abpframework / abp

Open Source Web Application Framework for ASP.NET Core. Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET and the ASP.NET Core platforms. Provides the fundamental infrastructure, production-ready startup templates, application modules, UI themes, tooling, guides and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Planning about the IdentityServer Upgrade/Switch #7221

Closed hikalkan closed 2 years ago

hikalkan commented 3 years ago

Duende IdentityServer has been released: https://blog.duendesoftware.com/posts/20210114_v5_release/

Now we have a few options:

We welcome any suggestions.

olicooper commented 3 years ago

For now IDS4 is great, so I'd personally stick with it for a while until we know how this changes things. Long term, is there a way to have both, like a new module? Then create a migration guide?

The Duende special offers page says it is free for open source projects, development environments, charities and small companies.

It might be worth you guys sending Duende an email to see how you can partner up to offer IDS5 to your commercial clients to make the process simpler for the client and potentially generate sales for Duende too? For example they offer ISV licensing too.

d-oit commented 3 years ago

IDS4 is great atm. No need to change: "This repo will be maintained with bug fixes and security updates until November 2022."

Wait for the complete .NET 6 MS Roadmap for a possible/alternative switch: https://github.com/dotnet/aspnetcore/issues/27883

davidzwa commented 3 years ago

I/we agree with sticking with IDS4 for a preset period (1 year/.NET 6 release), although I do think we should consider a fork-and-maintenance approach if no solution arises in time. I think this community has the capability of carrying the load that comes with it.

Also, can this important issue be pinned? I think it is quite important that people give their opinion.

hikalkan commented 3 years ago

Pinned the issue. Thanks for reminding.

leonkosak commented 3 years ago

I agree that sticking with IDS4 is currently the best option (at least this year). After that I hope that MS finally comes with its own solution.

Xeevis commented 3 years ago

Sticking with IDS4 for the time being sounds good. Microsoft will surely tackle the issue sooner or later, they chose IdentityServer because it was free and open source. Now they have to decide on this once again.

I took a quick peek at Duende. Licensing seems quite restrictive. At the Starter edition ($1500) it's limited to a single issuer URL with 5 OAuth clients. Correct me if I'm wrong, but it seems like a bad deal for SaaS with tenants, which is one of the great strengths of the ABP framework. I believe IDS4 has this unlimited? With Duende that would be $12000/yr. Whoa 🤯.

davidzwa commented 3 years ago

Yeah, I found the same, although Duende's license table has improved in 1 month; I was trying to look for open (free) gaps in the licensing, but RPL just makes it near impossible, and we're not even commercially involved.

Do you guys think MS will pick this up? I heard some very mixed reactions on IDS's repo/blog about how MS ignored this whole situation. What will make it different in the future? What is their incentive?

aelhadi commented 3 years ago

Hello,

Personally, I have already used OpenIddict, and I think it will be a good alternative.

Regards

beriniwlew commented 3 years ago

I think there should definitely be an OpenIddict module, so that users can choose between IDS4 and it.

beriniwlew commented 3 years ago

Also, we should consider passwordless auth through FIDO2/WebAuthn.

https://deblokt.com/2020/01/24/08-part-1-identityserver4-mfa-fido2-yubikey-5-net-core-3-1/ put us on the right track, and https://webauthn.io/ helped us to understand how it works.

Would be nice not to worry about phishing attacks, eh?

tevosouza commented 3 years ago

As I said on another issue, maybe Keycloak (https://www.keycloak.org/) can be an alternative. It's open-source, robust, scalable, reliable and has a very active community.

Xeevis commented 3 years ago

> As I said on another issue, maybe Keycloak (https://www.keycloak.org/) can be an alternative. It's open-source, robust, scalable, reliable and has a very active community.

While possible, it's not something the .NET community will ever pivot to. It's written in Java, .NET's mortal enemy you know 😅. You'd need a separate setup and use an adapter to talk to it. OpenIddict would make much more sense.

badre429 commented 3 years ago

> As I said on another issue, maybe Keycloak (https://www.keycloak.org/) can be an alternative. It's open-source, robust, scalable, reliable and has a very active community.

> While possible, it's not something the .NET community will ever pivot to. It's written in Java, .NET's mortal enemy you know 😅. You'd need a separate setup and use an adapter to talk to it. OpenIddict would make much more sense.

Yes, it's not possible, but not because of Java vs .NET; it's about self-hosting the application together with the identity provider. Adding Keycloak will add more frustration on top of an already complicated solution.

tevosouza commented 3 years ago

Hi @Xeevis and @badre429 Thank you for your answers!

xdmushui commented 3 years ago

Are you considering integrating Dapr and using a sidecar to integrate with other open source identity servers? This has the advantage of making full use of open source projects.

mooresway commented 3 years ago

Microsoft on the topic: https://devblogs.microsoft.com/aspnet/asp-net-core-6-and-authentication-servers/

hikalkan commented 3 years ago

OpenIddict seems the best approach. For a smooth transition, we will try to support both.

