The Future of IdentityServer #26489
Comments
javiercn
added
the
area-mvc
blowdart
added
the
External
|
.NET 5.0 will ship with IdentityServer 4 in some ASP.NET templates. As the IS folks have stated
Planning has begun for .NET 6.0 and we'll make an announcement when ready. |
|
I don't see why this is a big deal - still fine for ASP.NET Core to ship OSS templates that include IdentityServer4 under this license. If companies want great tools for solving problems as complicated and critical as identity management they should have no problem paying for it. |
|
We need a new free option, this is a core component and cannot be outsourced to 3rd party companies. THIS IS TOO CRITICAL |
If you've been using IdentityServer all this time, you've already been depending on a 3rd party company. OSS software isn't about other people doing things for you for free - either roll your own, pick another technology, or pay the bill. If you can't afford $1500 a year for IdentityServer4 to manage something as critical as identity for your business applications, drop them a line and let them know - pricing software products is a complicated business. |
|
IS4 will actually remain free and will be supported in line with .NET Core 3.1. It's only IS5 (as far as I'm aware) that will be commercial. But the main point is right - if you don't want to pay for the future version of IS, just use the out of the box solution or roll your own. If you would rather not take on that responsibility and / or it'll be quicker to use a third-party package written by experts, then you can pay for them to do it for you. I don't see the problem. |
Can you link to the issue where this is being discussed, please? |
|
@weedkiller Funny how while it's been free, depending on 3rd parties has never been a problem... |
|
@citizenmatt "we'll make an announcement when ready" |
|
@blowdart Thank you for your clarification! |
Does "we" mean Microsoft, the .NET Foundation or the open source community? |
|
@hhariri It used to be core part of the MS Stack back in early webforms/MVC time frames. However MS did not release the comparable component with an admin/UI, in the new ASP stack. So people gravitated towards that as a viable and that it was a free option. From a financial point 1500$ in countries where they make less than 3$/day is not an option and a pain of the smaller business that you should personally exp. to understand. Many of these sites just have basic features enabled, with a large community Also with this kind of a mindset other competing products like Wordpress on PHP have gained huge ground on ASP. Some day PHP and its frameworks are going to catch up. Look at the search results, there are several several questions and issues just on this topic which are closed or unanswered with a heavy hammer. for e.g. 57 votes ASP identity -- #16534 #973 Looking through the issues.. there are several pertinent questions that are core to the stack, that are simply too hard for a developer to tackle on his own, and too crucial for any one to monopolize. Multi tenancy, Dynamic Roles with claims, Federation, SSO, ASP Identity Core is DB facing more that anything, Open ID integration and more@citizenmatt please give us an option that's doesn't burn a hole! |
From what I gathered their site earlier this week, its free only till IS 4.x (current version). Everything going forward is Duende or something software and costs money from October, so they way I understand any development from here.. is commercial including bug fixes etc. |
|
IS4 will work until 2022 at that point you won't able to get security fixes, etc. They went enterprise pricing, there is no hobby pricing or "starter". They went from 0 to 60. It's ok, it's their choice, but we have a choice too. Before we migrate to one of the other FOSS systems we're waiting for Microsofts response to this. Surely this is a pivot moment to solve this internally for the framework. MVC1-5 came with auth solutions so I expect they will continue that tradition. Json parsing used require 3rd party (at least if you wanted performance). That's internal now and far better. We'll see what they do. |
|
A full OpenID Provider has been built in. Not sure why it's considered necessary to have it now. I get that IdentityServer going non-free sucks for some users but there are alternatives like OpenIDdict. Begging Microsoft to make things like this distracts them from improving core functionality. Microsoft doesn't have to own everything dotnet. |
|
I get it that the creators need money so it is their decision whatever they want to do. For the .net ecosystem it is a rather disastrous event. As a small company that has chosen IdentityServer because it is the "official" framework of choice, both according to Microsoft and the general community, you are now facing a lot of not needed and not wanted problems. Sure you can say, yes $1500 is not much in the business environment. But this is not true for all of them. For us it is a lot of money and also a lot of time that we have already invested. We now have to migrate to something different. Yes, open source is not about "free work" but you clearly want to have a .net ecosystem with all the basic tools that keep steady and have a very open license. It would have been better if they did the license change back then when they converted IdentityServer to .net core. |
Most of full stack framework out there has official package for crucial things like this (say laravel). Coming from other communities like php, node, etc, dev can build and experiment with everything totally free. This makes it harder for newcomers to learn aspnet core without the support from the community or microsoft officially Edit: and yes its totally up to the creators if that's their decision |
Here are some alternatives that may have come to pass without this move :
Also consider the difference now : The team may have more funds to invest in making the API and docs even better, saving you time and money. In other words, positioning this as a negative move is perhaps a little short sighted. The current situation was probably unsustainable and this was no surprise to me when I saw the news. You have until the end of life of netcore 31 which is next year, to plan for a migration strategy. As I understand it, IS4 will continue to work, it's simply not going to be updated. I suspect that the time saving of paying the money will outweigh the cost of moving but you will undoubtedly know better. |
