ASP.NET Core 6 and Authentication Servers

Barry Dorrans

In .NET 3.0 we began shipping IdentityServer4 as part of our template to support the issuing of JWT tokens for SPA and Blazor applications. Sometime after we shipped, the IdentityServer team made an announcement changing the license for future versions of IdentityServer to a reciprocal public license – a license where the code is still open source but if used for commercial purposes then a paid license must be bought. This type of approach is common in the open-source world, where sustaining an income is difficult as your project becomes your full-time work.

Two of the reasons behind the choice to ship IdentityServer were the community’s well-expressed desire that we did not compete with an established open-source project and IdentityServer’s deep knowledge of the identity space. The .NET team are not OAuth and OIDC experts as we focus on providing building blocks for your application and a starting point from which you can be successful. Creating and sustaining an authentication server is a full-time endeavor, and Microsoft already has a team and a product in that area, Azure Active Directory, which allows 500,000 objects for free. The ASP.NET team feels a managed cloud solution remains the best practical option for developers – the security is managed, you don’t store credentials locally with the risks that presents, and new features like passwordless authentication appear seamlessly in your authentication workflow. However, we also realize that a cloud solution can be impossible for some customers due to regulatory or data sovereignty concerns.

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL-licensed version. We continue to think this is the most mature option for creating a self-deployed, locally hosted token service with ASP.NET Core. We will make the licensing requirement clear if you are using a template that includes Duende IdentityServer. The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in a commercial setting if the entity or organization makes more than 1M USD/year. The previous version of IdentityServer will continue to be supported for as long as .NET 5 is supported, until around February 2022.

For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. You will always be free to choose whatever identity system is best for you in production by updating a few lines of code when you’re ready to go live. We’re committed to giving you options for production identity systems now and going forward.

52 comments


  • Сэр Шурф 0

    Good time for Okta, I believe they will get new customers soon

  • Ty Omidi 1

    I disagree with this. An effective trial to a commercial library should not be included.

  • Nicolas Mahieu 1

    I disagree with this
    And I think it’s a really bad idea to put it in the template

  • Darren Grayson 2

    The problem with this is not the commercialisation of it – I have no quarrel with developers who need to make a living – it’s the size of the gap between free and supported. If I go to my boss and say, “hey, that thing we use is now $500” then I could swing that and I’d imagine half of the Devs commenting here would too. But going to $12k a year in one go, that rings alarm bells. And who’s to say it won’t escalate? The pricing doesn’t seem designed to encourage migration, it smacks of a ‘take it or do a lot of rework’ approach. A typical $1m turnover company isn’t making $1m in software licenses, we’re not all cloud SAAS start-ups.

  • Berik Assylbekov 1

    Actually, Microsoft wanted to implement its own authorization server back in 2018 for the .Net 2.2 Roadmap, but a lot of people buried this idea, saying that IdentityServer should be integrated into templates.

    Every other popular framework (Django, nodejs) has built-in auth modules for REST. And not having one for .Net 7 is the wrong signal for devs, including newcomers.

  • George Gergianakis 1

    Continuing to ship IdentityServer in the default templates is a big mistake. A mistake that rewards bad behaviour/decisions.

  • J. Kramer 1

    First of all: I’m a huge fan of Microsoft (since 1985) and I’m a huge, huge fan of .NET Core / .NET 5+, the last 3 years specially because of Blazor and WASM.

    Although I understand Duende’s decision for the most part, I’m all for developers getting paid for their software, their new licensing terms are for a lot of .NET developers very problematic. I’m using IdentityServer4 for a couple of web apps and when I read the announcement “The Future of IdentityServer” (October 1st 2020) it came as a little bit of a shock, because it’s a big change but I was certain Microsoft would offer a solution in time. I haven’t commented anywhere so far, as I was waiting patiently.

    It’s now May 2021, more than 7 months later and this announcement from Microsoft doesn’t give me a real answer. Instead I’m reading “The .NET team are not OAuth and OIDC experts …”. I’m sorry but I really do not understand these words coming from the biggest(?) software company in the world.

    Authentication & authorization are an essential part of every web app, it’s pretty difficult to get it right and it’s boring, repetitive code for every app you write, and if there’s one thing most important of it, it is that it needs to be updated, stay current as app security is ever changing.

    At the end of the post I’m reading this: “For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet.”

    “For .Net 7”, “investigate” & “if we can”.

    I’m sorry Microsoft. This is certainly not what I expected 7 months after Duende’s announcement. We’re on .NET 5. .NET 6 is planned for November this year.

    The last paragraph of this blogpost worries me and leaves me with more questions on this topic.

  • Ahmed Mohamed Abdel-Razek 0

    Just don’t forget to include the ASP Core Web API template this time.

    And I think IdentityServer should be removed, because most developers, like most people, will just click agree, if for anything, it will be at least because they know and trust the project.

    Also, a tutorial here or on YouTube/MSDN on how to migrate to whatever solution you use would be nice.

  • ChrisTorng . 0

    You said if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. That means this tool will not be production ready, only for development and testing purpose without using internet?

    • Barry Dorrans (Microsoft employee) 0

      Yes, that would be the idea, to develop and test, before deciding on who you want to choose for an OAuth/OIDC provider.

      • Volker 0

        Do I get it correct, that no production-ready OAuth/OIDC solution will be offered with .NET in the future?
        AD/AAD are no real options in several use cases. There still exist systems which are offline or only connected to a small special network, e.g. in manufacturing industry. There each machine needs to have its own identity service provider – and cannot rely on any cloud solution.

        • Barry Dorrans (Microsoft employee) 0

          That’s correct.

  • 利军 朱 0

    It’s very bad to introduce a charging component into the project template, and the free license of identity server is not loose. I hope you don’t do that.
