ASP.NET Core 6 and Authentication Servers

Barry Dorrans

In .NET 3.0 we began shipping IdentityServer4 as part of our template to support the issuing of JWT tokens for SPA and Blazor applications. Sometime after we shipped, the IdentityServer team made an announcement changing the license for future versions of IdentityServer to a reciprocal public license – a license where the code is still open source but if used for commercial purposes then a paid license must be bought. This type of approach is common in the open-source world, where sustaining an income is difficult as your project becomes your full-time work.

Two of the reasons behind the choice to ship IdentityServer were the community’s well-expressed desire that we did not compete with an established open-source project and IdentityServer’s deep knowledge of the identity space. The .NET team are not OAuth and OIDC experts as we focus on providing building blocks for your application and a starting point from which you can be successful. Creating and sustaining an authentication server is a full-time endeavor, and Microsoft already has a team and a product in that area, Azure Active Directory, which allows 500,000 objects for free. The ASP.NET team feels a managed cloud solution remains the best practical option for developers – the security is managed, you don’t store credentials locally with the risks that presents, and new features like passwordless authentication appear seamlessly in your authentication workflow. However, we also realize that a cloud solution can be impossible for some customers due to regulatory or data sovereignty concerns.

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL-licensed version. We continue to think this is the most mature option for creating a self-deployed, locally hosted token service with ASP.NET Core. We will make the licensing requirement clear if you are using a template that includes Duende IdentityServer. The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in a commercial setting if the entity or organization makes more than 1M USD/year. The previous version of IdentityServer will continue to be supported for as long as .NET 5 is supported, until around February 2022.

For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. You will always be free to choose whatever identity system is best for you in production by updating a few lines of code when you’re ready to go live. We’re committed to giving you options for production identity systems now and going forward.

51 comments

  • mahmoud alaskalany

    I have a question.

    Now I have used IdentityServer in an internal network; my apps do not have access to the internet.

    It’s for an internal government organization.

    Do I have to buy a license for it if I upgraded from .NET Core 3 to 6?

    • Waka

      Nope, you’re going to have to license it. Contact Duende and give them $15k.

  • Thomas Levesque

    free for use in commercial settings if the entity or organization makes less than 1 million USD/year

    Interesting, but where does this information come from? It’s not mentioned on the Duende pricing page, as far as I can tell

  • Waka

    I realize they pulled the rug out from under you, but this is pretty weak. You really should just buy them and be done with it. I also realize that’s what they were likely waiting for this whole time, and it’s rewarding bad behavior, but it’s still the best course of action for your users.

  • Vivek D

    Ah was expecting Microsoft to have an equivalent of identityserver for .net 6. Agreed Azure active directory authentication and the one from aws are good but just not as mature and flexible as identityserver. Hopefully .net 7 gets something exciting (or Microsoft just buys them out :D)

  • Patrick

    Microsoft should either buy them or bury them by making a competing product. This is such an abuse of community trust.

    • Walter Lockhart

      I agree, Patrick.

      Microsoft have chosen to use this component as part of their platform. Therefore, Microsoft should pay the licensing fee, or purchase the company, or build their own competing project.

      • yceron

        I agree with Patrick and Walter. Also, that announcement was in October, Microsoft had more than enough time to try to figure something out. Waiting for maybe .NET 7 shouldn’t be their answer.

    • Alexey Zimarev

      Isn’t it fascinating how people in these comments show complete lack of respect to open source community in general and individual maintainers in particular, expecting them to work for free, supporting your commercial software that you build, being paid, when they do it in their free time, sacrificing all that we live to call “work-life balance”? All this clearly shows how distinct the “OSS community” is in the .NET world.

  • Márk Polák

    Sorry guys, maybe I am a bit off, is this somehow connected with .net core Identity, or identity server only?

    • Barry Dorrans (Microsoft employee)

      IdentityServer only.

      ASP.NET Identity will still be there and covered under the .NET BSD license.

      Sorry the names are confusing.

      • Walter Lockhart

        Hi Barry,

        Can you please confirm if I need to pay a license fee in the scenario below?

        Thanks.

        Regards

        Walter

        Create a new Blazor WebAssembly project with an authentication mechanism:

        After choosing the Blazor WebAssembly App template in the Create a new ASP.NET Core Web Application dialog, select Change under Authentication.

        Select Individual User Accounts with the Store user accounts in-app option to store users within the app using ASP.NET Core’s Identity system.

        Select the ASP.NET Core hosted check box in the Advanced section.

        (taken from: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-identity-server?view=aspnetcore-5.0&tabs=visual-studio)

        The following package is added to the Server project:

        Microsoft.AspNetCore.ApiAuthorization.IdentityServer

        • Walter Lockhart

          Hi Barry,

          I would really appreciate a confirmation on this. It really impacts applications I have written for clients, applications I’m currently writing for clients, and how I will write applications in the future.

          I anticipate a number of embarrassing conversations with clients this coming Monday morning.

          Regards

          Walter

          • Barry Dorrans (Microsoft employee)

            Anything that has Microsoft.AspNetCore.ApiAuthorization.IdentityServer will be affected when it’s updated to Duende Identity Server.

            Current applications will be supported until .NET 5 is out of support, as that’s how long IdentityServer4 will be supported for.

  • yceron

    I think that continuing to ship IdentityServer in your templates is a big mistake. It will be confusing to most people since it’s from a third party and there’s a license fee required for most real scenarios. The only reason I started using Identity Server for my client’s projects was because Microsoft was a project sponsor (or something along those lines, I don’t remember the exact terminology) and I thought that meant that Identity Server would always be available for free or that at least it would eventually get included as part of the .NET platform.

    I was regretting my decision of using and recommending Identity Server a few months before their team announced they were going commercial when they made a code breaking upgrade to the project and didn’t care to provide an upgrade path and just responded with something along the lines of “someone on the community should figure it out”, that response paired with their mostly hostile responses on the project’s forums made me realize I needed to find another solution. Thankfully I found openiddict core and I’m very happy with it.

    By continuing to include IdentityServer in your templates you will frustrate and confuse new developers and in the end I think that hurts the whole .NET platform brand. Microsoft will look like a reseller for Duende IdentityServer. Why not work with Duende Software and figure out a way to license a version of the software that we could use for free? This would solve everyone’s problems: we as customers won’t feel like the rug was pulled from under us, Microsoft doesn’t frustrate/confuse anyone relying on a third-party commercial product and the IdentityServer team makes some money.

    Just providing us with some “maybe” plans for .NET 7 when .NET 6 isn’t even out and we have a real problem today is very worrying. I think I’m not alone when I say that I’m very disappointed.

    • Vivek D

      The hostile responses were disappointing especially when someone from their team mentioned something like “you shouldn’t rely on free 3rd party for security” in one of their forums and Microsoft had it in their documentation. Probably something to be aware of when using openiddict as well.

  • Андрій Чебукін

    You should have used OpenIddict instead! It is much simpler and powerful… And without such surprises.

  • Alexander Paskhin

    I think the “IdentityServer” should be immediately Removed from project templates and .Net extensions due to the violation by team their Open Source Promises.
    There is no guarantee that they will change their licence again and ask to pay more money.
    I think they fooled and use Microsoft to hook customers and now ripe them.
    Microsoft should ask them to pay money for that.