heart&#8221; of the security system. It is responsible not only for authenticating users but also holds final authority over issuing Opaque Tokens and deciding their fate.<\/p>\n\n\n\n<p>For the system to run smoothly, the Authorization Server must support the <a href=\"https:\/\/oauth.net\/2\/token-introspection\/\" target=\"_blank\" data-type=\"link\" data-id=\"https:\/\/oauth.net\/2\/token-introspection\/\" rel=\"noreferrer noopener nofollow\">RFC 7662 (Token Introspection)<\/a> standard. 
This is the standard protocol that lets APIs (Resource Servers) send the token string back to the authorization server to ask for its current state (active\/inactive) and retrieve the user's metadata. Following this standard makes it easy to integrate with many kinds of Clients and APIs without being locked into any proprietary solution.<\/p>\n\n\n\n<h3 id=\"L\u1ef1a_ch\u1ecdn_n\u1ec1n_t\u1ea3ng_IAM:_Keycloak,_Auth0,_Okta,_AWS_Cognito\"><a id=\"post-120858-_68d3upd36ggj\"><\/a><strong>Choosing an IAM platform: Keycloak, Auth0, Okta, AWS Cognito<\/strong><\/h3>\n\n\n\n<p>Today, instead of writing their own authentication module (which is very risky), businesses usually rely on proven IAM (Identity and Access Management) solutions. Most major platforms support Opaque Tokens:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Keycloak:<\/strong> This leading open-source solution has strong support for the Token Introspection standard. Administrators can configure Keycloak to manage sessions centrally, so revoking access takes effect instantly across the whole system.<\/li>\n\n\n\n<li><strong>Auth0 &amp; Okta:<\/strong> These two SaaS platforms let you define the format of the Access Token. If the API Identifier is configured correctly, Auth0\/Okta return an Opaque Token to third-party applications so that internal information is not exposed.<\/li>\n\n\n\n<li><strong>AWS Cognito:<\/strong> Although Cognito leans towards JWT, it can be combined with API Gateway to achieve an Opaque-Token-like mechanism by checking the user's state in the User Pool before letting the request through.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"700\" height=\"375\" src=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-7.png\" alt=\"How Opaque Tokens are deployed in practice\" class=\"wp-image-120873\" title=\"\" srcset=\"https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-7.png 700w, https:\/\/tino.vn\/blog\/wp-content\/uploads\/2025\/11\/opaque-token-la-gi-7-300x161.png 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption class=\"wp-element-caption\"><strong>How Opaque Tokens are deployed in practice<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n<h3 id=\"L\u01b0u_\u00fd_quan_tr\u1ecdng_khi_thi\u1ebft_k\u1ebf_API_(Resource_Server)\"><a id=\"post-120858-_nnsysnxg2c3d\"><\/a><strong>Important notes when designing the API (Resource Server)<\/strong><\/h3>\n\n\n\n<p>When the API has to work with a <strong>reference token string<\/strong>, the system architecture must address the network latency introduced by the Introspection round trip.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Apply smart caching:<\/strong> To avoid the API calling the Authorization Server on every request, the engineering team should set up a short-lived cache (for example, 30 seconds to 1 minute) at the API Gateway or the Resource Server. Caching the token's validation result takes significant load off the central system while still allowing access to be revoked with an acceptable delay.<\/li>\n\n\n\n<li><strong>Use the API Gateway as a shield:<\/strong> Instead of having each Microservice perform Introspection itself, assign that task to the API Gateway. The Gateway validates the Opaque Token once, then converts the result into a short-lived JWT (Phantom Token) to send into the internal network. 
This way the internal services run as fast as a Stateless design while the external boundary keeps its security.<\/li>\n<\/ul>\n\n\n\n<h3 id=\"Best_practices_b\u1ea3o_m\u1eadt\"><a id=\"post-120858-_bjnyfbb45plo\"><\/a><strong>Security best practices<\/strong><\/h3>\n\n\n\n<p>For Opaque Tokens to really become a solid firewall, the deployment needs to follow these principles:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Require HTTPS\/TLS:<\/strong> Because the token string is the only key to the house, the transport channel must be encrypted. If this string is exposed over plain HTTP, an attacker can steal it and impersonate the user easily.<\/li>\n\n\n\n<li><strong>Set a short lifetime (Short-lived TTL):<\/strong> Even though an Opaque Token can be revoked, a short expiry time (for example, 15-30 minutes) is still necessary. This strategy limits the damage if a token is stolen while the cache has not yet picked up its revoked state.<\/li>\n\n\n\n<li><strong>Principle of least privilege (Least Privilege):<\/strong> When the Authorization Server returns information after the Introspection step, the system should provide only the permissions (Scopes) that the current task really needs, rather than returning the entire user profile unnecessarily.<\/li>\n<\/ul>\n\n\n\n<h3 id=\"K\u1ebft_lu\u1eadn\"><a id=\"post-120858-_92ezdcey99bu\"><\/a><strong>Conclusion<\/strong><\/h3>\n\n\n\n<p>In short, Opaque Tokens are not an outdated technology but a calculated trade-off between convenience and tight security. While JWT shines in scalability and in offloading the server, the Opaque Token is a solid &#8216;firewall&#8217; that gives you complete control over the lifecycle of a login session.<\/p>\n\n\n\n<p>The choice between Opaque Tokens and JWT depends entirely on your system architecture and the sensitivity of the data you handle. 
