dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

The Future of IdentityServer #26489

Closed SIkebe closed 4 years ago

SIkebe commented 4 years ago

The current version (IdentityServer4 v4.x) will be the last version we work on as free open source. We will keep supporting IdentityServer4 until the end of life of .NET Core 3.1 in November 2022.

To continue our work, we have formed a new company Duende Software, and IdentityServer4 will be rebranded as Duende IdentityServer. Duende IdentityServer will contain all new feature work and will target .NET Core 3.1 and .NET 5 (and all versions beyond). https://leastprivilege.com/2020/10/01/the-future-of-identityserver/

Currently, some of the ASP.NET Core templates use IdentityServer4. How does the above announcement affect them? Will ASP.NET Core 5.0 be shipped with IdentityServer4?

blowdart commented 4 years ago

.NET 5.0 will ship with IdentityServer 4 in some ASP.NET templates. As the IS folks have stated

> We will keep supporting IdentityServer4 until the end of life of .NET Core 3.1 in November 2022.

Planning has begun for .NET 6.0 and we'll make an announcement when ready.

Aaronontheweb commented 4 years ago

I don't see why this is a big deal - still fine for ASP.NET Core to ship OSS templates that include IdentityServer4 under this license. If companies want great tools for solving problems as complicated and critical as identity management they should have no problem paying for it.

weedkiller commented 4 years ago

We need a new free option, this is a core component and cannot be outsourced to 3rd party companies.

THIS IS TOO CRITICAL

Aaronontheweb commented 4 years ago

> We need a new free option, this is a core component and cannot be outsourced to 3rd party companies.

If you've been using IdentityServer all this time, you've already been depending on a 3rd party company. OSS software isn't about other people doing things for you for free - either roll your own, pick another technology, or pay the bill.

If you can't afford $1500 a year for IdentityServer4 to manage something as critical as identity for your business applications, drop them a line and let them know - pricing software products is a complicated business.

isaacabraham commented 4 years ago

IS4 will actually remain free and will be supported in line with .NET Core 3.1. It's only IS5 (as far as I'm aware) that will be commercial.

But the main point is right - if you don't want to pay for the future version of IS, just use the out of the box solution or roll your own. If you would rather not take on that responsibility and / or it'll be quicker to use a third-party package written by experts, then you can pay for them to do it for you.

I don't see the problem.

citizenmatt commented 4 years ago

> .NET 5.0 will ship with IdentityServer 4 in some ASP.NET templates. As the IS folks have stated
>
> > We will keep supporting IdentityServer4 until the end of life of .NET Core 3.1 in November 2022.
>
> Planning has begun for .NET 6.0 and we'll make an announcement when ready.

Can you link to the issue where this is being discussed, please?

hhariri commented 4 years ago

@weedkiller Funny how while it's been free, depending on 3rd parties has never been a problem...

blowdart commented 4 years ago

@citizenmatt "we'll make an announcement when ready"

SIkebe commented 4 years ago

@blowdart Thank you for your clarification!

citizenmatt commented 4 years ago

> @citizenmatt "we'll make an announcement when ready"

Does "we" mean Microsoft, the .NET Foundation or the open source community?

weedkiller commented 4 years ago

@hhariri It used to be a core part of the MS Stack back in early webforms/MVC time frames. However MS did not release the comparable component with an admin/UI, in the new ASP stack. So people gravitated towards that as a viable and that it was a free option.

From a financial point 1500$ in countries where they make less than 3$/day is not an option and a pain of the smaller business that you should personally exp. to understand. Many of these sites just have basic features enabled, with a large community

Also with this kind of a mindset other competing products like Wordpress on PHP have gained huge ground on ASP. Some day PHP and its frameworks are going to catch up.

Look at the search results, there are several questions and issues just on this topic which are closed or unanswered with a heavy hammer, e.g. 57 votes ASP identity -- https://github.com/dotnet/aspnetcore/issues/16534 https://github.com/dotnet/aspnetcore/issues/973


Looking through the issues..

there are several pertinent questions that are core to the stack, that are simply too hard for a developer to tackle on his own, and too crucial for any one to monopolize.

