ASP.NET Core 6 and Authentication Servers

Barry Dorrans

In .NET 3.0 we began shipping IdentityServer4 as part of our template to support the issuing of JWT tokens for SPA and Blazor applications. Sometime after we shipped, the IdentityServer team made an announcement changing the license for future versions of IdentityServer to a reciprocal public license – a license where the code is still open source but if used for commercial purposes then a paid license must be bought. This type of approach is common in the open-source world, where sustaining an income is difficult as your project becomes your full-time work.

Two of the reasons behind the choice to ship IdentityServer were the community’s well-expressed desire that we did not compete with an established open-source project and IdentityServer’s deep knowledge of the identity space. The .NET team are not OAuth and OIDC experts as we focus on providing building blocks for your application and a starting point from which you can be successful. Creating and sustaining an authentication server is a full-time endeavor, and Microsoft already has a team and a product in that area, Azure Active Directory, which allows 500,000 objects for free. The ASP.NET team feels a managed cloud solution remains the best practical option for developers – the security is managed, you don’t store credentials locally with the risks that presents, and new features like passwordless authentication appear seamlessly in your authentication workflow. However, we also realize that a cloud solution can be impossible for some customers due to regulatory or data sovereignty concerns.

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL-licensed version. We continue to think this is the most mature option for creating a self-deployed, locally hosted token service with ASP.NET Core. We will make the licensing requirement clear if you are using a template that includes Duende IdentityServer. The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in a commercial setting if the entity or organization makes more than 1M USD/year. The previous version of IdentityServer will continue to be supported for as long as .NET 5 is supported, until around February 2022.

For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. You will always be free to choose whatever identity system is best for you in production by updating a few lines of code when you’re ready to go live. We’re committed to giving you options for production identity systems now and going forward.

52 comments


  • mahmoud alaskalany 0

    I have a question.

    Now I have used Identity Server in an internal network; my apps do not have access to the internet.

    It’s for an internal government organization.

    Do I have to buy a license for it if I upgraded from .NET Core 3 to 6?

    • Waka 0

      Nope, you’re going to have to license it. Contact Duende and give them $15k.

  • Emmanuel Adebiyi 0

    Nice, clear and fair. 🙌🏽

  • Thomas Levesque 0

    “free for use in commercial settings if the entity or organization makes less than 1 million USD/year”

    Interesting, but where does this information come from? It’s not mentioned on the Duende pricing page, as far as I can tell

    • Waka 0

      Definitely not listed on their site. It’s questionable as I don’t know many companies that would be willing to fork over financials to prove it.

      Honestly, with this behavior, I’ll just pay okta for a more polished solution.

    • Carlos Villegas 0

      It’s in their license document:
      https://duendesoftware.com/license

      But they say “for one year”… I haven’t read the whole document.

  • Waka 0

    I realize they pulled the rug out from under you, but this is pretty weak. You really should just buy them and be done with it. I also realize that’s what they were likely waiting for this whole time, and it’s rewarding bad behavior, but it’s still the best course of action for your users.

  • Vivek D 1

    Ah was expecting Microsoft to have an equivalent of identityserver for .net 6. Agreed Azure active directory authentication and the one from aws are good but just not as mature and flexible as identityserver. Hopefully .net 7 gets something exciting (or Microsoft just buys them out :D)

  • Patrick 0

    Microsoft should either buy them or bury them by making a competing product. This is such an abuse of community trust.

    • Walter Lockhart 0

      I agree, Patrick.

      Microsoft have chosen to use this component as part of their platform. Therefore, Microsoft should pay the licensing fee, or purchase the company, or build their own competing project.

      • yceron 0

        I agree with Patrick and Walter. Also, that announcement was in October, Microsoft had more than enough time to try to figure something out. Waiting for maybe .NET 7 shouldn’t be their answer.

    • Alexey Zimarev 2

      Isn’t it fascinating how people in these comments show complete lack of respect to open source community in general and individual maintainers in particular, expecting them to work for free, supporting your commercial software that you build, being paid, when they do it in their free time, sacrificing all that we live to call “work-life balance”? All this clearly shows how distinct the “OSS community” is in the .NET world.

  • Márk Polák 0

    Sorry guys, maybe I am a bit off, is this somehow connected with .net core Identity, or identity server only?

