On October 1, 2020, Dominick Baier, one of the IdentityServer founders, published an article that confused the IT community. IdentityServer would rebrand and change its monetization policy starting November 2022.
And if initially, the goal of the project was to promote the product, now the priority has shifted. The IdentityServer team transformed the product from a hobby project to a real business. The reasons for such a solution were the following:
The IdentityServer became too difficult to manage and support due to its increased popularity.
The project doesn’t cover the cost of running and maintaining the core project and codebase.
So, what’s in store for software projects which rely heavily on IdentityServer? And what does it have to do with Duende Software?
An identity server is the control center of the IT infrastructure – it defines who connects to what IT resources within the organization. To clarify all things out, imagine that all interaction scenarios between users and applications must be protected from unauthorized use. Such protection assumes Identity Management – the process of identifying, authenticating, and authorizing individuals or groups of people to have access to applications, systems, or networks by associating user rights and restrictions with established identities.
IdentityServer (IS) is an open-source OpenID Connect and OAuth 2.0 framework for ASP.NET Core that’s especially favored in the dev community. Being officially certified, IS gives people a starting point for building a security token service. Due to the broad community support, IdentityServer4 examples are easy to find in GitHub. As for the latest IS’s version, IdentityServer4 (IS4) became the de facto standard for .NET-based token services, the implementation of IdentityServer4 in .NET Core 3 in practice. Now it serves as a central authentication server for thousands of apps that allows creating a robust authentication & authorization system within the projects. So, let’s move on to its most remarkable features.
IdentityServer4 provides the following features for applications:
If you are actively using IdentityServer4, this is the information of utmost importance. Starting November 2022, the service will undergo drastic changes such as:
RPL is a reciprocal public license. It keeps Duende IdentityServer free for free, open-source work.
Commercial license applies for all other use cases – provided that it is used in a commercial scenario.
Software. Duende IdentityServer will contain all of the new feature work and will target .NET Core 3.1 and .NET 5. Everything in the IdentityModel organization will stay unchanged.
How can such a solution influence the end-users of the IdentityServer? Is there a real problem or it’s just a routine announcement for IS users? Let’s sort the whole thing out.
Cost increase. The first and obvious aspect of the new IdentityServer policy is a cost increase. For typical commercial scenarios, it will cost at least $1,500 per year.
As IdentityServer is an OAuth framework, the tariffication metric is clients but not users. The cheapest Starter edition allows for 5 clients without reference to the number of users. Each additional client will cost $300.
Architectural solutions. Per-client tariffication of the IdentityServer can force businesses to implement single-client applications instead of multi-client solutions. It can be critical for small businesses with limited resources. For the current users who have already implemented a multiple-client architecture (multiple subdomains), there are no ways to reduce the cost – even if each client includes only one or several users.
For new applications, the developers will have to search for the best architectural solution – weighing all pros and cons of single-client websites and applications with multiple subdomains.
Support. Starting November 2022, no free support for IS4 will be provided. The commercial support can be overwhelming for a non-profit developer. As for commercial licenses, Duende provides Standard developer support in Starter and Business editions. Standard support includes public documentation, samples, and issue tracker.
And Duende provides Priority developer support in the Enterprise edition that starts from $12,000 annually. For that price, users will get public documentation, samples, issue tracker, and incident response SLA (Service Level Agreement). Hope that it will be reliable enough and will meet all the business needs.
Microsoft templates. Microsoft has bundled IdentityServer4 into the templates in the first place. So, using those templates for commercial purposes, you’ll have to pay for IdentityServer. As for now, there are no proposals or free plans from Microsoft related to Duende IdentityServer.
The forced changes associated with the growth of time and financial costs are uncomfortable for any business. If your application uses IdentityServer4, one way or another, you will have to choose a new operating scenario starting November 2022.
If the business needs all the functionality of IS, including flexibility, an unlimited number of clients, and support, it will cost $12,000 annually. Developers who do care about identity management and work with IS4 in a daily job environment, are OK with spending company money on it.
If the business doesn’t need the Enterprise edition, it can choose one of the alternatives, IS pricing. There’re a starter and business editions of the following service having equally useful features, but with some restrictions.
Developers can continue using IS4 until November 2022 for free, supported by the IdentityServer team on Github. After that, they can keep using it, but without free bug fixes and security updates. In case of a critical problem, developers can fork IS4 and patch it themselves.
It may even happen that a client can still use Duende (IS successor) for free. In any case, it’s worth checking the conditions of the free licensing.
In the mentioned cases Duende IdentityServer is free, though with some limitations. Besides, following the original discussion, Dominick Baier emphasizes that they are ready for dialogue on each specific customer.
If the business doesn’t need all the IS features, the customer application has “easy” identity management scenarios or the processes aren’t heavily dependent on IS4. Developers and businesses can choose alternative products from other vendors or develop their own ones.
The IT community is still trying to figure out the best IdentityServer4 alternatives and get over the shock. But be as it may, there’re decent variants. One of the approaches is to distinguish library-type and product-type solutions for identity management.
By its origin and purpose, IdentityServer itself is a library-type solution. The library-type solution can fit most under the following conditions:
In contrast, a product-type is suitable for the clients that meet certain criteria:
In this case, product-type alternatives can include the following services: Auth0, Okta, Keycloak, Azure Active Directory B2C.
One of the IdentityServer4 alternatives proposed by the IT community is OpenIddict. Like IdentityServer, it’s a .NET library-type solution that works with client authentication and token issuing, but not user authentication and allows implementing custom login flows. OpenIddict operates under the Apache 2 license, uses OAuth and OpenID Connect protocols, and is supported by the GitHub community.
Another IS alternative, Keycloak, is an open-source product-type solution, it operates under the Apache 2 license, but unlike IS and OpenIdDict, is Java-based and has no such flexibility as libraries do. For example, it doesn’t support custom grant types and custom login flows for users.
Azure Active Directory B2C
Azure Active Directory B2C can be a solution if there is no need for flexibility and you are hosting customer identities in a SaaS. It’s a Microsoft product running only in the Azure cloud. AAD B2C pricing is user-based, and is free for 50,000 monthly active users (MAUs).
Active Directory Federation Service For on-premises, Microsoft has an ADFS (Active Directory Federation Service) alternative. ADFS is a solution for SSO and Internet authentication. It follows a process similar (but not equal) to OAuth, uses some open standards (HTTPS, SAML), but is Microsoft-specific and requires Internet Information Services (IIS), which only run on Windows servers.
Even though we can comfortably use Identity Server for some time (at least till the end of 2022), the changes are inevitable. Companies must put a high priority on the quality, security, and stability of the software, so schedule the time for reviewing the business strategy and re-evaluation of fundamental needs and resources.
Also Published Here