Multi tenancy, Dynamic Roles with claims, Federation, SSO, ASP Identity Core is DB facing more than anything, Open ID integration and more

@citizenmatt please give us an option that doesn't burn a hole!

weedkiller commented 4 years ago

> IS4 will actually remain free and will be supported in line with .NET Core 3.1. It's only IS5 (as far as I'm aware) that will be commercial.
>
> But the main point is right - if you don't want to pay for the future version of IS, just use the out of the box solution or roll your own. If you would rather not take on that responsibility and / or it'll be quicker to use a third-party package written by experts, then you can pay for them to do it for you.
>
> I don't see the problem.

From what I gathered from their site earlier this week, it's free only till IS 4.x (current version). Everything going forward is Duende or something software and costs money from October, so the way I understand it, any development from here is commercial, including bug fixes etc.

bladefist commented 4 years ago

IS4 will work until 2022; at that point you won't be able to get security fixes, etc. They went enterprise pricing, there is no hobby pricing or "starter". They went from 0 to 60. It's ok, it's their choice, but we have a choice too. Before we migrate to one of the other FOSS systems we're waiting for Microsoft's response to this. Surely this is a pivot moment to solve this internally for the framework. MVC1-5 came with auth solutions so I expect they will continue that tradition.

Json parsing used to require 3rd party (at least if you wanted performance). That's internal now and far better. We'll see what they do.

adamhathcock commented 4 years ago

A full OpenID Provider has been built in. Not sure why it's considered necessary to have it now.

I get that IdentityServer going non-free sucks for some users but there are alternatives like OpenIddict.

Begging Microsoft to make things like this distracts them from improving core functionality. Microsoft doesn't have to own everything dotnet.

pollumi commented 4 years ago

I get it that the creators need money so it is their decision whatever they want to do.

For the .net ecosystem it is a rather disastrous event. As a small company that has chosen IdentityServer because it is the "official" framework of choice, both according to Microsoft and the general community, you are now facing a lot of not needed and not wanted problems. Sure you can say, yes $1500 is not much in the business environment. But this is not true for all of them. For us it is a lot of money and also a lot of time that we have already invested. We now have to migrate to something different. In a healthy ecosystem, it should not happen that a pillar on which so many have built, changes the license so negatively.

Yes, open source is not about "free work" but you clearly want to have a .net ecosystem with all the basic tools that keep steady and have a very open license. It would have been better if they did the license change back then when they converted IdentityServer to .net core.

robertwt7 commented 4 years ago

> Begging Microsoft to make things like this distracts them from improving core functionality. Microsoft doesn't have to own everything dotnet.

Most full stack frameworks out there have an official package for crucial things like this (say laravel). Coming from other communities like php, node, etc, devs can build and experiment with everything totally free. This makes it harder for newcomers to learn aspnet core without the support from the community or microsoft officially.

Edit: and yes it's totally up to the creators if that's their decision

isaacabraham commented 4 years ago

> For the .net ecosystem it is a rather disastrous event.

> In a healthy ecosystem, it should not happen that a pillar on which so many have built, changes the license so negatively.

Here are some alternatives that may have come to pass without this move :

  1. They stop developing identity server completely as it's not financially viable for them to continue it.

  2. Support and ongoing changes dry up. You have a live issue and there's no one to help you out.

Also consider the difference now : The team may have more funds to invest in making the API and docs even better, saving you time and money.

In other words, positioning this as a negative move is perhaps a little short sighted. The current situation was probably unsustainable and this was no surprise to me when I saw the news.

You have until the end of life of netcore 31 which is next year, to plan for a migration strategy. As I understand it, IS4 will continue to work, it's simply not going to be updated.

I suspect that the time saving of paying the money will outweigh the cost of moving but you will undoubtedly know better.

adamhathcock commented 4 years ago

> > Begging Microsoft to make things like this distracts them from improving core functionality. Microsoft doesn't have to own everything dotnet.
>
> Most of full stack framework out there has official package for crucial things like this (say laravel). Coming from other communities like php, node, etc, dev can build and experiment with everything totally free. This makes it harder for newcomers to learn aspnet core without the support from the community or microsoft officially

It's just one project changing a license. Yes, it's popular but there are alternatives. This happens in all ecosystems. They also have paid for things too.

