May 7th, 2021

ASP.NET Core 6 and Authentication Servers

Technical Program Manager (Security)

In .NET 3.0 we began shipping IdentityServer4 as part of our template to support the issuing of JWT tokens for SPA and Blazor applications. Sometime after we shipped, the IdentityServer team made an announcement changing the license for future versions of IdentityServer to a reciprocal public license – a license where the code is still open source but if used for commercial purposes then a paid license must be bought. This type of approach is common in the open-source world, where sustaining an income is difficult as your project becomes your full-time work.

Two of the reasons behind the choice to ship IdentityServer were the community’s well-expressed desire that we not compete with an established open-source project and IdentityServer’s deep knowledge of the identity space. The .NET team are not OAuth and OIDC experts; we focus on providing building blocks for your application and a starting point from which you can be successful. Creating and sustaining an authentication server is a full-time endeavor, and Microsoft already has a team and a product in that area, Azure Active Directory, which allows 500,000 objects for free. The ASP.NET team feels a managed cloud solution remains the best practical option for developers – the security is managed, you don’t store credentials locally with the risks that presents, and new features like passwordless authentication appear seamlessly in your authentication workflow. However, we also realize that a cloud solution can be impossible for some customers due to regulatory or data sovereignty concerns.

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL-licensed version. We continue to think this is the most mature option for creating a self-deployed, locally hosted token service with ASP.NET Core. We will make the licensing requirement clear if you are using a template that includes Duende IdentityServer. The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in a commercial setting if the entity or organization makes more than 1M USD/year. The previous version of IdentityServer will continue to be supported for as long as .NET 5 is supported, until around February 2022.

For .NET 7 we will investigate whether we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. You will always be free to choose whatever identity system is best for you in production by updating a few lines of code when you’re ready to go live. We’re committed to giving you options for production identity systems now and going forward.

Author

Barry Dorrans
Technical Program Manager (Security)

Barry is the Security TPM for .NET, shepherding fixes for security bugs and vulnerabilities.

52 comments

  • Richard Scott

    Need to keep the messages simple and clear. Ransomware/hacking etc. are making it difficult/high-risk to operate an online business. ASP.NET wants to be the goto solution for web APIs and backing service for mobile applications. Robust and reliable identity, online authentication and secrecy are foundational features and ASP.NET should have at a minimum a clear path forward to provide this functionality with minimum functionality to provide a viable product, otherwise any time, effort and costs to learn related technologies and develop products are doomed to be concept demonstrators that don't generate income.

    We don't have time to go down dead-ends. More...
  • Milan

    Good that the article does not mention “framework” once, since (ASP).NET cannot be considered a complete framework after this announcement.

    We, existing asp.net developers, will have to go along with this decision, but this is a huge setback for otherwise good efforts aimed at attracting new users.

    This decision is a great embarrassment for Microsoft unless this was explicitly agreed with Duende in the hope of increasing usage of Azure AD. That would actually explain the outrageous Duende pricing.

  • Michael Wells

    So now I have to explain to my finance office that we need to pay for something that we did not pay for before. Is this per application, team, site, or at the enterprise level? We already have a corporate endpoint to authenticate (AuthN) using OIDC. How do I exclude binaries that contain the Duende bits?
    Please provide a simple example.

    • Barry Dorrans (Microsoft employee, Author)

      You avoid it by not using one of the templates that includes it. These templates are

      SPA with Individual Accounts
      WebApi with Individual Accounts
      Blazor WebAssembly with Individual Accounts hosted by ASP.NET

      As you already have an OIDC endpoint it’s highly unlikely you’re using any of these templates as your starting point.

      You can search for services.AddIdentityServer(); to be sure. Until that line is present we don’t add IdentityServer in any form.
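The check described in the reply above, written out as an added example (this script is not from the post, from Microsoft, or from Duende): it walks a checkout and reports every C# file that calls AddIdentityServer and every .csproj that references a Duende package. The sample project tree it builds is constructed for the demonstration; the package id Duende.IdentityServer is the real NuGet id, the version string is a placeholder, and the assumption that file paths contain no spaces is a simplification of the loop.

```shell
#!/bin/sh
# Added example: audit a source tree for IdentityServer usage.
# Assumptions: registration happens via a call containing "AddIdentityServer"
# (as the post's comment states) and Duende packages appear in .csproj files
# as <PackageReference Include="Duende..."/>. Paths are assumed to have no spaces.

# find_identityserver_usage DIR
# Prints "registration: <file>" and "package: <file>" lines.
# Returns 0 if anything was found, 1 if the tree is clean.
find_identityserver_usage() {
    dir="$1"
    found=1
    # 1) Startup/Program registration call in C# sources
    for f in $(find "$dir" -name '*.cs' 2>/dev/null); do
        if grep -q 'AddIdentityServer' "$f"; then
            echo "registration: $f"
            found=0
        fi
    done
    # 2) Package references to Duende in project files
    for f in $(find "$dir" -name '*.csproj' 2>/dev/null); do
        if grep -qi 'PackageReference[^>]*Include="Duende' "$f"; then
            echo "package: $f"
            found=0
        fi
    done
    return $found
}

# make_sample_tree: builds a constructed two-project tree in a temp directory
# (one project using IdentityServer, one using plain JWT bearer auth) and
# prints its path. Exists only so the example runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/WithIs" "$root/Clean"
    cat > "$root/WithIs/Startup.cs" <<'EOF'
public class Startup {
    public void ConfigureServices(IServiceCollection services) {
        services.AddIdentityServer();
    }
}
EOF
    cat > "$root/WithIs/WithIs.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <!-- version is a placeholder for this constructed sample -->
    <PackageReference Include="Duende.IdentityServer" Version="0.0.0-placeholder" />
  </ItemGroup>
</Project>
EOF
    cat > "$root/Clean/Startup.cs" <<'EOF'
public class Startup {
    public void ConfigureServices(IServiceCollection services) {
        services.AddAuthentication().AddJwtBearer();
    }
}
EOF
    cat > "$root/Clean/Clean.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web"></Project>
EOF
    echo "$root"
}
```

Run it against a real checkout with `find_identityserver_usage /path/to/solution`; a non-zero exit with no output means neither the registration call nor a Duende package reference is present, which is the condition the reply describes. Checking the .csproj files as well as the source catches the case where the call was removed but the package is still pulled into the build output.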

  • Mil Yan

    Just buy them. This is pathetic; it's an obvious ploy from them for you to buy them. You bought crappy social sites for billions, I am sure you can spare a few million to buy these guys off. Stop embarrassing yourselves by serving as peddlers for commercial 3rd-party libraries, giving them preference over others who will now rightfully demand that their templates for commercially licensed libraries be included too. Who in the world uses Identity Server for fun so that you keep their templates around for the sake of the "free" version? If they want cash they should attract users like all...