dotnet/aspnetcore

ASP.NET Core 6 and Authentication Servers Discussion

blowdart opened this issue · 187 comments

In .NET 3.0 we began shipping IdentityServer4 as part of our template to support the issuing of JWT tokens for SPA and Blazor applications. Sometime after we shipped, the IdentityServer team made an announcement changing the license for future versions of IdentityServer to a reciprocal public license – a license where the code is still open source but if used for commercial purposes then a paid license must be bought. This type of approach is common in the open-source world, where sustaining an income is difficult as your project becomes your full-time work.

Two of the reasons behind the choice to ship IdentityServer were the community’s well-expressed desire that we did not compete with an established open-source project and IdentityServer’s deep knowledge of the identity space. The .NET team are not OAuth and OIDC experts as we focus on providing building blocks for your application and a starting point from which you can be successful. Creating and sustaining an authentication server is a full-time endeavor, and Microsoft already has a team and a product in that area, Azure Active Directory, which allows 500,000 objects for free. The ASP.NET team feels a managed cloud solution remains the best practical option for developers – the security is managed, you don’t store credentials locally with the risks that presents, and new features like passwordless authentication appear seamlessly in your authentication workflow. However, we also realize that a cloud solution can be impossible for some customers due to regulatory or data sovereignty concerns.

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL licensed version. We continue to think this is the most mature option for creating a self-deployed, locally hosted token service with ASP.NET Core. We will make the licensing requirement clear if you are using a template that includes Duende IdentityServer. The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in a commercial setting if the entity or organization makes more than 1M USD/year. The previous version of IdentityServer will continue to be supported for as long as .NET 5 is supported, until around February 2022.

For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. You will always be free to choose whatever identity system is best for you in production by updating a few lines of code when you’re ready to go live. We’re committed to giving you options for production identity systems now and going forward.

Linking to previous issues

#32109
#30577
#26489

👀

Ugh, being one of the many that opted to use Identity Server due to its Open Source nature, it just really feels like a bait and switch, especially since the project was included in official templates and used in the official .Net Core documentation. Really wishing I hadn't opted to use it.

and free for use in commercial settings if the entity or organization makes less than 1 million USD/year

Is this true? The wording in their license makes it seem it's only free for one year.

I'm moving my ASP.NET Identity projects to use https://github.com/openiddict/openiddict-core
I'm not a fan of the default project templates using components that have a paid license. The announcement by the IdentityServer team was done in October 2020, I think MS had enough time to replace it by the .NET 6 release.

@DavidZidar they had seen and approved the wording so I presume it's correct.

Clarity could come from @leastprivilege

PeteX commented

Is it not possible for Microsoft to provide some continuity for those of us who used the IdentityServer samples in good faith?

I can understand where the developers are coming from, as I've been in the same position myself. You can find yourself doing a lot of unpaid work maintaining a code base, and it doesn't lead to enough consulting revenue to justify it. At the same time, it seems unfortunate to say the least that people who relied on the ASP.NET samples are now in the position of having to pay a third party for a licence. (That is, once the current edition of IdentityServer becomes EOL.)

All that is really needed in my opinion is for any security issues with the IdentityServer4 series to be addressed, and for it to be ported to future releases of .NET. It's fair enough that if you want new functionality, you might have to use a different package with different licensing terms. I can't imagine that it would be a huge expense for Microsoft to take on the maintenance role for IdentityServer4, and perhaps they could even pay the current developers to do so?

As stated we are not authentication experts; we have no expertise in writing or maintaining an authentication server. We have a team at Microsoft dedicated to that, and they produce AAD. The .NET team will not be writing production ready authentication servers, both because of the cost in that and because in doing so it's likely we'll cannibalize users from existing open source projects, something the community was very vocal in wanting us not to do when the initial discussions around IdentityServer inclusion were started.

We explored options around IS4 with no outcome we felt comfortable with.

Templates are meant as a starting point for you to go forward from, and that going forward should include reviewing what authentication options are safest, and best value for you.

Is this true? The wording in their license makes it seem it's only free for one year.

If your company or organization makes less than 1M USD per year then it's free.

https://duendesoftware.com/specialoffers

I also think it would be better to:

a. remove the sample
b. use openiddict.

Nothing against Duende, but if they are paid they can also create an easy-to-use template themselves; no reason to put effort into maintaining it.

@brockallen Thank you for the clarification. Your license is using the wording "for one year" and it is not explained further which is confusing.

Ugh, being one of the many that opted to use Identity Server due to its Open Source nature, it just really feels like a bait and switch, especially since the project was included in official templates and used in the official .Net Core documentation. Really wishing I hadn't opted to use it.

I think you're conflating "Open Source" with "free". I have several quite popular OSS projects, and I do next to zero work on these for free. If one of my projects dies, it's because no one wants to pay for me to maintain it. I suppose that's a form of bait and switch, but I'm not doing free work for people. If you want these OSS projects to survive/thrive, I suggest you find a way for your place of employment to support these projects financially.

For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet.

I've been searching for a long time for a lightweight .NET solution providing this kind of service. In Node.js land, I'm relying on oauth2-mock-server, which is pretty interesting from an automated test standpoint, especially in the way it allows you to dynamically tweak the auth server behavior.

@blowdart Is there an issue tracking this OIDC dev/test tooling investigation to which I could subscribe?

@brockallen Thank you for the clarification. Your license is using the wording "for one year" and it is not explained further which is confusing.

Sure, then you renew the license and if you're still under 1M/year you can still use it for free. Hope that helps.

@nulltoken Not yet, planning for 7 hasn't even started :)

@schmitch I'm afraid the decision is made. We are sticking with IdentityServer. We won't be removing samples, or switching to OpenIddict. Of course the community is free to make its own templates around OpenIddict if you don't like what they provide.

Community Edition
For small companies or individuals with less than $1M USD in annual revenue, free for fewer than 5 clients.

We are a small company from Argentina, the limit of $1M USD is fine, but "5 clients" 😞
For our own projects we are using Auth0, its free offer suits our needs, but we have small customers that can't afford the costs.

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL licensed version

If you want, but you must warn the user that to use it in production they will need to pay 1500 USD per year. I assume a default template cannot contain a paid solution. And I'm pretty sure I'm far from being alone.

The .NET team will not be writing production ready authentication servers, both because of the cost in that and because in doing so it's likely we'll cannibalize users from existing open source projects

we'll cannibalize users from existing open source projects

What are the other existing Open Source projects you fear cannibalizing? I fear I know none.
The only solutions I found are:

we are not authentication experts, we have no expertise in writing or maintaining an authentication server.

And I agree with you on the fact that it's quite a complex project, since it needs a specific expert to maintain it. That's why they can make you pay 1500 + 300 * UserCount USD per year. Because they know there will not be any other solution for those who have been baited.

What I find funny is that for the JSON serializer you hired the author. So there is a solution...
As for money, you have the ReactUI model that seems to have worked for years.

I think you're conflating "Open Source" with "free".

Maybe, but I remember when I started programming, before .NET Core, before DNX, back in 2010, I read a post about the .NET Framework being open source just because there were a few files on a website. Well, the community did not consider the .NET Framework open source and I still don't. It's free; there are some files published. But it's not open source if you are not really open source.
So why would I consider Duende open source, since there are parts that are closed source and can bring me harm? And I'm not able to fork the project if something happens to the main project... Something has happened to an OSS project; now it's up to the community to find a way to fork and maintain what remains.

I have several quite popular OSS projects, and I do next to zero work on these for free. If one of my projects dies, it's because no one wants to pay for me to maintain it. I suppose that's a form of bait and switch, but I'm not doing free work for people.

Yes, and there are several solutions to get paid. ReactUI has lived for years. And even if they are coupled with MS, as I understand it they are not financed by it, and they use a lot of ways to be financed.
There are also other ways to do things. There is a huge gap between free and 12000 USD per year. 1500 per year alone is more than the VS and Azure/AWS and CI budget on most teams I know (small projects, but it's also the minimum price).

I'm afraid the decision is made.

Sorry, I thought this issue was intended to discuss a subject. Are you saying we are not allowed to talk? I understand the decision was made, but the point of us (at least for me) responding is to make sure you understand that we do not take this lightly, that it's a really important loss, and that we hoped to find a solution together. Personally I don't ask you to make an identity server from scratch or even to support it alone. But there are other solutions like:

  • a partnership with Keycloak (I never used Keycloak, but from what I see it's the only OSS solution supported now).
  • Or make the project a side project with a way to earn enough to pay for the maintenance...
  • Documentation to help us implement a solution for small projects (projects where 1500 USD is actually too much)

One of the reasons why the .NET Framework was not considered open source was not only because not all the files were there, but also because you could not discuss to find other solutions. To me, communication is the point of open source.

Sorry, it was a bit of a long response.

@GeraudFabien When I say the decision is made I mean you are free to discuss it, but discussion will not change the decision. Microsoft has an identity solution in AAD, which is free for up to 500,000 objects, and that's where the specialists are. We in .NET provide frameworks for you to build solutions on.

The community also told us loud and clear we shouldn't write our own because it would crush open source projects, and so we didn't.

IdentityServer gives an f5 runnable scenario which is something the community tells us is important. The licensing for commercial use hopefully makes it a sustainable open-source project too.

The licensing for commercial use hopefully makes it a sustainable open-source project too.

it isn't open source.

IdentityServer gives an f5 runnable scenario which is something the community tells us is important

OpenIddict is too.

The community also told us loud and clear we shouldn't write our own because it would crush open source projects, and so we didn't.

Yes, but you should also not promote the one which is not open source (especially if there are two).

When I say the decision is made I mean you are free to discuss it, but discussion will not change the decision

Uf, that is a clear stance on something as simple as a template, which can easily be transferred to Duende, and they can easily provide a simple way to install them, like dotvvm does (also commercial, at least some parts).

The community also told us loud and clear we shouldn't write our own because it would crush open source projects, and so we didn't.

As I say, that's not what I ask. I just ask for a solution and documentation for smaller projects that can't use this solution. Awesome dotnet doesn't have another solution. So what solution is there to have a server?

And that's also why using it in the template is a bad idea, since the template is also used as the base for small projects.

@schmitch isn't OpenIddict only a client? From my memory it didn't do server.

RPL licensed code is accepted as an open source license.

Of course, the community is also free to fork IdentityServer4 and continue to patch it, but we wouldn't switch to it magically.

As for moving a template to Duende, sure, that's possible, but then you end up with no SPA authentication templates, or web API authentication templates at all, as, like I said, we're not using another server, so your solution would mean no templates until you take a gesture, which makes it hard to discover.

RPL licensed code is accepted as an open source license.

@blowdart

Their license is not the RPL. Their license is:

If you wish to evaluate or use the Duende™ software libraries in a Non-Commercial Manner*, you may download and access the source and/or binaries at no charge under the Reciprocal Public License 1.5 (RPL-1.5)(the “RPL”);

https://opensource.org/osd

  1. No Discrimination Against Persons or Groups
    The license must not discriminate against any person or group of persons.
  2. No Discrimination Against Fields of Endeavor
    The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

@GeraudFabien it's a server, a client would be identitymodel

@GeraudFabien You don't have to use templates which include IdentityServer, unless you need a server, and for most users, a server isn't necessary.

OpenIddict is both client and server should you wish a server free of licensing fees for commercial use.

https://opensource.org/licenses/MS-PL also. Again, all of the project must be under this license to be truly open source, which is not the case, since as far as I understand at least the licensing system will not be open source. So it's not open source.

@schmitch Then you should take that distinction up with OSI and see if they agree.

Ok, thanks. I'll definitely check it later.

Then you should take that distinction up with OSI and see if they agree.

@blowdart they did many times, with the sspl. https://opensource.org/node/1099

The SSPL is not the RPL.

You should direct this line of questioning to Duende.

They do not use the RPL. If I make a project and say "Apache License, but Microsoft needs a Commercial license" it's not the Apache License anymore.

To clarify it, iText is open source, since you can stick to the AGPL even in a commercial manner. The same goes with the RPL, but since they explicitly say "If you wish to evaluate or use the Duende™ software libraries in a Non-Commercial Manner*, you may download and access the source and/or binaries at no charge under the Reciprocal Public License 1.5 (RPL-1.5)(the “RPL”);" they restrict commercial usage, even if you share your commercial program.

In research (especially fundamental science) you do a lot of work for free, not counting endless hours, because you love what you do, in the sense that your goal is to solve the problem at hand rather than getting paid by dropping out of your lab at 5pm. And the system does not pay you, or pays too little.

What @brockallen and @leastprivilege did with IdentityServer, as also evidenced by the quality of their talks, is evidence of the mindset of doing good work before thinking about cash. I understand their choice and can imagine their struggles in deciding to monetize the product sooner or later, and I think they have been through Patreon before. The difficulty they faced, I believe, is the scaling of the product, because IdentityServer does not gather as many donors as Wikipedia, and consulting is paid by the hour and you cannot work more than 24 hours a day, so you are capped anyway.

I understand their choice and wish them good luck. I am not sure, though, that the licensing model is best for them and the community.

Good luck


What would be a better model? Without massive capital, it's not sustainable. Someone has to pay for this time to build a solution for such a complex problem.

The templates are just preset examples to start from. They're not guaranteed to scale up for every scenario for free. Obviously you still have to pay for the servers your code runs on, and it would be the same for any software components used. The IdentityServer team has provided an incredible amount of work to the community over the years and it's completely fair for them to license their products to make sure it's sustainable.

Here are the options I see:

  • If your project is small or open-source then the license is free. If you just want to use it for testing then it's also free. You only have to pay once you get to a certain revenue threshold, which should be enough to support that cost.

  • If you still don't want to deal with the license then there are several other .NET projects like OpenIddict or in other language stacks like Ory.

  • There are also many managed options that are incredibly cheap, scale with usage, and remove the need to manage a server entirely. Are you sure you need your own auth server?

That should cover just about everyone. We really don't need another authentication server project from the MS team because it'll be duplicating work, missing features and taking resources away from other projects. There was serious pushback on this in the last discussion for good reason.

So considering all this, is there a real example of someone running into a license issue that they can't overcome?

@jbogard, it is hard to give a number because I do not know how many paying customers the IdentityServer people have and how much their net income is.
But if I assume (bear with me for my ignorance on the numbers!) that they have 100 customers per year, that gives roughly 250k USD for a mixture of dominantly Starter edition and some Business licenses, less expenses (code maintenance etc). So MS could buy them out with a 5-year return, which means at 1,250,000 USD. Then MS puts it back under the old license, still open source, and streamlines the code and knowledge into Azure AAD including B2C. They would then leverage the massive number of customers in Azure to amortize their investment quickly. For example, I am using Azure B2C and paying for it. If you ask us to pay, say, 50 USD more than the usual B2C bill, per year, then after 25,000 customers like us MS has a return on investment. And 50 USD per year is ok for many.
Every party will win: the founders of IdentityServer (cash in one shot), the community already using IdentityServer who do not want a constraint, and Azure by improving their auth while engaging more with open source.
But I work at neither company! :)

@GeraudFabien You don't have to use templates which include IdentityServer, unless you need a server, and for most users, a server isn't necessary.

OpenIddict is both client and server should you wish a server free of licensing fees for commercial use.

@blowdart, just to understand what you said. I don't think that using a server is synonymous with having IdentityServer in the templates. Correct, or did I miss a few years of code? I think that the following templates do not use IdentityServer and never will:

  • Blazor WASM, hosted, with B2C or AAD
  • Razor Pages with B2C or AAD
  • perhaps others

Correct?

Correct. We may add it to more as an alternative to AAD in, for example, Blazor, but AAD would probably be the first choice.

PeteX commented

@manigandham the licensing issue for us is that we now have to find developer time to remove IdentityServer from our stack. You're right that there are alternatives, and if we were starting from scratch we'd build on one of those, but we're not in that position.

The community also told us loud and clear we shouldn't write our own because it would crush open source projects, and so we didn't.

Linking issues for additional context,

Here's the original ASP.NET Core 2.2 Roadmap.

Authorization Server

One of the largest gaps we’ve had has been around authorization for applications beyond a simple forms based login. We plan to fill that gap with a simple to use OpenID Connect based authorization server, which will allow your ASP.NET application to act as an authentication point for your projects, be they web site to API, SPA to API, native application to an API or, for distributed applications API to API. As we are concentrating on first party applications we can make the code you need to plumb in trivial, getting as close to zero configuration as you can, we’re not aiming to replace the excellent third-party solutions out there which enable richer scenarios like third-party applications or which provide a flexibility in configuration and authentication flow.
aspnet/Announcements#307

...and the feedback from community.
#3265

Yes, but the community was against it because it could kill other community projects. Today there is no community project, so the conversation could be reopened.
IdentityServer was the main argument. Now it's dead, the situation has changed.

poke commented

@GeraudFabien

That's why they can make you pay 1500 + 300 * UserCount USD per year

I think you are misunderstanding the word “client” in the IdentityServer pricing. Client refers to OAuth clients, i.e. an application that is registered with the server and can authenticate the user. I do not believe that there is any kind of user restriction in the Duende licensing, probably because IdSrv doesn’t actually care about users.

1500 by year alone is more than VS and azure/AWS and CI budget on most team i know

That sounds odd considering that VS Professional is already $500 per year per person. An IdentityServer license is probably not as much of an issue as you think it is. And if you have such a small team already, I would suggest you actually rethink whether you even need your own authentication server. Chances are that you shouldn’t roll your own anyway.

But there is other solution like :

  • a partnership with Keycloak (I never used Keycloak, but from what I see it's the only OSS solution supported now).

There is no need for a partnership since there doesn’t actually need to be any kind of connection between these. Just install KeyCloak (or set up any other authentication provider really), and configure it according to their documentation. And then follow the ASP.NET Core documentation and configure OpenID Connect or JwtBearer authentication. That way you can have your app authenticate with almost any other authentication provider, that being IdentityServer, KeyCloak, AAD, Auth0, Google, whatever.

IdentityServer being integrated within ASP.NET Core is a particular detail that is very likely overkill for most people.

  • Document to help us implement a solution for small project (project where 1500 usd is actually too much)

If $1500 is already too much for you, then chances are that the special licensing terms with the Community Edition of IdentityServer would be good enough for you.

Today there is no community project, so the conversation could be reopened. IdentityServer was the main argument. Now it's dead, the situation has changed.

That is just wrong. The other popular alternative OpenIddict was already around during the last discussion, and it is still around now. So you can pick that now, if you are having troubles adopting IdentityServer’s new licensing terms.

But IdentityServer is neither dead nor is it no longer a community project.
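The setup poke describes above (point the app at an existing provider such as Keycloak, AAD or a Duende instance, and configure OpenID Connect or JwtBearer in ASP.NET Core) is what most teams need instead of hosting a token service. The following `Program.cs` is an added example written for this page; it is not code from the thread, from the ASP.NET Core templates, or from any product mentioned here. The authority URL, audience, client id and the `Oidc:ClientSecret` configuration key are placeholder assumptions. It wires two schemes: bearer tokens for API endpoints and an interactive code-flow login (backed by a cookie) for pages, and it pins the validation settings a reviewer would check rather than leaving them at defaults.

```csharp
// Added example (not from the thread or from any project it mentions):
// an ASP.NET Core 6 app that relies on an external OpenID Connect provider
// instead of hosting its own token service. All endpoint and client values
// below are placeholders.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

// Assumed provider settings; in a real deployment read these from configuration.
const string authority = "https://idp.example.com/realms/demo"; // e.g. a Keycloak realm
const string apiAudience = "my-api";                             // the API's registered audience
const string webClientId = "my-web";                             // the web app's registered client

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    // Scheme 1: bearer tokens presented to API endpoints.
    .AddJwtBearer(options =>
    {
        options.Authority = authority;          // discovery document and JWKS are fetched from here
        options.Audience = apiAudience;
        options.RequireHttpsMetadata = true;    // never relax this outside local development
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = authority,            // reject tokens minted by any other issuer
            ValidateAudience = true,            // a token for another API must not be accepted here
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30), // library default is 5 minutes
            // Only accept the signing algorithm the provider is configured to use.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
        };
    })
    // Scheme 2: interactive browser login for Razor Pages / MVC, session kept in a cookie.
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = authority;
        options.ClientId = webClientId;
        // Assumed configuration key; the secret must not live in source control.
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        options.ResponseType = "code";          // authorization code flow, never implicit
        options.UsePkce = true;                 // default in ASP.NET Core 6, stated here on purpose
        options.RequireHttpsMetadata = true;
        options.SaveTokens = false;             // do not persist raw tokens in the cookie
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("email");             // "openid" and "profile" are added by default
        options.TokenValidationParameters.NameClaimType = "preferred_username";
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// API endpoint: only the bearer scheme is consulted, so a browser cookie alone is not enough.
app.MapGet("/api/me", (ClaimsPrincipal user) =>
        new { sub = user.FindFirstValue("sub") })
   .RequireAuthorization(new AuthorizeAttribute
   {
       AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme
   });

// Page endpoint: an unauthenticated request is redirected to the provider's login.
app.MapGet("/", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}")
   .RequireAuthorization(new AuthorizeAttribute
   {
       AuthenticationSchemes = OpenIdConnectDefaults.AuthenticationScheme
   });

app.Run();
```

Two points worth checking when adapting this: the issuer value must match the `iss` claim the provider actually emits (for Keycloak that is the realm URL, for AAD it is tenant-specific), and binding each endpoint to an explicit scheme prevents the common mistake of an API accepting a session cookie, which would expose it to cross-site request forgery.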

@Ponant

So MS could buy them out at with a 5 years return, which means at 1,250,000 USD.

Suggesting that MS should just buy them is a very bad take and would actually hurt the .NET ecosystem very much. The community is already struggling a lot trying to make OSS sustainable. Having Duende succeed here would actually show that we as a community are able to establish sustainable OSS projects. We need more projects like IdentityServer and ImageSharp to normalize paying for the labor of others when companies use it to earn money.

@PeteX

the licensing issue for us is that we now have to find developer time to remove IdentityServer from our stack.

Is the dev time less than the cost of the license? Have you checked if you qualify for the free community license? Do you need to host your own server?

@GeraudFabien

Identity server was the main argument. Now it's dead the situation change.

IdentityServer is not dead, it just requires a commercial license. I already listed several other options. OpenIddict has been mentioned several times in this thread alone, have you tried looking at that yet?

Is the dev time less than the cost of the license?

Or indeed the value of the time spent complaining about it. I've observed a tendency for developers to undervalue their own time.

@poke, I prefer to be more pragmatic. Today you won't make money with software, OSS or not. More pragmatically, libraries or frameworks that you attach to other code, etc. With all my respect, I am convinced this will lead nowhere, and as you point out this seems to be the case, that the community is struggling. Indeed, many among this very same community will not pay for the license, as seen in this thread and elsewhere. So there is no community actually.
My proposal was a first-reaction proposal, and albeit being first-reaction, I do believe it a better way than to "spin off" a company based on a framework. In my opinion it is too late, but again with all my respect to the authors. That is why, in my opinion, a buyout is better. I had to deal with a few company sales and buyouts, and many times it is better to exit and get the cash and turn the page rather than trying to either keep running such that they can at least pay themselves or to surpass their sales expectations with a "new direction", Duende.
But again, I was not aware of this story until I received @blowdart's message in my inbox, and where Brock and Dominick made the decision is not my business unless they need advice, but I believe it is too late now; the company is formed and, well, perhaps it will work for them, and MS is decided. And I hope so, because it always pisses me off to see people work hard and provide good quality while their financial recognition is left behind. But I won't bet on your hope, certainly not.

poke commented

@Ponant

Today you won't make money with software, OSS or not.

Uhm, what? I do earn money by building software. And I utilize a lot of open source libraries as a way to save my own time.

So I am personally very happy to see more maintainers moving to a paid model. This means that it will be easier for me to argue to both my employer and my customers that we should give back money to those maintainers. Simply because there’s no way around it. And it won’t actually be a problem for them, because the time it would cost me to build (=learn, build, maintain, support and document) this from scratch would cost them way more.

@poke, what I meant is that the software business is not the same as it was and it will not improve, especially for old topics. Stuff will get standardized etc., but again that is not the discussion here; it is their problem. For the rest, the buyout would have the same advantage. MS is a mature enterprise and they have hard-working and intelligent coders, and part of this is reflected in their share price. Anyway, let's close this discussion, because I do not think either party (MS or IDSRV) is looking for solutions.

JavaScript is free to you because you pay elsewhere, but the recipient of your money is a behemoth. That is what I was trying to convey, in a nutshell. Perhaps JavaScript should become paid, and so everyone will run out and find alternatives :):). Then C++ will chime in, followed by Rust, etc.

@blowdart, sorry to all if my clarity is supposed to be obvious. But in case others read this, can you confirm that if you have no IdentityServer includes in any of your csproj files you are unaffected by this?

Let's look at the obvious person on the street following instructions on how to add authentication to an app. Let's say they scaffold Identity and/or use Microsoft.Bearer.Jwt. None of these projects are affected by this decision, correct? My confusion stems from the fact that you say:

we have no expertise in writing or maintaining an authentication server. We have a team at Microsoft dedicated to that, and they produce AAD. The .NET team will not be writing production ready authentication servers

I just want to clear it up for everyone and myself that we are not talking of internal authentication and authorisation measures (OWIN, IdentityModel), but a standalone SSO-enabled separate service whose sole responsibility is authentication and not servicing data-consumption API endpoints or Razor Pages or MVC Views and Controllers.

I think there's a lot of confusion about the licensing because of confusing word choice in the Duende announcement, emphasis mine.

This new product will remain open source but will be offered with a dual license (RPL and commercial). The RPL (reciprocal public license) keeps Duende IdentityServer free if you are also doing free open source work. If you are using Duende IdentityServer in a commercial scenario, then a commercial license will be required.

This is confusing because it conflates the idea that a commercial scenario is not open source. Not to put words in their mouths, but what I think they intended to mean is if you are using Duende Identity Server in a commercial product, you must disclose your improvements or derivative work that includes Identity Server as that is specified by the terms of the RPL.

For some background, the RPL is similar to the AGPL in that it has the reciprocal nature of the GPL, but closes the "loophole" that lets people use GPL without distributing their modifications and derivations when hosting the software as opposed to "distributing" it.

However, RPL code CAN be used in a commercial product. Whether a product is commercial or not is orthogonal to whether it's open source or not. Identity Server is an example of this.

The text of the RPL has no commercial restriction, nor could it because it would not fit in the OSI definition as @schmitch noted. Also, TLDRLegal agrees.

The restriction is you can't host modifications or a derivative work of the RPL without releasing the source, which may not be appealing to many commercial projects, but isn't a restriction on commercial use.

If I'm wrong, and Duende is indeed adding an additional commercial use restriction to its RPL license, then they aren't really releasing it under the RPL and would not fit the Open Source Definition. In particular clause 6 which states:

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

And clause 7.

The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.

An additional commercial restriction would violate 6 and prevent licensors from 7.

@Wayne-Mather if you don't have identity server in any of your projects you are unaffected. If you're just using the JWT middleware you're unaffected. If you just use ASP.NET Identity for forms based auth you're unaffected. If you use AAD/organizational auth you are unaffected.

It only comes into play in .NET 5 templates when you choose individual authentication in SPA projects (ASP.NET Core with React.js, ASP.Net Core with Angular) or a Blazor WebAssembly app where you choose individual authentication and asp.net hosted.

Only projects you create that have the Microsoft.AspNetCore.ApiAuthorization.Identity package in them will be affected, or of course any you add IdentityServer to yourself.
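The inventory check this answer implies, as an added example (not code from the thread or from the ASP.NET Core repository): it parses each .csproj and flags only the package references listed above as pulling IdentityServer in, leaving JWT-bearer-only and ASP.NET-Identity-only projects alone. The published package id `Microsoft.AspNetCore.ApiAuthorization.IdentityServer`, the sub-package matching and the sample project files are assumptions/constructed, not taken from the thread.

```python
"""Inventory check: which .csproj files reference the packages that pull IdentityServer in.

Added example, not code from the thread or from the ASP.NET Core repository. It encodes
the rule stated above: a project is affected only if it references the template's
ApiAuthorization package or an IdentityServer package directly. Projects that only use
the JWT bearer middleware or ASP.NET Identity are left alone.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional

# Package id prefixes (NuGet ids are case-insensitive) and what a match means.
# "microsoft.aspnetcore.apiauthorization" covers the id as written in the comment
# above and the published Microsoft.AspNetCore.ApiAuthorization.IdentityServer package.
AFFECTED_PREFIXES: Dict[str, str] = {
    "microsoft.aspnetcore.apiauthorization":
        "SPA/Blazor 'Individual accounts' template package that embeds IdentityServer",
    "identityserver4":
        "IdentityServer4 (Apache-2.0; supported only until .NET 5 end of life)",
    "duende.identityserver":
        "Duende IdentityServer (RPL / commercial dual license)",
}


def classify(package_id: str) -> Optional[str]:
    """Return why a package id matters, or None if it is not an IdentityServer package."""
    lowered = package_id.strip().lower()
    for prefix, reason in AFFECTED_PREFIXES.items():
        # Match the package itself or a sub-package such as IdentityServer4.EntityFramework.
        if lowered == prefix or lowered.startswith(prefix + "."):
            return reason
    return None


def package_references(csproj_xml: str) -> List[str]:
    """All PackageReference ids in one csproj, SDK-style or legacy MSBuild."""
    root = ET.fromstring(csproj_xml)
    ids: List[str] = []
    for elem in root.iter():
        # Legacy projects carry an MSBuild xmlns, so strip any "{namespace}" prefix.
        if elem.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        pkg = elem.get("Include") or elem.get("Update")
        if pkg:
            ids.append(pkg.strip())
    return ids


def find_identityserver_references(csproj_xml: str) -> Dict[str, str]:
    """Map each affected package id in the project to the reason it is flagged."""
    hits: Dict[str, str] = {}
    for pkg in package_references(csproj_xml):
        reason = classify(pkg)
        if reason is not None:
            hits[pkg] = reason
    return hits


def scan_directory(root: Path) -> Dict[Path, Dict[str, str]]:
    """Scan every .csproj under root; only projects with at least one hit are returned."""
    results: Dict[Path, Dict[str, str]] = {}
    for csproj in sorted(root.rglob("*.csproj")):
        try:
            text = csproj.read_text(encoding="utf-8-sig")  # tolerate a BOM
            hits = find_identityserver_references(text)
        except (OSError, ET.ParseError) as exc:
            print(f"skipping {csproj}: {exc}")
            continue
        if hits:
            results[csproj] = hits
    return results


# Constructed sample projects (not taken from any real repository).
SPA_TEMPLATE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net5.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.ApiAuthorization.IdentityServer" Version="5.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="5.0.0" />
  </ItemGroup>
</Project>"""

JWT_API_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="5.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="5.0.0" />
  </ItemGroup>
</Project>"""

LEGACY_IS4_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="IdentityServer4"><Version>4.1.2</Version></PackageReference>
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, xml in [("spa-template", SPA_TEMPLATE_CSPROJ),
                      ("jwt-api", JWT_API_CSPROJ), ("legacy-is4", LEGACY_IS4_CSPROJ)]:
        print(name, "->", find_identityserver_references(xml) or "unaffected")
```

Point `scan_directory(Path("."))` at a solution root to get the per-project list; a project that references IdentityServer only transitively through another project will not show up, so check the referencing project too.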

@blowdart Understand, and also which package also includes those dependencies.

However, you say .NET 5, but I think you mean .NET 5 and earlier? SPA templates were introduced on the old v2 train I believe?

I guess the .NET 5 to .NET 6 upgrade document will contain the required information as I understand the SPA templates are getting an overhaul (may even be available in current preview).

Thank you for confirming my suspicions and making it clearer to any one else following this thread.

Ah yes, true. OK, in 3.1 templates it's SPA with individual auth. In 5 we added Blazor server side, asp.net hosted.

it just requires a commercial license. I already listed several other options if you don't want to use it. OpenIddict has been mentioned several times in this thread alone, have you tried looking at that yet?

You don't have to use templates which include IdentityServer, unless you need a server

I said before that I will look at it. But the fact that the team prefers to still use IdentityServer inside the template instead of OpenIddict even after IdentityServer "died" shows what they think about it.
I really don't understand the idea behind using IdentityServer in the template if OpenIddict is a solution. And I really think I'm not alone.

A template contains what's needed for the most basic application. Why don't they use the OpenIddict server if it's better suited for small projects?

I think you are misunderstanding the word “client” in the IdentityServer pricing.

Have you tried microservices lately? Unless I was doing it wrongly, all my server consumers were clients. I agree with you on the fact that I used the wrong term; by user I mean server. I don't check my messages enough. I tried to answer quickly, sorry.

That sounds odd considering that VS Professional is already $500 per year per person

Yes, so there is still $1000 to spend on CI per year. Last time I checked, 200 is more than enough and the remaining $800 covers the guy to configure it and eventual problems or overuse.

There is no need for a partnership since there doesn’t actually need to be any kind of connection between these.

It was an example to picture a different way of thinking than the one exposed in the current thread. I didn't think it was a great idea either. And by partnership I mean making it clear in the docs and using them in the template.

If $1500 is already too much for you, then chances are that the special licensing terms with the Community Edition of IdentityServer would be good enough for you.

I work on very small projects in a big enterprise...
It's very complex for us to use a project even if the cost was $1, because we make it but we don't necessarily run it. It changes the terms with the client, and it's hard to sell. In fact the price is not the problem; it's the fact that it is a recurring one that is. If the price was paid once and the client had nothing to do, we could do it. But we can't have anything in our dev that asks for a licensing server or recurrent pricing, whatever the price is. We tried once, and it was a nightmare.

https://devblogs.microsoft.com/aspnet/asp-net-core-6-and-authentication-servers/comment-page-2/#comment-3277

So I am personally very happy to see more maintainers moving to a paid model. This means that it will be easier for me to argue to both my employer and my customers that we should give back money to those maintainers. Simply because there's no way around it. And it won't actually be a problem for them because the time it would cost me to build (=learn, build, maintain, support and documentation) this from scratch would cost them way more.

When you use a paid solution you have to adapt your whole environment to manage licensing (track licensing, open your network to the licensing server, adapt the contract with your client and potentially the client of the client, ...). The solution you paid for can die, and since the license locks you from making modifications, if you have a lot of projects that depend on this you will lose a lot. With free open source you gain the license but also gain the ability to depend on the solution without care. That's why I look for MIT or Apache-2.0 solutions. Eventually I use BSD and GPL-2 when I can't find a better solution. But all other solutions are a no go to me and I prefer to remake than use them. Firstly because I'm not a lawyer and a lot are really hard to understand. But also because the potential impacts are hard to anticipate.
I believe your employer will prefer to pay 10 times more and be sure that he has control over the life of the solution and the impact of the license.

Also I want to say that a lot of you said that the team didn't earn a penny for IdentityServer. They used to have some paid "plugins" (I don't think it's the right term) to connect to Active Directory and for SAML... And offer some paid support for big customers. They earn $9,000 per year for each without counting support and plugins.
They never even tried solutions like ReactUI does. If in a few days ReactUI said they stop the free solution I would understand.

poke commented

I believe your employer will prefer to pay 10 times more and be sure that he has control over the life of the solution and the impact of the license.

Absolutely not.

A publicly vetted solution will always win over a self-made attempt in an authentication context. If you believe otherwise, then you are heavily underestimating the complexity involved with authentication.
And having a commercial option here is even preferred because you get commercial support for it. That's usually a very valuable benefit, especially to larger businesses.

But we can't have anything in our dev that asks for a licensing server or recurrent pricing, whatever the price is. We tried once, and it was a nightmare.

Then good luck considering everything is already moving to subscription models…

They earn $9,000 per year for each without counting support and plugins.

I don't understand. Are you arguing that this is… a lot?! Because it is really low, considering the work that goes into the project. And that money came only from donations, from 75 entities. Great.

But sure, continue benefitting from others' work in your big enterprise, and keep on complaining once they ask for anything back.

open your network to the licensing server

Duende IdentityServer does not use a licensing server, nor does it disable your application in any way if you are violating the license.

They used to have some paid "plugins" (I don't think it's the right term) to connect to Active Directory and for SAML... And offer some paid support for big customers. They earn $9,000 per year for each without counting support and plugins.

Those plugins are not from Duende -- they are from a different company and are not produced or sold by us.

@GeraudFabien

IdentityServer is a valuable project. It's ridiculous to say they can't charge, or earn enough, or demand that Microsoft acquire them to give it away. Multiple alternatives have been suggested if you need to switch though, or you could try contacting the Duende team and work out a deal.

I understand changes are difficult but if your "big enterprise" can't pay, won't deal with client billing, or just wants free software then that's something you need to discuss within your own organization, not the community. None of us here can help with that and it doesn't really seem relevant to project templates anymore.

Re this issue: Perhaps we can resolve this with some community templates or blog posts on how to set up and migrate to OpenIddict for those that need it.

It does not help to take on a passionate and condescending tone to whoever is expressing an opinion which does not fit yours (whoever you are), whether here or on Twitter.
@blowdart , are you looking for feedback, and if so what kind?
Good day to all

@Ponant Well, like I said, the decision is made here for 6. We're reading the reactions, but the decision won't change.

When we start to plan for 7 we'll ask for feedback on the concept and implementation of a development/test server.

After reading this thread, there seems to be a few different complaints here:

  1. People saying that IdentityServer switching to a different license equals bait and switch

I find this perspective a bit odd. Apache license (which IS4 uses) states that there is no implicit warranty provided to the consumers of the software:

https://github.com/IdentityServer/IdentityServer4/blob/3ff3b46698f48f164ab1b54d124125d63439f9d0/LICENSE#L143-L151

You were never entitled to free support to begin with. IdentityServer switching to a more sustainable license is not a sign of maintainers reneging on their (non-existing) commitment.

A better way to look at it is there were very likely two options: IdentityServer ceasing to exist altogether -or- continuing to exist under a different licensing model. Sure, the project may have started out of passion and drive to create something great, but it has been around for many years and passion doesn't really pay the bills. You can't blame someone for no longer wanting to do something under the same conditions as before for enacting "bait and switch" tactics. People get bored, burnt out, and--as mentioned earlier--nobody is under any obligation to anyone. If you really dislike the move to a new license, then pretend the project stopped at IS4 with no new versions coming out. There are companies sitting on .NET 3.5 in production, using software from 10 years ago, relying on packages that haven't been updated in years -- I really have a hard time believing that this would be an issue.

Note, IS is not the only software that's licensed under RPL. NServiceBus, which your company is very likely using too, is RPL as well.

  2. People saying that IdentityServer should not be included in the default templates

I don't think that a piece of software is required to be licensed under an FSF-approved license to be included in a template. Azure services, which are included in many .NET templates, are not free and are not even open source.

Including a template using OpenIddict, on the other hand, could be a good idea. No reason to replace one with another; having multiple options is better. I don't know if the templates themselves are open source, but if they are then maybe someone can submit a PR to add one that relies on OpenIddict.

I'm going to state the obvious since nobody seems to do it:

Microsoft does not need to ship every thing.

They don't need to ship IdentityServer or any other OpenID Connect OSS solution which is out of their own hands.

Just ship your own templates.

It's not that hard. You develop your own shit and you ship your own templates for it.

Others make their own shit and they will ship the templates for it.

The community decides which projects they like and will promote it amongst themselves. Some will go with IdentityServer, some will go with something else, some will roll their own. Why the fuck does Microsoft care?

They only care because they want to be in control, and it really starts to piss me off.

Nobody will feel "bait and switched" if they actively download the IdentityServer templates themselves and use them.

Microsoft doesn't have to write documentation and official guides on how to use a third party library which is out of their own hands. Just let the OSS community do their own thing. Don't get involved. What is so goddamn hard to understand about this?

EDIT:

Of course, in case people don't get it yet, this is just step one in a 3 step approach for Microsoft to justify writing their own Identity Server competitor and then drop it on the community with .NET 7/8 and then point their finger at "discussions" like these in order to not look like absolute dicks. Otherwise what's the point of starting a discussion for something which cannot be discussed anymore because it's set in stone anyway.

@blowdart: "@schmitch I'm afraid the decision is made. We are sticking with IdentityServer. We won't be removing samples, or switching to OpenIddict. Of course the community is free to make its own templates around OpenIddict if you don't like what they provide."

If I'm correct, this is the first official statement from Microsoft about the future of IdentityServer & Microsoft since Duende's announcement 7 months ago. So I ask myself: "I'm afraid the decision is made" is based on what input since then?

Reading over the comments and seeing the Microsoft point of view it really doesn't make sense for M$ to create an open source competitor to their subscription based authentication product. The templates are more of a quick start and it's nice that they don't make you use the subscription based product to try them out so not taking the time to find a different solution makes sense so long as they are very explicit about the license having changed and it being out of their control.

On the IdentityServer side I guess it still works and is supported. Nothing is stopping the community from forking the current version either now or when it comes close to its EOL, which would be nice to see.

A statement of the obvious @dustinmoris is that your vehement logic excludes Microsoft from the community. Your paragraph which concludes with the question why Microsoft cares is flawed because Microsoft's people are part of the community. As part of the community, they did promote another community project, just like you suggested. They did because people asked for it and because it complemented their AAD cloud offering. Otherwise, I agree that they do not need to include everything. One reason being it gets hard to maintain. A second reason being any reason you can think of, but there is no need to always see the "obvious" evil. On the contrary, I often find it offending to see members of the "community" popping up in issues like children and asking MS to fix this and that in an aggressive and threatening way, as if MS is at their service. This, too, must stop, right?
A bon entendeur, salut ("a word to the wise is enough"). (Send a token to OpenIddict for a proper translation, because I did not succeed.)

Nah, Microsoft is the dictator of .NET. They control it, they run it, they develop it and they make 100% of all decisions (rightly so, it's their product after all). Community projects are the only thing left which a community can manage themselves, and Microsoft trying to control that as well is an act of aggression. Microsoft has been trying to control the .NET OSS community on every level and it starts to feel extremely unhealthy. Someone at Microsoft who drives these efforts has a real problem. It's like an aggressive partner trying to control their wife/husband in an unhealthy relationship. Take the .NET maturity ladder for an example. It's just an absolutely sick idea for Microsoft to try to control every little bit around a community which should be free to do what they want and let things grow and mature organically. Community OSS projects should grow and get promoted organically through the community and not by a dictator.

This whole saga has likely been super cringe to people observing from other FOSS communities.

An issue the .Net FOSS ecosystem has in general, that's a huge turnoff to those who would otherwise be excited about the possibilities of FOSS .Net, is that there is still a hold-out culture of trying to carve out parts of the ecosystem and sell it back to the community. I'm not passing judgement on any individuals trying to get paid. But as long as the community doesn't have serious contributions from sources that are using the bits to build higher-level products and services, instead of from those trying to sell framework code, the FOSS ecosystem is going to seem very unhealthy.

This is a community project led by Microsoft? So Microsoft is part of the community. The separation created between Microsoft "having made its decision" and "the community can do what they want" is weird. The community has a shared interest in promoting the use of ASP.NET, increasing contributions, and maturing the ecosystem.

To that end I think the community has a right to be concerned about what's in the getting started templates. A hosted Blazor WASM app can be configured in such a way as to not require an identity server. The inclusion of IdentityServer in the templates AND documentation (with broken links last I checked) causes no end of confusion to people trying to get going with ASP.NET. This comment makes it seem like a crutch that's being leaned on instead of providing better identity documentation.

With that said, the decision not to revamp the templates smells funny. Identity server is no longer going to be FOSS. This is a FOSS project, right? The issue section shouldn't be filled with discussions on the finer points of the new license, the pricing, or people trying to drum up clients by running pre-sales support.

Duende's product (IdentityServer5) must not be included in default .Net templates. Having Microsoft products included (like Azure) makes sense as Microsoft is the professional maintainer of the template (and .Net in general), but Duende's paid product (with an extremely limited community licence; imagine that Visual Studio Community were limited to 4 apps!) has no right nor reason to be in.

Either you keep IdentityServer4 in the template (the EOL isn't clear, some say February, others October; in and out it's in a year, so many things can change before that, like a community fork), or you put in another one (like OrchardCore.OpenID based on OpenIddict), or you just drop it and leave only Azure. Each choice has its cons, but they make sense. Including Duende's product in the .Net 6 template makes none.

I fully respect the maintainers' decision to make a business, but they left the FOSS .Net community and Microsoft must acknowledge their decision and act upon it. Ignoring that is disrespectful of your community @blowdart.

I agree with the sentiment that it is the choice of a maintainer to start charging for their software, but I don't think that this library should be integrated in the default template or the default setup experience when there is a need for an additional license.
My expectation is that they give me a jump start from which I can develop a project. If I have to start worrying about having to buy additional licenses when starting a project from there, that kinda defeats the purpose. Yes, I know that there is a community license. But for example I write software for customers and I don't know their financial numbers, nor could I monitor if they at any given point are over that limit.

This is not just going to go away. This library has almost 5 million downloads, and god knows how many implementations in the wild, and most of the code using this is not high end corporate. This is a real problem, and MS dropped the ball here. If something is part of .NET Foundation, then it needs to be available. Let me quote "The .NET Foundation is an independent, non-profit organization established to support an innovative, commercially friendly, open-source ecosystem around the .NET platform." RPL is not open source, at least not in the MIT/Apache kind of way; it's a reduced GPL3 type of situation.

To reiterate what I said in the other issue, MS should just buy Duende, provide developers with a source of revenue (salary) and bring IS back to the stated .NET Foundation mission. OAuth is a key piece of internet security infrastructure today and if there has ever been a more glaring "this is a feature, not a product", this is it. I see no problem with "community's well-expressed desire that we did not compete with an established open-source project" as long as the license is permissive; it's just a weak excuse.

@the-black-wolf To reiterate what I said on the other issue - that just promotes subsidising OSS and developers continuing the sense of entitlement that they should get stuff for free, while at the same time charge for the work they do. Btw, Open Source is Open Source. Don't confuse that with Free, which is different.

If something is part of .NET Foundation, then it needs to be available.

As I understand it IdentityServer is still part of the .NET Foundation and IdentityServer/IdentityServer4 remains under the Apache-2.0 License.

There is another product/fork which is DuendeSoftware/IdentityServer which starts at version 5 and the team who made IdentityServer4 have moved on to and has a more restrictive licence; but any one who was part of those 4 million downloads can happily fork IdentityServer4 and make their own updated permissive licenced version.

Might have also been easier; as a community (including companies), to sponsor the creators of IdentityServer4 to incentivize them enough to continue working on a very useful free product; but we didn't so we are where we are.

@brockallen we are a small company that has an application with more than 5 small modules (clients) of identityserver. As I see the license of Duende?

@borisgr04 Please contact us directly and we can discuss.

https://duendesoftware.com/contact

@the-black-wolf To reiterate what I said on the other issue - that just promotes subsidising OSS and developers continuing the sense of entitlement that they should get stuff for free, while at the same time charge for the work they do. Btw, Open Source is Open Source. Don't confuse that with Free, which is different.

I don't understand, do you believe that the Linux kernel project is not subsidized? That all people working there work for free? Let's not be naive here, FOSS leans heavily on donorship and subsidizing both in cash and in labor, mixed with goodwill from developers and maintainers, especially in feature-not-product scenarios. Yes, there is a difference between OSS and FOSS, but that is my point exactly, .NET Foundation should be FOSS. We are not talking about some perks and visual bells and whistles, again, this is a CORE INFRASTRUCTURE COMPONENT of modern application development, it has no business being in 3rd party hands with a non-free license, reachable only to high income companies or forcing smaller ones to expose trade secrets as a way to symbolically "maintain" faux-FOSS legacy. This is especially compounded by the fact IS itself is not a lone island, it has been built on the effort of others whose libraries it itself uses. Should they also charge licenses? Should MS charge licenses for all assemblies in System.Net, or in System.Data, etc? Should my end delivery contain dozens of paid license unlock files? If we go that route at which point should devs just say, well to hell with this, there is also MITREid and the Java ecosystem which doesn't suffer from MS's and newfound OSS advocates' EEE vision of what (F)OSS is? There should be no forces gravitating away from the .net foundation mission, it's not good for anyone, especially people believing OSS is a potential goldmine.

And, you keep trying to make this sound like I want to keep IS devs in indentured service so I could get stuff for free, and it's a strawman. They absolutely should be rewarded in any solution, especially given their importance, people just need to have realistic expectations. If I were a MS exec, this would be a no brainer, there are people working in MS Redmond as senior devs for 200k+ and these two are very skilled experts who invested considerable time to hone themselves to this level; buying their company, investing in people and getting them onboard would be my first reaction to them being forced by market forces to incorporate to secure personal income. As long as the license is permissive and code independently buildable, NOBODY in OSS will complain. Hell, the whole .net core is owned by MS, we still use it and are thankful for it.

Other people keep insisting IS4 could be forked because it's Apache licensed. Yes, yes it can, but it's a bad solution. First, few people are as skilled as its authors, it would take considerable effort and time to train or have a new crew train itself to the level of being able to maintain it, which would then lead them to the same predicament of securing an income for a lot of effort needed, forcing them as well onto a desperate decision path. And worst of all, it will further degrade the revenue potential of Duende and punish the IS authors (which is, again, NOT what I am suggesting).

Hell, if MS is squeamish about actually owning Duende as subsidy, or Duende being hell bent on staying independent and dealing with bureaucracy and bookkeeping, I am sure there is a sponsorship figure which Duende will accept in exchange for returning to Apache license. When there is a will, there is a way, this lack of understanding should have never reached us.

Microsoft has its own authentication solution with a better free plan than what Duende proposes with IS5. It's Azure Active Directory, and it works very well. Microsoft has no reason to "buy" Duende.

But yes, IS4 is a .Net Foundation project pushed by default to .Net developers and it should not go away like that. IS5 cannot replace IS4 nor be considered as an upgrade with its custom & restrictive licence. It is a no go.

But yes, IS4 is a .Net Foundation project pushed by default to .Net developers and it should not go away like that. IS5 cannot replace IS4 nor be considered as an upgrade with its custom & restrictive licence. It is a no go.

IS4 is not "going away". The GH project is still there. The NuGet packages are not getting removed. You can still use IS4 until the heat death of the universe if you please.

Yes, there is a difference between OSS and FOSS, but that is my point exactly, .NET Foundation should be FOSS.

.NET Foundation is FOSS; DuendeSoftware/IdentityServer is not a .NET Foundation project. The .NET Foundation does not have enough budget to hire even a single full-time dev with enough competence to develop something like IdentityServer. Perhaps in the future if enough companies sponsor the .NET Foundation that could change, but it is not the current reality. The projects in the .NET Foundation are mainly sponsored by the maintainers of those projects contributing their time.

After 10 years of work the maintainers of IdentityServer decided it was not sustainable to continue to donate their time to the IdentityServer project (and they give a full and frank breakdown of why); and due to above the .NET Foundation couldn't bridge that financing gap even if they wanted to.

Other people keep insisting IS4 could be forked because it's Apache licensed. Yes, yes it can, but it's a bad solution. First, few people are as skilled as its authors, it would take considerable effort and time to train or have a new crew train itself to the level of being able to maintain it, ...

Was just pointing out it could; not suggesting you should. However it would also be far cheaper and easier to buy a licence from Duende, and if enough companies do it then it becomes a force multiplier enabling new features etc to be delivered.

Yes, it would have been nice if it was free and voluntarily sponsored and that was sustainable; however they have already tried that and the reality is it wasn't. So instead they are working on a successor project which is free for some scenarios and below certain thresholds.

I am sure there is a sponsorship figure which Duende will accept in exchange for returning to Apache license. When there is a will, there is a way, this lack of understanding should have never reached us.

.NET (and most other ecosystems) have an "F"OSS financing problem; if you want OSS to be "free at the point of use", it needs to be paid for before that. Individuals sponsor the .NET Foundation via time and membership dues, as do 9 companies, but it's not enough for them to pay any developers to work full-time on projects.

IdentityServer tried with voluntary sponsorships but it only raised a fraction of what was needed. Companies need to either provide employee time or more sponsorship funds, or maintainers will burn out, have to give up so they can earn and have a life, or move to a business method of financing (i.e. charging for use).

We as a community and ecosystem; including companies, have to contribute and share the load to make it sustainable where the whole is greater than the sum of its parts and the individual load is light or we will end up in a "you get what you pay for" situation and those who don't pay don't get. ImageSharp is suffering from a similar dilemma.

It's not a situation I want, and not only do I want project maintainers to "maintain" their projects, but I want more and real innovation in the .NET OSS ecosystem. As an ecosystem we aren't making it easy with almost everything being sustained by volunteers' good will, which burns out, rather than actual financing; but perhaps I'm in a minority view and one certainly not shared by the majority of the corporate part of the ecosystem?

I'd go even so far to say what has happened to IdentityServer is an expected outcome of how we finance open source (or rather don't).

First of all: I ❤ Microsoft and I <3 .NET (Core) even more.

Secondly I support Duende's decision.

"You can still use IS4 until the heat death of the universe if you please."

Yep, in theory, but it has support (bug fixes) until support ends for .NET 5, somewhere in 2022. So no, thank you, and it's not even really an option.

"Azure has a free plan"

I've only a debit card. (But I do have a savings account; I don't live on credit.) Can't create an Azure account, and I've been 'begging' :) for one since 2014. And even if I had one, I want to control it myself for most of the web apps I write. So no, not an option either.

Bottom line, I need to rewrite a whole lot of app-critical code, as I was depending on IS4 for the future; that's why I started using it in the first place. Although I support Duende's decision (I support every dev), the change they've made is really big. I for one won't ask them for a free plan, because who knows for how long I can depend on that. I've a bit of a trust issue with IS/Duende now. But that's just me, I'm sure.

Other people keep insisting IS4 could be forked because it's Apache licensed. Yes, yes it can, but it's a bad solution. First, few people are as skilled as its authors; it would take considerable effort and time to train, or have a new crew train itself, to the level of being able to maintain it, ...

Hence why you now have to buy a license for ongoing support and updates. Perhaps if you and others had contributed or donated at any point over the past decade of IdentityServer FOSS, when you were enjoying a free ride at the maintainers' expense, this wouldn't be an issue. Find some projects and start contributing, either financially or with your own labor, if you feel this strongly.

@JeepNL There is already a free plan, per the original post in this thread. Free for non-commercial use or for organisations with a turnaround of < $1m.

@isaacabraham I know there is. I'm using IS4 in one of my projects for a mental healthcare organization in Holland; I'm programming it as a volunteer. I don't know if they validate as a non-profit; they make money of course. And I don't know what their turnaround is. So, if I've to rewrite the Authorization & Authentication code for them, I'm gonna use that code in all of my apps.

And if you do rewrite it, you should open source it and support it for free.

I just want to clear something up: we are talking about IdentityServer4, which is a standalone auth server. Microsoft.Identity is going to remain, right? So basic auth is still part of the core. If someone needs a standalone server they can pick other providers.

But still, it is beyond my brain power to understand why, when there are alternative OpenID certified solutions out there, the decision makers still push paid software with a blurry future onto the community. Maybe someone should check whether they have some share of the benefit from pushing paid software onto the community. I saw a comment suggesting to go and use your own template, or if you don't like it, don't use this template, but anyway, at the end of the day it is about the conversion rate: even if just 3% of the dotnet community adopt IS5, that should be quite profitable, isn't it? Not pointing a finger at anyone, but this kind of decision (free advertisement) is quite ugly and smelly.

Maybe someone should check whether they have some share of the benefit from pushing paid software onto the community.

Remember, the COMMUNITY asked MS to put IS4 in the templates to promote OSS. There was HUGE blowback that MS was going to develop their own implementation and the COMMUNITY said "no".

I'm not seeing any viable alternatives proposed:

"Push some other OSS package" could have the exact same issues, except perhaps worse - the maintainers get burned out with folks asking for free support/docs/updates/bug fixes, and they abandon the project. Are these proposed alternatives properly funded? Are you asking your company to sponsor those projects that you depend on?

"Buy Duende" - perhaps ask the Duende folks themselves if they would WANT to become MS employees??

"MS should develop their own free solution" - makes no sense given they already have a product in this space. Why spend money to develop a free product to compete with yourself?

I don't see another viable solution other than what @blowdart already has laid out. The only other option I see is to remove IS4 entirely from the .NET 6 templates and DON'T add anything else back in. You want something, you pick something, and then maybe .NET 7 brings tooling to enable OIDC flows during development.

Remember, the COMMUNITY asked MS to put IS4 in the templates to promote OSS. There was HUGE blowback that MS was going to develop their own implementation and the COMMUNITY said "no".

To be fair, IS was FOSS at the time, that is no longer true. You have to read old comments in context.

I think maybe part of the reason this is blowing up so much is a lot of people learn how to do things by looking at the templates, so if the template is using IS then that must be how it's done in .NET. It's for sure going to bring business to Duende.

Maybe the template could mention with code comments that there are alternatives?

@JeepNL if you are working with healthcare, you should get super serious about authentication (it's illegal to half-ass it). Get a managed solution, maybe.

Thank you for your comment. I don't know what to do with it exactly, because I haven't shared what type of app I'm programming, but okay. FYI: I don't do half-ass, & I'm super serious; comes with my age, I think.

If anybody else wants to share what I should or shouldn't do, please look at my profile on GitHub; there's an e-mail address. Let's not waste this space.

To be fair, IS was FOSS at the time, that is no longer true. You have to read old comments in context.

Oh yeah, I get that - at no point were any of these decisions incorrect at the time they were made, IMO. The biggest takeaway here is how hard it is to have sustainable OSS. Even for my packages, AutoMapper, MediatR etc., 99% of my time spent on those projects is client-funded.

@JeepNL apologies, I was assuming patient data would be going through those systems. If that is the case, any kind of self hosted system would be a huge liability (see HIPAA compliance etc)

No client data. Not a single bit.

I believe Microsoft has made the right decision. There are managed solutions that make sense for small projects and for big projects, Duende's License is very affordable. Or you can host your own Keycloak or FusionAuth server.

Companies pay $1M+ for shitty "Enterprise" software, and yet people think $5-12k/year is too much for an integral part of their infrastructure.

What I don't understand is why Microsoft would put manpower into migrating the IS4 template to Duende specifically, when they could just as easily keep the template on IS4. IS4 is mature enough to stand on its own; you don't need to upgrade it to Duende if your target audience is those wanting to get started. I certainly hope there aren't any underhanded deals being made here, considering how Duende benefits financially from this.

As a normal .NET developer who cannot afford a Duende license, I vote for either keeping IS4 or using any other mature OSS alternative, and leaving users the option to upgrade to Duende if they need it.

@austinw-fineart Because IS4 doesn't support .NET 6; the last version it supported was .NET 3.1.

I see a lot of distractions here - @jbogard and Duende - the question the community raises right now... is not about you.

Let's go over your points, and not being sustainable as you were, or mentioning 'free riders' - well, nobody was forcing you to maintain it before, and nobody forces you to pick a revenue model now.
You decided to switch from a community project to a business with your own bets and financial risks, and it's fully within your rights.
We might like or not like how you do it, but that's actually what your risk is: will we still pick your product after the change, or not.
Nobody forces us to keep using your products if we don't like your license, or if we don't like the hassle of going for approvals for a license we can avoid.

Now, returning to customers, regular developers - previously, it was a no-brainer to pick IS as the base of your product: it was free, proven, and did the job. And THAT was the voice of the community: to have something included that everyone used anyway, and that perfectly aligned with the spirit of the .NET Core product itself.
Is it still so? I doubt it.

So the question is: should a nonprofit org advertise a paid 3rd party product that is not an industry standard anymore?

arknu commented

I never liked the use of IdentityServer by default in the templates, it is way overkill for simply issuing JWT tokens for local users. ASP.NET Core should have a simple built-in solution that can issue JWT tokens for locally stored users created using the built-in identity module. This is what should be included by default in the template (along with the usual options for using third-party OpenID providers like AAD).

Those who have needs for more options, for instance authentication across multiple services or other more advanced scenarios that require the feature set of IdentityServer, can then switch over to using IdentityServer with the appropriate licensing.

But promoting a specific commercial product in the default ASP.NET Core template is not OK. It is, in fact, anti-competitive. Given Microsoft's previous problems with other kinds of bundling, I'm very surprised that this has been deemed OK. Let's say a future commercial competitor to Duende IdentityServer pops up. Now they are at a significant disadvantage compared to Duende, because Duende's product is included in the default templates.

The best solution here would be Microsoft stepping in to keep IdentityServer free and open source. I would argue that authentication and identity done right is a key feature of a modern web platform. The current situation risks a lot of home-grown solutions. And we all know the perils of that...
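As an added example, not code from this thread, from the ASP.NET Core templates or from any of the commenters, here is what the "simple built-in solution" arknu describes looks like in practice: a minimal API that checks a username and password against ASP.NET Core Identity's user store and issues a short-lived HS256 JWT, plus a protected endpoint that validates it. It assumes a .NET 6 or later web project referencing Microsoft.AspNetCore.Identity.EntityFrameworkCore, Microsoft.EntityFrameworkCore.Sqlite and Microsoft.AspNetCore.Authentication.JwtBearer; the names AppDbContext and LoginRequest and the Jwt:SigningKey, Jwt:Issuer and Jwt:Audience configuration keys are made up for the example.

```csharp
// Added example, not code from the thread or from the ASP.NET Core templates.
// Assumes a .NET 6+ web project referencing
//   Microsoft.AspNetCore.Identity.EntityFrameworkCore,
//   Microsoft.EntityFrameworkCore.Sqlite and
//   Microsoft.AspNetCore.Authentication.JwtBearer.
// AppDbContext, LoginRequest and the Jwt:* configuration keys are hypothetical names.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// An HS256 key must be at least 256 bits; refuse to start with a weaker one.
var keyBytes = Encoding.UTF8.GetBytes(builder.Configuration["Jwt:SigningKey"] ?? "");
if (keyBytes.Length < 32)
    throw new InvalidOperationException("Jwt:SigningKey must be at least 32 bytes");
var signingKey = new SymmetricSecurityKey(keyBytes);
var issuer   = builder.Configuration["Jwt:Issuer"]   ?? "https://localhost";
var audience = builder.Configuration["Jwt:Audience"] ?? "api";

builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db"));
builder.Services.AddHttpContextAccessor();                 // SignInManager depends on it
builder.Services.AddIdentityCore<IdentityUser>(o =>
    {
        o.Lockout.MaxFailedAccessAttempts = 5;              // online brute-force protection
        o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    })
    .AddEntityFrameworkStores<AppDbContext>()
    .AddSignInManager();

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = issuer,
        ValidAudience = audience,
        IssuerSigningKey = signingKey,
        ValidateIssuerSigningKey = true,
        ClockSkew = TimeSpan.FromSeconds(30),               // the default is 5 minutes
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Username + password in, bearer token out, for users in the local Identity store.
app.MapPost("/token", async (LoginRequest req,
                             UserManager<IdentityUser> users,
                             SignInManager<IdentityUser> signIn) =>
{
    var user = await users.FindByNameAsync(req.UserName);
    // Same response for an unknown user and a wrong password: no username enumeration.
    if (user is null) return Results.Unauthorized();

    // lockoutOnFailure: true makes failed attempts count toward the lockout policy above.
    var check = await signIn.CheckPasswordSignInAsync(user, req.Password, lockoutOnFailure: true);
    if (!check.Succeeded) return Results.Unauthorized();

    var now = DateTime.UtcNow;
    var token = new JwtSecurityToken(
        issuer: issuer,
        audience: audience,
        claims: new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, user.Id),
            new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName ?? ""),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
        },
        notBefore: now,
        expires: now.AddMinutes(15),                         // short-lived; no refresh tokens here
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));

    return Results.Ok(new
    {
        access_token = new JwtSecurityTokenHandler().WriteToken(token),
        token_type = "Bearer",
        expires_in = 900,
    });
});

// Protected endpoint: only a valid, unexpired token signed with signingKey gets through.
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(new { name = user.Identity?.Name }))
   .RequireAuthorization();

app.Run();

record LoginRequest(string UserName, string Password);

class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```

This covers only the local-users case the comment is about: one issuer, one audience, a symmetric key shared by issuer and validator. The moment a second service needs to validate the tokens, that key has to be shared with it, which is where an asymmetric key, discovery metadata and the other OIDC machinery that IdentityServer provides start to matter.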

Hey if you just want to create JWT tokens, I can give you https://github.com/vivainio/SecretsMan for 10 bucks

I'm amazed at the number of people on this thread talking about how the Duende license is too expensive. If you earn less than $1m a year it's free. It's unfortunate that so many people seem to not be aware of this.

arknu commented

I'm amazed at the number of people on this thread talking about how the Duende license is too expensive. If you earn less than $1m a year it's free. It's unfortunate that so many people seem to not be aware of this.

@isaacabraham Well, maybe they should work on their pricing page then...
[screenshot of the Duende pricing page]

(Yes I know it's under "Special offers")

But really, that is not the point. You have to contact them and be granted a free license. It's not automatic. They can change the terms of this at any time. And given that they have done a bait and switch once, I would certainly not be relying on running anything in production with this free option. Who knows if it will be there in a few years?

should a nonprofit org advertise paid 3rd party product that is not an industry standard anymore?

Which nonprofit org are you referring to exactly?

The best solution here would be Microsoft stepping in to keep IdentityServer free and open source

Again, this means they will support a free product that competes with themselves.

The common theme here seems to be NOT that MS is promoting an open source product, which Duende still is, but that it is one that has commercial licensing (albeit one that kicks in only in production if you're >$1M revenue)?

Does anyone complaining here feel that they are personally on the hook for a license fee? Or do they just not want to ask the Powers That Be to pay for a license?

@arknu click the "Special Offers" below your screenshot; that talks about discounts for non-profits, free for development, etc. etc.