May 7th, 2021

ASP.NET Core 6 and Authentication Servers

Barry Dorrans
Technical Program Manager (Security)

In .NET 3.0 we began shipping IdentityServer4 as part of our template to support the issuing of JWT tokens for SPA and Blazor applications. Sometime after we shipped, the IdentityServer team made an announcement changing the license for future versions of IdentityServer to a reciprocal public license – a license where the code is still open source but if used for commercial purposes then a paid license must be bought. This type of approach is common in the open-source world, where sustaining an income is difficult as your project becomes your full-time work.

Two of the reasons behind the choice to ship IdentityServer were the community’s well-expressed desire that we not compete with an established open-source project, and IdentityServer’s deep knowledge of the identity space. The .NET team are not OAuth and OIDC experts; we focus on providing building blocks for your application and a starting point from which you can be successful. Creating and sustaining an authentication server is a full-time endeavor, and Microsoft already has a team and a product in that area, Azure Active Directory, which allows 500,000 objects for free. The ASP.NET team feels a managed cloud solution remains the best practical option for developers – the security is managed, you don’t store credentials locally with the risks that presents, and new features like passwordless authentication appear seamlessly in your authentication workflow. However, we also realize that a cloud solution can be impossible for some customers due to regulatory or data sovereignty concerns.

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL licensed version. We continue to think this is the most mature option for creating a self-deployed, locally hosted token service with ASP.NET Core. We will make the licensing requirement clear if you are using a template that includes Duende IdentityServer. The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in a commercial setting if the entity or organization makes more than 1M USD/year. The previous version of IdentityServer will continue to be supported for as long as .NET 5 is supported, until around February 2022.

For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. You will always be free to choose whatever identity system is best for you in production by updating a few lines of code when you’re ready to go live. We’re committed to giving you options for production identity systems now and going forward.

Author

Barry Dorrans
Technical Program Manager (Security)

Barry is the Security TPM for .NET, shepherding fixes for security bugs and vulnerabilities.

52 comments


  • Richard Scott

    Need to keep the messages simple and clear. Ransomware/hacking etc. are making it difficult/high-risk to operate an online business. ASP.NET wants to be the goto solution for web APIs and backing service for mobile applications. Robust and reliable identity, online authentication and secrecy are foundational features and ASP.NET should have at a minimum a clear path forward to provide this functionality with minimum functionality to provide a viable product, otherwise any time, effort and costs...

  • Milan

    Good that the article does not mention "framework" once, since (ASP).NET cannot be considered a complete framework after this announcement.

    We, existing asp.net developers, will have to go along with this decision, but this is a huge setback for otherwise good efforts aimed at attracting new users.

    This decision is a great embarrassment for Microsoft unless this was explicitly agreed with Duende in hopes of increasing usage of Azure AD. This would actually explain the outrageous Duende pricing.

  • Michael Wells

    So now I have to explain to my finance office that we need to pay for something that we did not pay for before. Is this per application, team, site, or at the enterprise level? We already have a corporate endpoint to authenticate (AuthN) using OIDC. How do I exclude binaries that contain the Duende bits?
    Please provide a simple example.

    • Barry Dorrans (Microsoft employee, Author)

      You avoid it by not using one of the templates that includes it. These templates are:

      SPA with Individual Accounts
      WebApi with Individual Accounts
      Blazor WebAssembly with Individual Accounts hosted by ASP.NET

      As you already have an OIDC endpoint it's highly unlikely you're using any of these templates as your starting point.

      You can search for services.AddIdentityServer(); to be sure. Until that line is present we don't add IdentityServer in any form.

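Michael's question about locating the Duende bits and Barry's advice to search for services.AddIdentityServer() amount to a small audit; the bash script below is an added example, not code from the post or from Microsoft, that scans a source tree for the template's registration call and for IdentityServer4 / Duende.IdentityServer package references, exercised against a constructed sample tree.

```bash
# Added example, not code from the post: inventory which projects in a .NET
# source tree pull in IdentityServer, either through the template wiring
# services.AddIdentityServer() or through a package reference to
# IdentityServer4 / Duende.IdentityServer, so you know where the license applies.
set -u
# Print "<path>:<reason>" for every file that brings IdentityServer into a project.
find_identityserver_usage() {
  local root="$1"
  # 1. The template's service registration in C# sources.
  grep -rl --include='*.cs' 'AddIdentityServer(' "$root" 2>/dev/null \
    | sed 's/$/:AddIdentityServer-call/'
  # 2. Package references in project files, old (IdentityServer4) and new (Duende).
  grep -rlE --include='*.csproj' \
    'PackageReference Include="(IdentityServer4|Duende\.IdentityServer)' "$root" 2>/dev/null \
    | sed 's/$/:PackageReference/'
}

# Number of files flagged; 0 means no IdentityServer in the tree.
count_identityserver_usage() {
  find_identityserver_usage "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not a real solution) to exercise the scan:
# "Spa" looks like the SPA-with-Individual-Accounts template, "Api" does not.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/Spa" "$demo_root/Api"
cat > "$demo_root/Spa/Startup.cs" <<'EOF'
public void ConfigureServices(IServiceCollection services)
{
    services.AddIdentityServer();
}
EOF
cat > "$demo_root/Spa/Spa.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Duende.IdentityServer" Version="0.0.0-sample" />
  </ItemGroup>
</Project>
EOF
cat > "$demo_root/Api/Api.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="0.0.0-sample" />
  </ItemGroup>
</Project>
EOF
find_identityserver_usage "$demo_root"
```

Run it against a real checkout by calling find_identityserver_usage with the solution directory instead of the sample tree.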
  • Mil Yan

    Just buy them. This is pathetic, it's an obvious ploy from them for you to buy them. You bought crappy social sites for billions, I am sure you can spare a few million to buy these guys off. Stop embarrassing yourselves by serving as peddlers for commercial 3rd party libraries, giving them preference over others who will now rightfully demand their templates for commercially licensed libraries be included too. Who in the world uses Identity Server...

  • Sebastian Stehle

    Personally I think that Open Source is really broken in many ways. Especially big corporations who make billions of revenue per month and use Open Source without giving back anything at all. I was fighting for a year that my client would allow their developer to contribute to Open Source and it never happened. Therefore I totally respect the decision of the identity server team. It is not their fault, but the problem of the...

  • rickthehat

    It's disappointing no doubt ... I never moved to a third party cloud service b/c they always had a cap on the amount of users (not that I have ever hit them) but it was just one more thing to worry about (among all the other thousands of little cuts you deal with while building software apps, desktop app, mobile apps etc.).

    I like the idea of having my own database of users and NOT GIVING...

    • Barry Dorrans (Microsoft employee, Author)

      There’s OpenIddict which is open source and doesn’t require a commercial license.

      That said it’s my opinion, and I’d always recommend a cloud solution so you don’t have to store your own credentials, as that is a risk should a breach occur. You may feel the benefits outweigh the risks.

      • O. L.

        OpenIddict is not certified by the OpenID Foundation. If I have to switch I’ll choose SimpleIdServer, which is certified for Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP.

  • Jiang

    A disgusting operation that will only lead to more developers boycotting .NET

  • Guy

    “The .NET team are not OAuth and OIDC experts” but Microsoft has Azure Active Directory (AAD). Did AAD require OAuth and OIDC? Did OAuth and OIDC experts from within Microsoft write AAD or did Microsoft outsource that? Can you not share resources within the company?

  • 利军 朱

    It’s very bad to introduce a charging component into the project template, and the free license of identity server is not loose. I hope you don’t do that.

  • ChrisTorng .

    You said you will investigate if you can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. Does that mean this tool will not be production ready, only for development and testing purposes without using the internet?

    • Barry Dorrans (Microsoft employee, Author)

      Yes, that would be the idea, to develop and test, before deciding on who you want to choose for an OAuth/OIDC provider.

      • Volker · Edited

        Do I understand correctly that no production-ready OAuth/OIDC solution will be offered with .NET in the future?
        AD/AAD are no real options in several use cases. There still exist systems which are offline or only connected to a small special network, e.g. in the manufacturing industry. There each machine needs to have its own identity service provider – and cannot rely on any cloud solution.