The sky isn't falling.

Aaronontheweb commented 4 years ago

> Sure you can say, yes $1500 is not much in the business environment. But this is not true for all of them. For us it is a lot of money and also a lot of time that we have already invested. We now have to migrate to something different. In a healthy ecosystem, it should not happen that a pillar on which so many have built, changes the license so negatively.

Having sustainable OSS projects is part of a healthy ecosystem. If not $1500, what amount would you pay?

If the answer is "none" then you're the problem.

jbogard commented 4 years ago

If you're hosting on Azure, you might look at its Easy Auth feature for App Services. That's free, too. We use that quite a lot for the "easy" scenarios. If your situation is complex, that's when you need something more powerful, and I don't see why it must be free.

isaacabraham commented 4 years ago

In fact you have until end of 2022 to move over. That's two years.

leastprivilege commented 4 years ago

@weedkiller @bladefist (and everyone else)

As @Aaronontheweb says, pricing a product is hard. If you want to give us feedback on the pricing and explain your situation, this is not the right place to do that.

Please contact us directly https://duendesoftware.com/contact

thanks!

HassanHashemi commented 4 years ago

> Most of full stack framework out there has official package for crucial things like this (say laravel). Coming from other communities like php, node, etc, dev can build and experiment with everything totally free. This makes it harder for newcomers to learn aspnet core without the support from the community or microsoft officially.

Totally true, identity and access management should be baked into the framework as it is needed in almost any serious app.

pollumi commented 4 years ago

> > Sure you can say, yes $1500 is not much in the business environment. But this is not true for all of them. For us it is a lot of money and also a lot of time that we have already invested. We now have to migrate to something different. In a healthy ecosystem, it should not happen that a pillar on which so many have built, changes the license so negatively.
>
> Having sustainable OSS projects is part of a healthy ecosystem. If not $1500, what amount would you pay?
>
> If the answer is "none" then you're the problem.

Sorry, but this is just an arrogant statement by you. I absolutely don't want to pay anything extra (yearly!!) for such a very basic thing like identity in my framework. Again, I completely get that the IS devs need more money and want to be paid. But I (and a lot of other not so high profile devs like you) invested a lot of time into using this product since MS declared it the de facto standard. I don't expect some - again VERY BASIC - functionality in my tech stack to change the licence 180°. This is an absolutely not planned change that cost a lot of time and money. If this was a framework that helps solving some black magic math issues, I wouldn't have such problems. But we absolutely need fully FOSS solutions for the very basic things in every day life. And I don't agree that MS shouldn't fill this gap here. It was their mistake to promote IS in the first place without making sure that it keeps the same license forever.

Aaronontheweb commented 4 years ago

> I absolutely don't want to pay anything extra (yearly!!) for such a very basic thing like identity in my framework.

You don't need something as sophisticated as IS4/5 for simple use cases - there are numerous other libraries that are free. We're using Microsoft.AspNetCore.Identity in our application, which is already built in and matches your requirements exactly.

poke commented 4 years ago

> I absolutely don't want to pay anything extra (yearly!!) for such a very basic thing like identity in my framework.

  1. You're not paying anything right now to begin with. The framework and platform is already free to use. And you're likely making money from it.
  2. IdentityServer is only tangentially related to Identity management. It's an identity provider which is still a special thing you likely don't want to put into every other app.
  3. Identity management itself is built into the framework with ASP.NET Identity. That is completely unrelated to what IdentityServer offers though except that it integrates well into ASP.NET Identity.
  4. Other platforms actually often don't have solutions like IdentityServer, especially not built-in. A common alternative that I know of is Keycloak (which you can easily use for your .NET apps as well).
  5. There are other alternatives to building your own identity provider. In Azure, you could use Azure AD. On-premise you have ADFS. And you can also use free third-party services like Auth0 or just integrate other identity providers directly.
  6. If you absolutely need to ship your own identity provider, realize the complexity this involves (auth is a complex thing to master!) and consider paying for a license.
  7. You can also check out OpenIddict if you need an open (free) implementation. But who knows whether that will always stay free to use.

pollumi commented 4 years ago

> > I absolutely don't want to pay anything extra (yearly!!) for such a very basic thing like identity in my framework.
>
> You don't need something as sophisticated as IS4/5 for simple use cases - there are numerous other libraries that are free. We're using Microsoft.AspNetCore.Identity in our application, which is already built in and matches your requirements exactly.

We have 2020 and those features should be something that should be absolutely solved in a standardized way and freely available in a framework:

Again, the point here is that we invested time and money in solutions using IS for those things. Because MS said this is the way to go.

We are still in a crucial situation with .net and hoping that it gains more ppl using it. Also if Blazor should gain traction something like this just doesn't help.

clooge commented 4 years ago

> I get it that the creators need money so it is their decision whatever they want to do.
>
> For the .net ecosystem it is a rather disastrous event. As a small company that has chosen IdentityServer because it is the "official" framework of choice, both according to Microsoft and the general community, you are now facing a lot of not needed and not wanted problems. Sure you can say, yes $1500 is not much in the business environment. But this is not true for all of them. For us it is a lot of money and also a lot of time that we have already invested. We now have to migrate to something different. In a healthy ecosystem, it should not happen that a pillar on which so many have built, changes the license so negatively.
>
> Yes, open source is not about "free work" but you clearly want to have a .net ecosystem with all the basic tools that keep steady and have a very open license. It would have been better if they did the license change back then when they converted IdentityServer to .net core.

@pollumi I agree with everything you said 💯 this is a pretty core function to the Microsoft Stack, had they done it right in the first place it would have never been an issue today.

Also @Aaronontheweb is out of line with personal comments like that. What an idi0t, not ok, just because he doesn't agree with someone else's view.

Why is this closed?!

jbogard commented 4 years ago

If folks wanted this to be free, perhaps they should petition MS to sponsor the project at a level that would ensure that?

hallidev commented 4 years ago

I just want to throw my hat in because I keep seeing the $1500 number over and over in this and other threads, but I can't see how this would apply to anything but the absolute most basic IS4 implementation.

I'm putting together a solution that uses IdentityServer4 for a relatively small startup. We don't have a problem paying to support the project, which is what we thought we were doing when we paid for the Enterprise AdminUI license at $8400 / year:

https://www.identityserver.com/products/adminui

This was a stretch for us, but we chose it over similar open source projects like https://github.com/skoruba/IdentityServer4.Admin to financially support the IS4 project.

The per-client licensing model of Duende IdentityServer is what's going to make this untenable for us going forward. Let me describe our clients:

1: AdminUI (which alone is $8400 / year)
2: AdminUI Webhooks
3: Delegation gateway 1 (https://docs.identityserver.io/en/dev/topics/extension_grants.html)
4: Delegation gateway 2 (different use case, same idea. Can't be the same client)
5: Worker service 1
6: Worker service 2
7: Worker service 3

...

As you can see, we've used 7 clients (2 of which are required by the IS4-affiliated product we're already paying thousands a year for) before even getting to the part where a single actual website or mobile app exists.

Worker services (client credentials grants) come online at an alarming rate, and they're generally dead-simple pieces of code, sometimes the entire service is 100 lines of code.

I don't know how other shops are handling IS4 clients, but using Duende IdentityServer will immediately put us in the Enterprise tier at $12,000 / year, putting our total cost at over $20k / year.

I wanted to point all of this out since people may read these threads thinking "I can swing $1500 / year". I'd be shocked to find out that our setup was unique in the number of clients that end up being created. This client based pricing model is going to immediately price out many startups like the one I'm working with.

The IS4 authors deserve to be well compensated and I hope Duende IdentityServer is a success for their sake, but I'm also hoping they introduce something like a per-user pricing model.

Aaronontheweb commented 4 years ago

That's great feedback @hallidev - exactly what the Duende dudes need to hear in order to get their pricing right

isaacabraham commented 4 years ago

> Sorry, but this is just an arrogant statement by you. I absolutely don't want to pay anything extra (yearly!!) for such a very basic thing like identity in my framework.

> I don't expect some - again VERY BASIC - functionality in my tech stack to change the licence 180°.

Is this really so basic? If it's such a simple thing to do, Brock and Dominick wouldn't be able to create such a product - and you wouldn't be so disappointed at the move to a commercial model; you'd simply roll your own, or fork IS4 and continue from there.

Clearly there's complexity in auth in general and within IS, and let's not pretend otherwise.

mov-eax-eax commented 4 years ago

What about non-for-profit organizations? The rationale here is that everyone is using this product for commercial profit. Not all of us work like that.

For the dotnet team, it could be nice to have some guidance on how to integrate aspnet identity with an openid free/paid provider to offer the idp role.

It could be hard to keep up with the new licensing model since the new company doesn't have a sales/marketing rep in our country; they have a US/Europe-centric target, and the Duende name won't fly around here.

I still have hope that in the next couple of years some higher-up in Microsoft gets it and buys this excellent product, like they did before with Dundas, Minecraft and a lot of strategic assets.

NickDarvey commented 4 years ago

It's definitely not basic, it's incredibly valuable.

I think one of the tricky things with the pricing is for startups. An STS might be one of the first bits of infra you set up, and at this point your business is surviving on free trials and any credits you can wrangle from developer evangelists. IS definitely kept me coming back to dotnet even if we weren't planning to use it elsewhere.

I wish Microsoft would have sponsored the hell out of it so Brock and Dominick didn't have to worry about any of this. IS has done a lot for the dotnet ecosystem.

kilasuit commented 4 years ago

I don't have a great amount to add to this other than the below.

> I absolutely don't want to pay anything extra (yearly!!) for such a very basic thing like identity in my framework.

Identity is ANYTHING but basic, and many get it so incredibly wrong & make it very easy for their applications to be breached.

Like many others have said there are other options available

qstarin commented 4 years ago

> The per-client licensing model of Duende IdentityServer is what's going to make this untenable for us going forward.

For me it comes down to the large step functions in price, and particularly the single vs. unlimited issuers. I need multiple issuers. That puts me immediately at $12k/year. The 10 client limit is also too low in general. I'd fit under it right now but likely won't within a year or two.

$12k/year for self-hosted OIDC is also just frankly hard to stomach relative to what we pay for other licensed software components.

I'd be much more amenable to pricing that scaled linearly instead of this $7000/year jump between 10 clients and 1 issuer to unlimited. From what I can see, there's no other value add at all to the Enterprise Edition - simply the ability to go beyond 10 clients and 1 issuer.

There's pricing we'd be happy to pay to support the project and maintain our integration investment, but this isn't it.

y2k4life commented 4 years ago

Was this project sponsored by Udelt, Microsoft, Ritter Insurance Marketing, and Knab? Was there not enough sponsorship money? This list goes on Sponsors. Was this more of a thought that they can make more money by overpricing it for even the smallest of projects?

hhariri commented 4 years ago

@y2k4life Maybe before you jump to conclusions or imply things, find out all the details.

leastprivilege commented 4 years ago

Again, thanks for all the comments and feedback.

This wasn't an easy decision for us, and we are still in the process of finding the right balance. The more data we have, the better.

Please contact us directly via https://duendesoftware.com/contact

@hallidev @qstarin

@y2k4life I broke down the exact sponsorship numbers on my blog https://leastprivilege.com/2020/10/01/the-future-of-identityserver/

image

pollumi commented 4 years ago

> > Sorry, but this is just an arrogant statement by you. I absolutely don't want to pay anything extra (yearly!!) for such a very basic thing like identity in my framework.
>
> > I don't expect some - again VERY BASIC - functionality in my tech stack to change the licence 180°.
>
> Is this really so basic? If it's such a simple thing to do, Brock and Dominick wouldn't be able to create such a product - and you wouldn't be so disappointed at the move to a commercial model; you'd simply roll your own, or fork IS4 and continue from there.
>
> Clearly there's complexity in auth in general and within IS, and let's not pretend otherwise.

Having all the building blocks freely available to flexibly secure an API including a token provider is a very basic requirement of a modern ecosystem. Basic doesn't mean non-complex.

I'm disappointed that such a basic functionality now requires lots of unplanned work and time. It was considered a done thing in my (and I'm sure in countless other) services. Yes in the dark ages I actually created a /token endpoint myself. But as we all agree upon, that is something you don't do anymore in 2020. You let the framework take care of those things that you just really need if you have API services. Which I guess is not that unusual. Just basic use cases.

Maybe Keycloak can fill the gap but I actually absolutely love having a .net only stack.

clooge commented 4 years ago

I agree you got to get paid, but I think this has turned out to become an exploit by Duende with Microsoft Complacency. Sad to say it, but with timing it boils down to being opportunistic, adoption was very low till the fantastic/free Skoruba.Admin GUI kicked in which is what really made it popular.


Lacking:

In many ways the lacking Full reference implementation including the GUI component in the identity management reference implementation/template is what creates a lot of confusion. If you look on Stack Overflow there are many many questions handling identity and user/roles/claims management.


image


And here there was very little activity before @jskoruba put up his free admin GUI

image

poke commented 4 years ago

> If you look on Stack Overflow there are many many question handling identity and user/roles/claims management

Yet, none of that is directly related to IdentityServer.

Don't confuse ASP.NET Identity with what IdentityServer does.

adamhathcock commented 4 years ago

> > If you look on Stack Overflow there are many many question handling identity and user/roles/claims management
>
> Yet, none of that is directly related to IdentityServer.
>
> Don't confuse ASP.NET Identity with what IdentityServer does.

I think a lot of people are confused and have been for a while.

The name IdentityServer is so generic that people thought it was required. It doesn't help that the official docs say "Identity with SPA" is a how to with IS4. That's so overblown and doesn't acknowledge the cases of when to use OpenID and when not.

Just found this out on a Reddit discussion today: https://www.reddit.com/r/dotnet/comments/j4wl93/question_about_jwt_implementation_best_practices/

Aaronontheweb commented 4 years ago

@clooge you realize that's a commit graph, right? That has everything to do with the amount of code changes being committed and none to do with how often the project is adopted by end-users? Plus those code changes are overwhelmingly committed by the two original maintainers of the project

image

Then again, I'm not surprised users with blank Github profiles might be confused by how OSS is actually produced.

Bringing this back to ASP.NET Core - Identity is already built-in. As @poke explained very well:

> IdentityServer is only tangentially related to Identity management. It's an identity provider which is still a special thing you likely don't want to put into every other app.
>
> Identity management itself is built into the framework with ASP.NET Identity. That is completely unrelated to what IdentityServer offers though except that it integrates well into ASP.NET Identity.
>
> Other platforms actually often don't have solutions like IdentityServer, especially not built-in. A common alternative that I know of is Keycloak (which you can easily use for your .NET apps as well).

If the issue at-hand here is that now you have to migrate IS to something else, guess what:

  1. You can keep using IS4, supported by the IS team on Github, up until Dec 31 2022, for free.
  2. After that... you can still keep using it, but they're not going to be patching bugs for free anymore.
  3. So in the event that you really do run into a critical problem, you can fork IS4 and patch it yourself if needed.

blowdart commented 4 years ago

We're done here and I'm locking the issue. Some of you were hopping over the line, some of you hopped over it, sprinted in the wrong direction and then threw things from 2.7 miles past the line.

In any case, this is not the venue to discuss Duende's pricing, what open source means, and whether Microsoft should produce everything and kill off the .NET open source ecosystem in the process. After all, one of the reasons we went with Identity Server in the first place was the community reaction to our suggestion we produced a simple authorization service, and the loud and clear message we shouldn't try to reinvent something that already had a good open source solution.

Once .NET 5 is done and dusted I'm sure we'll have senior msft folks come up with an appropriate venue for a wider discussion over some of the issues.

I will remind all of you we have a code of conduct.