It's just one project changing a license. Yes, it's popular but there are alternatives. This happens in all ecosystems. They also have paid for things too. The sky isn't falling. |
Having sustainable OSS projects is part of a healthy ecosystem. If not $1500, what amount would you pay? If the answer is "none" then you're the problem. |
|
If you're hosting on Azure, you might look at its Easy Auth feature for App Services. That's free, too. We use that quite a lot for the "easy" scenarios. If your situation is complex, that's when you need something more powerful, and I don't see why it must be free. |
|
In fact you have until end of 2022 to move over. That's two years. |
|
@weedkiller @bladefist (and everyone else) As @Aaronontheweb says, pricing a product is hard. If you want to give us feedback on the pricing and explain your situation, this is not the right place to do that. Please contact us directly thanks! |
Totally true, identity and access management should be baked into the framework as it is needed in almost any serious app. |
Sorry, but this is just an arrogant statement by you. |
You don't need something as sophisticated as IS4/5 for simple use cases - there are numerous other libraries that are free. We're using |
|
We have 2020 and those features should be something that should be absolutely solved in a standardized way and freely available in a famework:
Again, the point here is that we invested time and money in solutions using IS for those things. Because MS said this is the way to go. We are still in a crucial situation with .net and hoping that it gain more ppl using it. Also if Blazor should gain traction something like this just doesn't help. |
@pollumi I agree with everything you said 💯 this is a pretty core function to the Microsoft Stack, had they done it right in the first place it would have never been issue today. Also @Aaronontheweb is out of line with personal comments like that. What an idi0t, not ok, just because he dont agree with someone else view. Why is this closed?! |
|
If folks wanted this to be free, perhaps they should petition MS to sponsor the project at a level that would ensure that? |
|
I just want to throw my hat in because I keep seeing the $1500 number over and over in this and other threads, but I can't see how this would apply to anything but the absolute most basic IS4 implementation. I'm putting together a solution that uses IdentityServer4 for a relatively small startup. We don't have a problem paying to support the project, which is what we thought we were doing when we paid for the Enterprise AdminUI license at $8400 / year: https://www.identityserver.com/products/adminui This was a stretch for us, but we chose it over similar open source projects like https://github.com/skoruba/IdentityServer4.Admin to financially support the IS4 project. The per-client licensing model of Duende IdentityServer is what's going to make this untenable for us going forward. Let me describe our clients: 1: AdminUI (which alone is $8400 / year) ... As you can see, we've used 7 clients (2 of which are required by the IS4-affiliated product we're already paying thousands a year for) before even getting to the part where a single actual website or mobile app exists. Worker services (client credentials grants) come online at an alarming rate, and they're generally dead-simple pieces of code, sometimes the entire service is 100 lines of code. I don't know how other shops are handling IS4 clients, but using Duende IdentityServer will immediately put us in the Enterprise tier at $12,000 / year, putting our total cost at over $20k / year. I wanted to point all of this out since people may read these threads thinking "I can swing $1500 / year". I'd be shocked to find out that our setup was unique in the number of clients that end up being created. This client based pricing model is going to immediately price out many startups like the one I'm working with. The IS4 authors deserve to be well compensated and I hope Duende IdentityServer is a success for their sake, but I'm also hoping they introduce something like a per-user pricing model. |
|
That's great feedback @hallidev - exactly what the Duente dudes need to hear in order to get their pricing right |
Is this really so basic? If it's such a simple thing to do, Brock and Dominick wouldn't be able to create such a product - and you wouldn't be so disappointed at the move to a commercial model; you'd simply roll your own, or fork IS4 and continue from there. Clearly there's complexity in auth in general and within IS, and let's not pretend otherwise. |
|
what about non-for-profit organizations?, the rationale here is that everyone is using this product for commercial, profit, not all of us work like that. For the dotnet team, could be nice to have some guidance on how to integrate aspnet identity with an openid free/paid provider to offer the idp role. it could be hard to keep with the new licensing model since the new company dont have sales/marketing rep in our country, is an us-europe centric target they have, and duende name wont fly around here. i still have hope than in the next couple of years some higher up in microsoft get it and buy this excelent product, like they did before with dundas, minecraft and a lot of strategic assets. |
|
It's definitely not basic, it's incredibly valuable. I think one of the tricky things with the pricing is for startups. An STS might be one of the first bits of infra you set up, and at this point your business is surviving on free trials and any credits you can wrangle from developer evangelists. IS definitely kept me coming back to dotnet even if we weren't planning to use it elsewhere. I wish Microsoft would have sponsored the hell out of it so Brock and Dominick didn't have to worry about any of this. IS has done a lot for the dotnet ecosystem. |
|
I don't have a great amount to add to this other than the below.