    • Walter Lockhart 0

      Hi Mark,

      My understanding (please correct me if I’m wrong) is that when you:

      Create a new Blazor WebAssembly project with an authentication mechanism:
      After choosing the Blazor WebAssembly App template in the Create a new ASP.NET Core Web Application dialog, select Change under Authentication.
      Select Individual User Accounts with the Store user accounts in-app option to store users within the app using ASP.NET Core’s Identity system.
      Select the ASP.NET Core hosted check box in the Advanced section.
      (see https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-identity-server?view=aspnetcore-5.0&tabs=visual-studio)

      The following package is added to the Server project:

      Microsoft.AspNetCore.ApiAuthorization.IdentityServer

      In the description of the package it states:
      This package was built from the source code at https://github.com/dotnet/aspnetcore/tree/b7a2ec8c7ed6b48857af0a69688a73e8c14fe6cb

      which includes IdentityServer4:

      https://github.com/dotnet/aspnetcore/blob/52eff90fbcfca39b7eb58baad597df6a99a542b0/src/Identity/ApiAuthorization.IdentityServer/src/Microsoft.AspNetCore.ApiAuthorization.IdentityServer.csproj

      Regards

      Walter

    • Barry Dorrans (Microsoft employee) 0

      IdentityServer only.

      ASP.NET Identity will still be there and covered under the .NET BSD license.

      Sorry the names are confusing.

      • Walter Lockhart 0

        Hi Barry,

        Can you please confirm if I need to pay a license fee in the scenario below?

        Thanks.

        Regards

        Walter

        Create a new Blazor WebAssembly project with an authentication mechanism:

        After choosing the Blazor WebAssembly App template in the Create a new ASP.NET Core Web Application dialog, select Change under Authentication.

        Select Individual User Accounts with the Store user accounts in-app option to store users within the app using ASP.NET Core’s Identity system.

        Select the ASP.NET Core hosted check box in the Advanced section.

        (taken from: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-identity-server?view=aspnetcore-5.0&tabs=visual-studio)

        The following package is added to the Server project:

        Microsoft.AspNetCore.ApiAuthorization.IdentityServer

        • Walter Lockhart 0

          Hi Barry,

          I would really appreciate a confirmation on this. It really impacts applications I have written for clients, applications I’m currently writing for clients, and how I will write applications in the future.

          I anticipate a number of embarrassing conversations with clients this coming Monday morning.

          Regards

          Walter

          • Barry Dorrans (Microsoft employee) 0

            Anything that has Microsoft.AspNetCore.ApiAuthorization.IdentityServer will be affected when it’s updated to Duende Identity Server.

            Current applications will be supported until .NET 5 is out of support, as that’s how long IdentityServer4 will be supported for.

      • Walter Lockhart 0

        Thanks Barry for clarifying.

  • yceron 2

    I think that continuing to ship IdentityServer in your templates is a big mistake. It will be confusing to most people since it’s from a third party and there’s a license fee required for most real scenarios. The only reason I started using Identity Server for my client’s projects was because Microsoft was a project sponsor (or something along those lines, I don’t remember the exact terminology) and I thought that meant that Identity Server would always be available for free or that at least it would eventually get included as part of the .NET platform.

    I was regretting my decision of using and recommending Identity Server a few months before their team announced they were going commercial when they made a code breaking upgrade to the project and didn’t care to provide an upgrade path and just responded with something along the lines of “someone on the community should figure it out”, that response paired with their mostly hostile responses on the project’s forums made me realize I needed to find another solution. Thankfully I found openiddict core and I’m very happy with it.

    By continuing to include IdentityServer in your templates you will frustrate and confuse new developers and in the end I think that hurts the whole .NET platform brand. Microsoft will look like a reseller for Duende IdentityServer. Why not work with Duende Software and figure out a way to license a version of the software that we could use for free? This would solve everyone’s problems: we as customers won’t feel like the rug was pulled from under us, Microsoft doesn’t frustrate/confuse anyone relying on a third-party commercial product and the IdentityServer team makes some money.

    Just providing us with some “maybe” plans for .NET 7 when .NET 6 isn’t even out and we have a real problem today is very worrying. I think I’m not alone when I say that I’m very disappointed.

    • Vivek D 0

      The hostile responses were disappointing especially when someone from their team mentioned something like “you shouldn’t rely on free 3rd party for security” in one of their forums and Microsoft had it in their documentation. Probably something to be aware of when using openiddict as well.

  • Андрій Чебукін 0

    You should have used OpenIddict instead! It is much simpler and powerful… And without such surprises.

  • Alexander Paskhin 0

    I think the “IdentityServer” should be immediately Removed from project templates and .Net extensions due to the violation by team their Open Source Promises.
    There is no guarantee that they will change their licence again and ask to pay more money.
    I think they fooled and use Microsoft to hook customers and now ripe them.
    Microsoft should ask them to pay money for that.
