dotnet-architecture / News

News on .NET Architecture Guidance, eShopOnContainers and all the reference apps in dotnet-architecture
MIT License

eShopOnContainers: Upgrade IdentityServer 3.1 to Duende IdentityServer v6 #36

Open erjain opened 1 year ago

erjain commented 1 year ago

eShopOnContainers: Upgrade IdentityServer 3.1 to Duende IdentityServer v6

Highlights

- Upgrade IdentityServer 3.1 to Duende IdentityServer v6
- Migrate Identity.API to WebApplicationBuilder

gunnars04 commented 1 year ago

+1

TsengSR commented 1 year ago

I'd rather see an OpenIddict/ASOS implementation. Duende isn't open source anymore, as it uses a proprietary licence.

chaddoncooper commented 1 year ago

Yeah, bit of a shame it's using paid for/proprietary libs.

SergiiKram commented 1 year ago

I'd support the use of the IdentityServer 6. It's open-source and free to use for small businesses. And in many cases, you would still use IdentityServer 6 even though it's a paid product due to its maturity and features. So better to have reference samples that we can later relate to.

tebeco commented 1 year ago

quid of the opensource part of FIDO2 / webauthn of Duende and related code then

They seem to push RockSolidSoftware for that, which is not part of Duende IdentityServer. It's also a fully closed paid system; there's no open source or free for small companies.

so beware of where you draw the line

TsengSR commented 1 year ago

@SergiiKram

> I'd support the use of the IdentityServer 6. It's open-source ...

It's not open source, it uses a proprietary license as seen here

> And in many cases, you would still use IdentityServer 6 even though it's a paid product due to its maturity and features. So better to have reference samples that we can later relate to.

That's your personal decision, but for 98% of use cases where IdSrv would be useful, you'd need to pay 12k USD for SaaS or straight to 25-50k for redistribution (which you have to in case of on-premise software). That's not something a lot of companies do (excluding mega corporations).

As a comparison: For 50k/year you can get whole CRM/ERP system on premise, with all components and business logic, not just a single (emphasis on a single) component.

OpenIddict/ASOS would be a more suitable alternative, since it's open source under MIT licence and not some proprietary license with no predictability of legal decisions.

kevinchalet commented 1 year ago

> OpenIddict/ASOS would be a more suitable alternative, since it's open source under MIT licence and not some proprietary license with no predictability of legal decisions.

@TsengSR FYI, ASOS was merged into OpenIddict. For those who want the same lower-level/stateless experience, OpenIddict offers an ASOS-like "degraded mode": https://kevinchalet.com/2020/02/18/creating-an-openid-connect-server-proxy-with-openiddict-3-0-s-degraded-mode/

If it's something the team would like to explore, my DMs are open 😃

(note: OpenIddict is licensed under Apache 2.0, but it doesn't change anything to your remark)

gunnars04 commented 1 year ago

I think IdentityServer is the most popular .NET identity provider there is, so supporting IdentityServer 6 would make sense.

They offer a community edition for free unless you make more than 1M USD : "For-profit companies/individuals with less than 1M USD projected annual gross" https://duendesoftware.com/products/communityedition

tebeco commented 1 year ago

I don't think it's true. Is it popular? Sure. Do people actually use it as-is? No.

You see a lot of Azure AD or Keycloak. It's eShopOnContainers, so docker-compose is there for that, and I think you'll find way more usages of Keycloak in containers than Duende.

ruekart commented 1 year ago

The dotnet team is also discussing replacing the use of Duende with some other alternatives in their ASP.NET Core templates; here are some of the threads:

https://github.com/dotnet/aspnetcore/issues/42158
https://github.com/dotnet/aspnetcore/issues/47286
https://github.com/dotnet/aspnetcore/issues/46131

And it is actually in the roadmap for .NET 8 https://github.com/dotnet/aspnetcore/issues/44984 with this https://github.com/dotnet/aspnetcore/issues/47226

kwaazaar commented 1 year ago

I think it's fair to add that there is a reason why IdentityServer did not continue as a fully free open source project: without anyone actually paying/donating, it became impossible to maintain.

And with Microsoft actively pushing it with earlier versions of .NET Core, it would not have been unreasonable for MS to step in and in whatever way support them (pay, hire, buy, whatever) (to push us to AAD?). I'm not aware of any such actions, so it looks to me that MS is partially responsible for getting us in this situation.