ASP.NET Core 6 and Authentication Servers

Barry

In .NET 3.0 we began shipping IdentityServer4 as part of our template to support the issuing of JWT tokens for SPA and Blazor applications. Sometime after we shipped, the IdentityServer team made an announcement changing the license for future versions of IdentityServer to a reciprocal public license – a license where the code is still open source but if used for commercial purposes then a paid license must be bought. This type of approach is common in the open-source world, where sustaining an income is difficult as your project becomes your full-time work.

Two of the reasons behind the choice to ship IdentityServer were the community’s well-expressed desire that we did not compete with an established open-source project and IdentityServer’s deep knowledge of the identity space. The .NET team are not OAuth and OIDC experts; we focus on providing building blocks for your application and a starting point from which you can be successful. Creating and sustaining an authentication server is a full-time endeavor, and Microsoft already has a team and a product in that area, Azure Active Directory, which allows 500,000 objects for free. The ASP.NET team feels a managed cloud solution remains the best practical option for developers – the security is managed, you don’t store credentials locally with the risks that presents, and new features like passwordless authentication appear seamlessly in your authentication workflow. However, we also realize that a cloud solution can be impossible for some customers due to regulatory or data sovereignty concerns.

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL-licensed version. We continue to think this is the most mature option for creating a self-deployed, locally hosted token service with ASP.NET Core. We will make the licensing requirement clear if you are using a template that includes Duende IdentityServer. The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in a commercial setting if the entity or organization makes more than 1M USD/year. The previous version of IdentityServer will continue to be supported for as long as .NET 5 is supported, until around February 2022.

For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. You will always be free to choose whatever identity system is best for you in production by updating a few lines of code when you’re ready to go live. We’re committed to giving you options for production identity systems now and going forward.

52 comments


  • Guy

    “The .NET team are not OAuth and OIDC experts” but Microsoft has Azure Active Directory (AAD). Did AAD require OAuth and OIDC? Did OAuth and OIDC experts from within Microsoft write AAD or did Microsoft outsource that? Can you not share resources within the company?

  • Jiang

    A disgusting operation that will only lead to more developers boycotting .NET

  • rickthehat

    It’s disappointing no doubt … I never moved to a third party cloud service b/c they always had a cap on the amount of users (not that I have ever hit them) but it was just one more thing to worry about (among all the other thousands of little cuts you deal with while building software apps, desktop app, mobile apps etc.).

    I like the idea of having my own database of users and NOT GIVING them up to Okta or other third party companies in the sky.

    Are there any alternatives as an option at this point? I believe I read on their new company site that 3.1 will be supported until Nov 2022 but after that, you’ll have to pay.

    • Barry Dorrans (Microsoft employee)

      There’s OpenIddict which is open source and doesn’t require a commercial license.

      That said it’s my opinion, and I’d always recommend a cloud solution so you don’t have to store your own credentials, as that is a risk should a breach occur. You may feel the benefits outweigh the risks.

      • O. L.

        OpenIddict is not certified by the OpenID Foundation. If I have to switch I’ll choose SimpleIdServer, which is certified for Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP.

  • Sebastian Stehle

    Personally I think that Open Source is really broken in many ways. Especially big corporations who make billions of revenue per month and use Open Source without giving back anything at all. I was fighting for a year that my client would allow their developer to contribute to Open Source and it never happened. Therefore I totally respect the decision of the identity server team. It is not their fault, but the problem of the community.

    But the decision that Microsoft made is wrong in my opinion. For a free Open Source project all components should be free as well. If I want to build an Open Source solution based on .NET I cannot go with the identity-server template because I cannot expect my users to buy the license. But building everything by themselves would also be a big mistake. The .Node environment is so successful because there are very great solutions from independent developers which bring innovation to the platform. If Microsoft would just integrate everything it would destroy the platform.

    Why not make the .NET foundation useful? Honestly I have no idea what they are responsible for, but Microsoft makes enough money to support them with a big enough budget to support Open Source projects directly with some funding.

    Give money to the .NET foundation, fund projects and developers and integrate OpenIddict instead of identity server.

  • Mil Yan

    Just buy them. This is pathetic, it’s an obvious ploy from them for you to buy them. You bought crappy social sites for billions, I am sure you can spare a few millions to buy these guys off. Stop embarrassing yourselves by serving as peddlers for commercial 3rd party libraries, giving them preference over others who will now rightfully demand their templates for commercially licensed libraries be included too. Who in the world uses Identity Server for fun so that you keep their templates around for the sake of the “free” version? If they want cash they should attract users like all the other commercial library makers.

  • Michael Wells

    So now I have to explain to my finance office that we need to pay for something that we did not pay for before. Is this per application, team, site, or at the enterprise level? We already have a corporate endpoint to authenticate (AuthN) using OIDC. How do I exclude binaries that contain the Duende bits?
    Please provide a simple example.

    • Barry Dorrans (Microsoft employee)

      You avoid it by not using one of the templates that includes it. These templates are

      SPA with Individual Accounts
      WebApi with Individual Accounts
      Blazor WebAssembly with Individual Accounts hosted by ASP.NET

      As you already have an OIDC endpoint it’s highly unlikely you’re using any of these templates as your starting point.

      You can search for services.AddIdentityServer(); to be sure. Until that line is present we don’t add IdentityServer in any form.
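The check Barry describes above (look for the `services.AddIdentityServer()` registration) can be scripted so it runs over a whole solution tree as part of a dependency or license inventory. The script below is an added example, not code from the post or from the ASP.NET team; it assumes that IdentityServer usage shows up either as that registration call in a `.cs` file or as a `PackageReference` whose id contains `IdentityServer` in a `.csproj` (covering the IdentityServer4, Duende.IdentityServer and Microsoft ApiAuthorization wrapper package ids, none of which are named on the page). The sample project tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inventory a solution tree for IdentityServer usage.
# Assumptions (not stated on the page): usage is visible as a
# services.AddIdentityServer(...) call in C# source, or as a NuGet
# PackageReference whose Include attribute contains "IdentityServer".

# Print each file under $1 that registers IdentityServer or references
# an IdentityServer package. Exit status 0 = nothing found, 1 = hits.
scan_for_identityserver() {
    dir="$1"
    # C# sources containing the registration call (any whitespace before '(').
    regs=$(find "$dir" -type f -name '*.cs' \
        -exec grep -lE 'AddIdentityServer[[:space:]]*\(' {} + 2>/dev/null)
    # Project files referencing a package whose id contains IdentityServer.
    pkgs=$(find "$dir" -type f -name '*.csproj' \
        -exec grep -liE 'PackageReference[^>]*Include="[^"]*IdentityServer' {} + 2>/dev/null)
    for f in $regs; do echo "registration: $f"; done
    for f in $pkgs; do echo "package: $f"; done
    [ -z "$regs" ] && [ -z "$pkgs" ]
}

# Build a constructed sample tree: one project from an "Individual Accounts"
# style template, one API that only validates bearer tokens. Prints its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/SpaApp" "$root/ApiOnly"
    cat > "$root/SpaApp/Startup.cs" <<'EOF'
public void ConfigureServices(IServiceCollection services)
{
    services.AddIdentityServer()
        .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
}
EOF
    # Version is a placeholder, not a real release number.
    cat > "$root/SpaApp/SpaApp.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Duende.IdentityServer" Version="0.0.0" />
  </ItemGroup>
</Project>
EOF
    cat > "$root/ApiOnly/Startup.cs" <<'EOF'
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication("Bearer").AddJwtBearer();
}
EOF
    echo "$root"
}

# Usage: sh scan.sh /path/to/solution  (no argument: nothing runs)
if [ -n "${1:-}" ]; then
    scan_for_identityserver "$1"
fi
```

The exit status makes the script usable as a build gate: a non-zero result in a repository that is supposed to rely on an external OIDC provider flags a template-derived project that still carries the token server.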

  • Milan

    Good that the article does not mention “framework” once, since (ASP).NET cannot be considered a complete framework after this announcement.

    We, existing asp.net developers, will have to go along with this decision, but this is a huge setback for otherwise good efforts aimed at attracting new users.

    This decision is a great embarrassment for Microsoft unless this was explicitly agreed with Duende in hopes to increase usage of Azure AD. This would actually explain outrageous Duende pricing.

  • Richard Scott

    Need to keep the messages simple and clear. Ransomware/hacking etc. are making it difficult/high-risk to operate an online business. ASP.NET wants to be the goto solution for web APIs and backing service for mobile applications. Robust and reliable identity, online authentication and secrecy are foundational features and ASP.NET should have at a minimum a clear path forward to provide this functionality with minimum functionality to provide a viable product, otherwise any time, effort and costs to learn related technologies and develop products are doomed to be concept demonstrators that don’t generate income.

    We don’t have time to go down dead-ends. More than enough work just keeping up with the shifting development environment and tools and delivering solutions to our customers’ needs. I have spent decades doing digital security and encryption… it’s not something people want but are forced to have by the growing list of bad actors stealing others’ productivity. People do want good healthcare software that can push the leading edge in cardiovascular health, hypertension, diabetes, ways to safely communicate without fear they click a web link and bring vital systems to a halt, etc….

    So what is the technical way forward Microsoft? What are the real world costs ISVs must expect to create useful solutions based on C#/.NET?

    Obviously we all need to make a living…. I am just asking for a clear statement on what is/are the ways forward Microsoft says we should use and what are the true costs of the approach?