Anyone had problems with OpenIddict before? :)

yellow-dragon-cloud commented 3 years ago

The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in a commercial setting if the entity or organization makes more than 1M USD/year.

I think supporting both IdentityServer 5 and OpenIddict would be perfect.

hikalkan commented 2 years ago

I am moving this to after ABP 5.0. This is a huge amount of work and we will work on it next year. Currently, we continue to use the IDS4 open source version since it is being maintained until the end of 2022. We will provide a good solution before that date.

jack-gaojz commented 2 years ago

I think we should add an adapter layer for the authentication/authorization module and let the user choose the option. Old projects will be impacted too much if we switch directly.

fxhst329 commented 2 years ago

I think most of the above posts are just a continuation of an authentication implementation that is not the best. Even the first post, directly from an ABP developer, doesn't solve ABP's biggest issues with OAuth.

ABP is tightly coupled with IdentityServer and it's not that simple to just switch. We would suggest it be completely redesigned so ABP supports different OAuth providers.

We are, however, inclined towards a solution where ABP would add an adapter for authentication. This way users can add any providers they want very easily instead of having to change a lot of core ABP files.

Not all users want to use IdentityServer, Duende or OpenIddict... the only solution that is set by default by ABP. Different users have different OAuth needs; we found the fixation on a single OAuth provider, without the ability to easily switch the provider, to be a big setback and limitation of ABP.

beriniwlew commented 2 years ago

I agree that we must decouple things from IDS4. There are many interesting projects out there that can be an excellent alternative. I also hope the priority of this will be stepped up.

gerryge commented 2 years ago

Is there a clear timeline/plan to complete this feature? Our business users are always concerned about the identity server's future.

Xeevis commented 2 years ago


With version 6 onwards Duende is changing its licensing model: the Community Edition will no longer have any limits and will be feature-equivalent to the Enterprise Edition.

Duende IdentityServer v6 released Fair Trade Software License

nallejacobsson commented 2 years ago

That's good news, but it's still 1,500 USD / year for companies making >= one million USD gross annual revenue. We have switched to OpenIddict.

benmassaoud commented 2 years ago

Hi, why not suggest a template with Azure AD B2C as the primary identity provider?

hikalkan commented 2 years ago

We are currently working on a solution. We will try to make it as easy to change as possible, so anyone can use, for example, Azure, Okta or Keycloak and completely drop ABP's IdentityServer and even the Identity module.

Let's see the current situation:

So, if we drop IDS and only provide an external login (like Keycloak, Okta, Azure, etc.), it won't even be possible to run the Angular and Blazor UIs without a cloud provider or an external process (like a Keycloak server). I believe no one wants that, especially if you are building a relatively simple application and all you want to do is log the user in to your application. So, in that case, we should also support a built-in authentication server that is capable of implementing some or all of these auth flows.

If we should provide a built-in auth server, we have two possibilities now:

  1. Migrate to Duende IDS, which is a paid library for those who have more than $1M revenue. If we do that, we will try to make a deal with Duende Software to include their license in the ABP Commercial license price. But, for open source, their licensing is still a problem. What do you think about that?
  2. Switch to OpenIddict, which is currently open source and free, but there is no guarantee it will always be maintained and remain free. Also, if we do that, we need to do a lot of work since this is a low-level library (compared to IDS) and we will have a lot of code to maintain in the ABP Framework. Orchard did it and you can see the level of code they've implemented and are maintaining (see here).

I don't know any other mature open-source project that can add embedded auth server functionality to your application.

We will definitely support external providers (like Keycloak, Okta, Azure, etc.) (actually it is currently possible because ABP is modular and IDS is a removable module, but we will try to make direct integrations or prepare guides to show how to do that). However, we don't have a flawless solution for the built-in auth server; even Microsoft doesn't provide a solution, you know, so how can we do it :) This is a big problem in the .NET platform right now. I will write here as we make progress. It is appreciated if you write your thoughts.

nallejacobsson commented 2 years ago

We recently built our own auth server using OpenIddict + ASP.NET Core Identity. At first it seemed like a huge amount of work compared to IDS, but in the end it was pretty straightforward and the result is flexible and powerful. With ABP you already have a lot of pieces in place. Yes, there is no guarantee OpenIddict will always be maintained and free, but hey - that's the nature of open source :) And by committing to it you will increase its chances to prosper.

gerryge commented 2 years ago

How about this PR (feat: openiddict module #9770)?

hikalkan commented 2 years ago

@gerryge I didn't remember this, I will check it, thanks 👍

hikalkan commented 2 years ago

Hi all,

I've created an announcement for this topic. You can continue the conversation there if you like: https://github.com/abpframework/abp/issues/11989

hikalkan commented 2 years ago

@vijay2358 please write to info@abp.io I can see emails coming here. Thanks.