Alternatives to Identityserver4: What are the Best Options and the Near Future of Identityserver

On October 1, 2020, Dominick Baier, one of the IdentityServer founders, published an article that confused the IT community. IdentityServer would rebrand and change its monetization policy starting November 2022.

And if initially, the goal of the project was to promote the product, now the priority has shifted. The IdentityServer team transformed the product from a hobby project to a real business. The reasons for such a solution were the following:

• The IdentityServer became too difficult to manage and support due to its increased popularity.

• The project doesn’t cover the cost of running and maintaining the core project and codebase.

So, what’s in store for software projects which rely heavily on IdentityServer? And what does it have to do with Duende Software?

What is IdentityServer?

An identity server is the control center of the IT infrastructure – it defines who connects to what IT resources within the organization. To clarify all things out, imagine that all interaction scenarios between users and applications must be protected from unauthorized use. Such protection assumes Identity Management – the process of identifying, authenticating, and authorizing individuals or groups of people to have access to applications, systems, or networks by associating user rights and restrictions with established identities.

IdentityServer (IS) is an open-source OpenID Connect and OAuth 2.0 framework for ASP.NET Core that’s especially favored in the dev community. Being officially certified, IS gives people a starting point for building a security token service. Due to the broad community support, IdentityServer4 examples are easy to find in GitHub.  As for the latest IS’s version, IdentityServer4 (IS4) became the de facto standard for .NET-based token services, the implementation of IdentityServer4 in .NET Core 3 in practice. Now it serves as a central authentication server for thousands of apps that allows creating a robust authentication & authorization system within the projects. So, let’s move on to its most remarkable features.

Key features of IdentityServer4

IdentityServer4 provides the following features for applications:

• Authentication as a Service. IS provides centralized login for all applications (web, native, mobile, services). IS is an officially certified implementation of OpenID Connect.
• SSO. IS provides Single Sign-on/Sign-out over multiple application types.
• Access control for APIs. IS issues access tokens for APIs for the following client types: server to server, web applications, SPAs, and native/mobile applications.
• Federation Gateway. IS supports external identity providers like Azure Active Directory, Google, Facebook.
• Customization. Since IdentityServer is a framework, not a boxed product or a SaaS, it can be customized. Users can write code to adapt the system to fit their scenarios.
• Open Source. IdentityServer is open source, well documented, and supported by the extensive community.

What Has Changed in the IdentityServer4 Rights of Use?

If you are actively using IdentityServer4, this is the information of utmost importance. Starting November 2022, the service will undergo drastic changes such as:

• Rebranding. IdentityServer will be rebranded as Duende IdentityServer. IdentityServer4 support will last until the end of life of .NET Core 3.1, which means till November 2022. In that way, Duende provides new documentation for the fifth service version.
• Pricing. The officials said that IS4 remains free for free, open-source work, development, and testing. For commercial scenarios, it will require annual payments. Plus, as a bonus, there is a 50% discount licensing for startups and non-profit organizations. For charities and small companies, the company offers a lucrative deal – a free plan.
• Licensing. Up to November 2022, IdentityServer will use the permissive Apache 2 license that allows building commercial products on top of it. Starting November 2022, IdentityServer remains open-source but works with a dual license: RPL and commercial.

  • RPL is a reciprocal public license. It keeps Duende IdentityServer free for free, open-source work.

  • Commercial license applies for all other use cases – provided that it is used in a commercial scenario.

  • Software. Duende IdentityServer will contain all of the new feature work and will target .NET Core 3.1 and .NET 5. Everything in the IdentityModel organization will stay unchanged.

How Will It Affect the Server Users?

How can such a solution influence the end-users of the IdentityServer? Is there a real problem or it’s just a routine announcement for IS users? Let’s sort the whole thing out.

Cost increase. The first and obvious aspect of the new IdentityServer policy is a cost increase. For typical commercial scenarios, it will cost at least $1,500 per year.

As IdentityServer is an OAuth framework, the tariffication metric is clients but not users. The cheapest Starter edition allows for 5 clients without reference to the number of users. Each additional client will cost $300.

Architectural solutions. Per-client tariffication of the IdentityServer can force businesses to implement single-client applications instead of multi-client solutions. It can be critical for small businesses with limited resources. For the current users who have already implemented a multiple-client architecture (multiple subdomains), there are no ways to reduce the cost – even if each client includes only one or several users.

For new applications, the developers will have to search for the best architectural solution – weighing all pros and cons of single-client websites and applications with multiple subdomains.

Support. Starting November 2022, no free support for IS4 will be provided. The commercial support can be overwhelming for a non-profit developer. As for commercial licenses, Duende provides Standard developer support in Starter and Business editions. Standard support includes public documentation, samples, and issue tracker.