We hope this article has given you a clear understanding of what an Opaque Token is so you can make the best architectural decision for your project. If you are building a system that requires a high level of security, do not hesitate to try this mechanism today.<\/p>\n\n\n\n<h2 id=\"Nh\u1eefng_c\u00e2u_h\u1ecfi_th\u01b0\u1eddng_g\u1eb7p\"><a id=\"post-120858-_y0tp2wpaa3ju\"><\/a>Frequently asked questions<\/h2>\n\n\n\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h2 id=\"Opaque_Token_c\u00f3_an_to\u00e0n_h\u01a1n_JWT_kh\u00f4ng?\">Are Opaque Tokens more secure than JWT?<\/h2>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>In terms of hiding information, Opaque Tokens are clearly more secure. Because the string contains no data about the user or the system, an attacker cannot decode it to read its contents the way they can with a JWT. However, overall security still depends on how you protect the token store (Database\/Cache) and the transport channel (HTTPS).<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h2 id=\"Vi\u1ec7c_s\u1eed_d\u1ee5ng_Opaque_Token_c\u00f3_l\u00e0m_ch\u1eadm_h\u1ec7_th\u1ed1ng_kh\u00f4ng?\">Does using Opaque Tokens slow the system down?<\/h2>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Yes, but it can be optimised. Because every request forces the Server to look up the session data, this mechanism adds more latency than validating a JWT locally. To compensate, engineers usually use an In-Memory Cache (such as <a href=\"https:\/\/tino.vn\/blog\/so-sanh-memcached-va-redis\/\" target=\"_blank\" data-type=\"post\" data-id=\"15908\" rel=\"noreferrer noopener\">Redis<\/a>) to bring lookup times down to milliseconds.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h2 id=\"T\u00f4i_n\u00ean_l\u01b0u_tr\u1eef_Opaque_Token_\u1edf_\u0111\u00e2u_tr\u00ean_ph\u00eda_Client?\">Where should I store an Opaque Token on the Client side?<\/h2>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>The safest place to store this reference string (and a JWT too) is an HttpOnly Cookie. Storing it in a Cookie with the HttpOnly and Secure flags prevents XSS (Cross-Site Scripting) attacks from stealing the token, which Local Storage cannot do.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h2 id=\"C\u00f3_th\u1ec3_s\u1eed_d\u1ee5ng_Opaque_Token_v\u00e0_JWT_c\u00f9ng_l\u00fac_trong_m\u1ed9t_d\u1ef1_\u00e1n_kh\u00f4ng?\">Can Opaque Tokens and JWT be used together in one project?<\/h2>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Absolutely. This is exactly the &#8220;Phantom Token&#8221; pattern. In this architecture, the Opaque Token is used on the Client side for security and revocability. When a request passes through the API Gateway, the system exchanges the Opaque Token for a JWT to send to the internal Microservices, taking advantage of fast local processing.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h2 id=\"Reference_Token_v\u00e0_Opaque_Token_c\u00f3_ph\u1ea3i_l\u00e0_m\u1ed9t_kh\u00f4ng?\">Are Reference Token and Opaque Token the same thing?<\/h2>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>In most technical contexts, the two terms are used interchangeably. 
Both refer to a token that acts as a reference to data stored on the Server rather than carrying the data itself.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h2 id=\"T\u1ea1i_sao_Opaque_Token_l\u1ea1i_ph\u00f9_h\u1ee3p_v\u1edbi_\u1ee9ng_d\u1ee5ng_Ng\u00e2n_h\u00e0ng\/Fintech?\">Why are Opaque Tokens a good fit for Banking\/Fintech applications?<\/h2>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Banks need absolute control over risk. If an unusual transaction is detected or a phone is lost, the bank needs to revoke access immediately. Opaque Tokens allow this by deleting the session on the Server, which instantly invalidates the token in the wrong hands.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\n","protected":false},"excerpt":{"rendered":"<p>In a modern login system, the token is almost a \u201cpass\u201d that lets users access resources and services. Not every kind of token is the same, however. While JSON Web Token (JWT) is often mentioned as a popular standard, [&hellip;]<\/p>\n","protected":false},"author":23,"featured_media":120875,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5389],"tags":[7458],"class_list":["post-120858","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kien-thuc-tong-hop","tag-opaque-token"],"_links":{"self":[{"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/posts\/120858","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/comments?post=120858"}],"version-history":[{"count":10,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/posts\/120858\/revisions"}],"predecessor-version":[{"id":120876,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/posts\/120858\/revisions\/120876"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/media\/120875"}],"wp:attachment":[{"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/media?parent=120858"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/categories?post=120858"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tino.vn\/blog\/wp-json\/wp\/v2\/tags?post=120858"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}