Identity is ANYTHING but basic, and many get it so incredibly wrong & make it very easy for their applications to be breached. Like many others have said there are other options available |
For me it comes down to the large step functions in price, and particularly the single vs. unlimited issuers. I need multiple issuers. That puts me immediately at $12k/year. The 10 client limit is also too low in general. I'd fit under it right now but likely won't within a year or two. $12k/year for self-hosted OIDC is also just frankly hard to stomach relative to what we pay for other licensed software components. I'd be much more amenable to pricing that scaled linearly instead of this $7000/year jump between 10 clients and 1 issuer to unlimited. From what I can see, there's no other value add at all to the Enterprise Edition - simply the ability to go beyond 10 clients and 1 issuer. There's pricing we'd be happy to pay to support the project and maintain our integration investment, but this isn't it. |
|
Was this project sponsored by Udelt, Microsoft, Ritter Insurance Marketing, and Knab? Was there not enough sonsorship money? This list goes on Sponsors. Was this more of a thought that they can make more money by overpricing it for even the smallest of projects? |
|
@y2k4life Maybe before you jump to conclusions or imply things, find out all the details. |
|
Again. thanks for all the comments and feedback. This wasn't an easy decision for us, and we are still in the process of finding the right balance. The more data we have, the better. Please contact us directly via @y2k4life I broke down the exact sponsorship numbers on my blog
|
Having all the building blocks freely available to flexibly secure an API including a token provider is a very basic requirement of a modern ecosystem. Basic doesn't mean non-complex. I'm disappointed that such a basic functionality now requires lots of unplanned work and time. It was considered a done thing in my (and I'm sure in countless other) services. Maybe Keycloak can fill the gap but I actually absolutely love having a .net only stack. |
|
I agree you got to get paid, but I think this has turned out to become an exploit by Duende with Microsoft Complacency. Sad to say it, but with timing it boils down to being opportunistic, adoption was very low till the fantastic/free Lacking:
In many ways the lacking Full reference implementation including the GUI component in the identity management reference implementation/template is what creates a lot of confusion, If you look on Stack Overflow there are many many question handling identity and user/roles/claims management.
And here there was very little activity before @jskoruba put up his free admin GUI
|
Yet, none of that is directly related to IdentityServer. Don't confuse ASP.NET Identity with what IdentityServer does. |
I think a lot of people are confused and have been for a while. The name IdentityServer is so generic that people thought it was required. It doesn't help at the official docs saying "Identity with SPA" is a how to with IS4. That's so overblown and doesn't acknowledge the cases of when to use OpenID and when not. Just found this out on a Reddit discussion today: https://www.reddit.com/r/dotnet/comments/j4wl93/question_about_jwt_implementation_best_practices/ |
|
@clooge you realize that's a commit graph, right? That has everything to do with the amount of code changes being committed and none to do with how often the project is adopted by end-users? Plus those code changes are overwhelmingly committed by the two original maintainers of the project
Then again, I'm not surprised users with blank Github profiles might be confused by how OSS is actually produced. Bringing this back to ASP.NET Core - Identity is already built-in. As @poke explained very well:
If the issue at-hand here is that now you have to migrate IS to something else, guess what:
|
|
We're done here and I'm locking the issue. Some of you were hopping over the line, some of you hopped over it, sprinted in the wrong direction and then threw things from 2.7 miles past the line. In any case, this is not the venue to discuss Duende's pricing, what open source means, and whether Microsoft should produce everything and kill off the .NET open source ecosystem in the process. After all, one of the reasons we went with Identity Server in the first place was the community reaction to our suggestion we produced a simple authorization service, and the loud and clear message we shouldn't try to reinvent something that already had a good open source solution. Once .NET 5 is done and dusted I'm sure we'll have senior msft folks come up with an appropriate venue for a wider discussion over some of the issues I will remind all of you we have a code of conduct. |
and others
Currently, some of the ASP.NET Core templates use IdentityServer4. How the above announcement affect? ASP.NET Core 5.0 will be shipped with IdentityServer4?
The text was updated successfully, but these errors were encountered: