lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

License Confusion #475

Open rcludwick opened 2 years ago

rcludwick commented 2 years ago

At work, there's confusion around the license. It looks like it's open source BSD license, but the website says it's BSD only for open source projects. I believe that's been fixed in the repo, but not the website.

I believe two things will solve this.

  1. Remove the commercial license from the repo and move it to the website or clarify the license is for commercial support only.
  2. Clarify that all projects may use the BSD license, but that purchased support will follow the commercial license.

It's a great library. I'd hate to not use it because of this.

bjmc commented 2 years ago

I know developers don't always control the purse strings, but IMHO if your company is making money using free software, you should just pony up for a commercial license to support the authors of that software. Getting cheap about this stuff is how you wind up with two part-time devs maintaining core infrastructure out of the goodness of their hearts.

rcludwick commented 2 years ago

@bjmc

I think you're absolutely spot on here. And that's a conversation that needs to happen with managers, not typically the devs -- because as you say, we don't hold the purse strings -- and I certainly don't here.

But as I understand the license terms of this project, purchasing of commercial support is not required for commercial use. And that's what I want clarified.

Otherwise this project is not open source under the various definitions of open source software.

lepture commented 2 years ago

As said on readme:

If your company is creating a closed source OAuth provider, it is strongly suggested that your company purchasing a commercial license.

No confusion from readme.

rcludwick commented 2 years ago
  1. We're not creating our own closed source OAuth provider. We're using the client functionality. For an OAuth client $1000/yr is too much.

Also, it should be pretty clear I'm using the django_client from this GitHub issue in 2020.

https://github.com/lepture/authlib/issues/216

  1. The website says this:

Authlib Licenses

Authlib offers two licenses, one is BSD for open source projects, one is a commercial license for closed source projects.

https://docs.authlib.org/en/latest/community/licenses.html

So license lawyers read that, and it's pretty clear that if that is true, then your software really isn't OSS.

I recommend using the same language from the README on the website.

v3ss0n commented 1 year ago

Then, if I start a startup project using authlib, just for social login, do I have to pay? I won't even know if I would make money or not.

lepture commented 1 year ago

@v3ss0n You don't have to. Just choose the BSD license.

v3ss0n commented 1 year ago

Oh, then that's great. We have confusion in the open source community with permissive licensing: should we use yours or not? Better clear it up somewhere in which cases it is not eligible for this lib to be used. For example, building a competing closed source product like Auth0 that uses your library and selling it. (I think that's the case?)
I had mentioned this case in the topic below, in case you want to explain.

rcludwick commented 1 year ago

I think this sums up the situation perfectly.

https://github.com/starlite-api/starlite/issues/878#issuecomment-1483264075

Website says one thing. PyPI says another. This comment thread says a third.