And Duende provides Priority developer support in the Enterprise edition that starts from $12,000 annually. For that price, users will get public documentation, samples, issue tracker, and incident response SLA (Service Level Agreement). Hope that it will be reliable enough and will meet all the business needs.

Microsoft templates. Microsoft has bundled IdentityServer4 into the templates in the first place. So, using those templates for commercial purposes, you’ll have to pay for IdentityServer. As for now, there are no proposals or free plans from Microsoft related to Duende IdentityServer.

Available Solutions for Users

The forced changes associated with the growth of time and financial costs are uncomfortable for any business. If your application uses IdentityServer4, one way or another, you will have to choose a new operating scenario starting November 2022.

Option 1. Continue using the “all-in” IdentityServer

If the business needs all the functionality of IS, including flexibility, an unlimited number of clients, and support, it will cost $12,000 annually. Developers who do care about identity management and work with IS4 in a daily job environment, are OK with spending company money on it.

Pros:

• Continue using the tool that ideally fits the product needs.
• No need to spend time and money on searching for IdentityServer4 alternatives.
• Getting all the Duende IS additional features:
  • Unlimited clients.
  • Unlimited issuers – any number of logical token services running in production at any number of unique URLs.
  • Automatic key management.
  • BFF (Backend for Frontend) hosting library.
  • Dynamic authentication providers.
  • Resource isolation.
  • Priority developer support.

Cons:

• Cost: $12,000 annually.

If the business doesn’t need the Enterprise edition, it can choose one of the alternatives, IS pricing. There’re a starter and business editions of the following service having equally useful features, but with some restrictions.

Option 2. Use IdentityServer for free

Developers can continue using IS4 until November 2022 for free, supported by the IdentityServer team on Github. After that, they can keep using it, but without free bug fixes and security updates. In case of a critical problem, developers can fork IS4 and patch it themselves.

It may even happen that a client can still use Duende (IS successor) for free. In any case, it’s worth checking the conditions of the free licensing.

In the mentioned cases Duende IdentityServer is free, though with some limitations. Besides, following the original discussion, Dominick Baier emphasizes that they are ready for dialogue on each specific customer.

Option 3. Don’t use IdentityServer: IdentityServer4 vs other equivalents

If the business doesn’t need all the IS features, the customer application has “easy” identity management scenarios or the processes aren’t heavily dependent on IS4. Developers and businesses can choose alternative products from other vendors or develop their own ones.

The IT community is still trying to figure out the best IdentityServer4 alternatives and get over the shock. But be as it may, there’re decent variants. One of the approaches is to distinguish library-type and product-type solutions for identity management.

By its origin and purpose, IdentityServer itself is a library-type solution. The library-type solution can fit most under the following conditions:

• You need free and open-source software.
• You need to manage all the data yourself due to regulations or privacy requirements.
• You need flexibility during the authentication flow, for example, a custom workflow for finding or merging user accounts.
• You have enough time, skills, and resources to run it yourself.
  

In contrast, a product-type is suitable for the clients that meet certain criteria:

• The price is not a determining factor.
• You need to save time and human resources on implementation and operation.
• The product contains just enough settings for your use case. The lack of flexibility is OK or at least not critical.
• The product gives even more out-of-the-box features required for your project.
  

In this case, product-type alternatives can include the following services: Auth0, Okta, Keycloak, Azure Active Directory B2C.

OpenIddict

One of the IdentityServer4 alternatives proposed by the IT community is OpenIddict. Like IdentityServer, it’s a .NET library-type solution that works with client authentication and token issuing, but not user authentication and allows implementing custom login flows. OpenIddict operates under the Apache 2 license, uses OAuth and OpenID Connect protocols, and is supported by the GitHub community.

Keycloak

Another IS alternative, Keycloak, is an open-source product-type solution, it operates under the Apache 2 license, but unlike IS and OpenIdDict, is Java-based and has no such flexibility as libraries do. For example, it doesn’t support custom grant types and custom login flows for users.

Azure Active Directory B2C

Azure Active Directory B2C can be a solution if there is no need for flexibility and you are hosting customer identities in a SaaS. It’s a Microsoft product running only in the Azure cloud. AAD B2C pricing is user-based, and is free for 50,000 monthly active users (MAUs).

Active Directory Federation Service For on-premises, Microsoft has an ADFS (Active Directory Federation Service) alternative. ADFS is a solution for SSO and Internet authentication. It follows a process similar (but not equal) to OAuth, uses some open standards (HTTPS, SAML), but is Microsoft-specific and requires Internet Information Services (IIS), which only run on Windows servers.

Even though we can comfortably use Identity Server for some time (at least till the end of 2022), the changes are inevitable. Companies must put a high priority on the quality, security, and stability of the software, so schedule the time for reviewing the business strategy and re-evaluation of fundamental needs and resources.

Also Published Here