License changed to Strongloop?

[asanchezdelc]

What's the deal with the new license? this repo still heavily uses the oauth2orize module? Any information in regards to this matter will be great. Thanks!

[JonnyBGod]

Same doubts here, what is the plan for this component? Will it be a subscription only component or will it be possible to use as a community component?

At the moment I cannot even figure out how to enable it... When checking the licenses page in Arc it says that "Strongloop Gateway" is coming soon and no license is available.

The impression I had was that the Gateway would be a paid product while the component itself would be free.

[wascou]

+1

[mbenaissa]

+1

[PuKoren]

+1, can't udate the package to v2, licence blocks startup and there is no way to get the licence in Arc ("coming soon")

[claylo]

Luckily for us, we can fork at 2.0.0-rc3. See CHANGES.md

https://github.com/strongloop/loopback-component-oauth2/commit/2422c47d9a80928c895200cafc170dc86b184fe0

[PuKoren]

Well we can fork anywhere and just remove the require('strongloop-license') in lib/index.js but it would be great if they remove the licencing on this module since they version another open source project code in it

[claylo]

@PutKoren I'm not sure that's true. I skimmed the license file enough to see that it would take an unflattering view of what you propose. Cleaner to just fork it before the license change.

[raymondfeng]

• The loopback-component-oauth2 module has been evolved into an enterprise feature. It was built on top of oauth2orize which only implements the basic oAuth2 protocol (dealing with HTTP req/res for oAuth2). We have put significant efforts to make loopback-component-oauth2 a fully-fledged oAuth2 provider. Such enhancements include:
  • oAuth2 metadata (client app, user, token, code, scope, permission) management and persistence
  • much more validations based on the metadata, for example, each client app can be constrained for certain features
  • token revoke endpoint
  • JWT
  • MAC token

We change the license to better support the module in a sustainable way. We'll continue to invest resources to maintain and build this module to be a robust oAuth2 provider.

• To get your trial license, please contact sales@strongloop.com. We love to hear your use cases and work with you!
• The versions (<=2.0.0-rc3) before the license change are still under Dual Artistic-2.0/StrongLoop. But you can NOT fork the current version (>=2.0.0) and remove the license check as @PuKoren hinted. The other option is to use oauth2orize module directly and add your own plumbing.

[altsang]

as @raymondfeng pointed out, if you only need Oauth2, you can use oauth2orize or fork at a prior version, the commercial features asked by our customers were built on top of the component for our Gateway to handle backend pass-through auth and identity.

We have starter subscription packages for individual devs and small startups a like.

[asanchezdelc]

@raymondfeng @altsang Thanks for the clarification. I went ahead and forked the repo at an earlier commit as suggested, located here: loopback-oauth2orize

[claylo]

@raymondfeng @altsang I'm curious why you guys didn't go with a dual license on this component, as you have with others. Why did this one get special treatment?

[asanchezdelc]

@claylo I would think that somehow they need to make money and oAuth2 falls in their "paid" subscription model. StrongLoop Pricing

[claylo]

@qbanguy Red Hat makes plenty of money and have not had to resort to yanking the open source heart out of their flavor of Linux. CentOS keeps the pace quite nicely with RHEL, and that doesn't impact Red Hat's bottom line in a noticeable way.

It does feel sneaky. The component was developed all along with input from users like you and me, under the guise of contributing to an open source library. yeah, we can keep on with your fork, but it's just a poor choice on Strongloop's part. Did the Enterprise JavaScript world learn nothing from Sencha's similar licensing snafu a few years back? Apparently not.

[asanchezdelc]

@claylo Can't agree more.

[altsang]

heard loud and clear @claylo and @qbanguy - just speaking from my POV we've contributed a lot of OSS and most of it has been either MIT or dual licensed.

There wasn't anything intentionally deceptive. We could've created a separate private commercial fork, but in the interest of our company - we need to able to show we have these enterprise capabilities. That being said I can understand why it's been perceived that way. BTW - most of the the input where we flipped the license was done after being onsite with customers for their features. We're an early stage startup. If we had the user base of RHEL for RH or Spring for VMWare we probably wouldn't be worrying about the bottom line. Candidly - we've found that we've release a lot of functionality that folks have used without benefitting ourselves commercially. What to do about the other way around - that's our challenge.

[JonnyBGod]

That is all true and all of us would love to see you thrive. The problem here is that yet again you take this decision lightly, without any consultation to your user base and contributors and with zero preparation time.

When I find out about something like this through an error in my console, SOMETHING IS REALLY BAD.

This is not the second or third time you make decisions like this and a lot of us have invested a lot of time with your framework just to feel deceived every now and then.

Just another point to try to help you out with your business model, it is impossible for you to monetize on something that I can use by simply commenting one line even if against your licensing. If you are trying to do it you will fail for sure.

Make services with your opensource software. Arc is a good example, the rest is just a no go.

What is the point in saying "you can do your own" anyway? Are you saying copy us but not literally? You will just loose your community and they will start competing with you. So good luck with it...

[claylo]

@altsang You'll notice that the companies you cite didn't pull the licensing rug out from their initial user base in the name of generating revenue sooner.

I get struggling startups. I even get struggling startups in the API gateway world, as a co-founder of Mashery. The fact remains you guys went into the open source enterprise software business, presumably with the intent to generate revenues by value adds such as debugging dashboards, production monitoring, strong-pm, support & training, etc.

It's not as though the need to generate revenue on the back of open source software you're contributing to snuck up on you.

Its a risky move that doesn't guarantee a boost in revenues you couldn't have gotten through support contracts ... but it does guarantee some pissed off developers. You've made your choice.

I would argue it's not too late to solve by dual-licensing. If you choose not to dual-license this component, don't be surprised if the open source community doubts you in the future. These are the types of moves that burned Sencha's house down. "Guys, we're getting some traction! Quick! Set the house on fire!" It just strikes me as a very short-sighted decision with a clear downside and a very debatable upside.

Yes, it's your challenge. You knew that when you guys launched the first package. So while I sympathize with the strapped part, please don't bullshit us on it being some kind of emergency ripcord you needed to pull in order to save the business.

We're all grateful for the OSS you guys have contributed, MIT or dual-licensed, which is why we have all contributed patches and gotten behind you, building services on unstable software and providing feedback. It was for the benefit of all of us ... but for some reason you still have not clearly articulated, the OAuth2 component somehow qualifies for special consideration in a license change.

You gotta do what you've got to do. But while thinking of the interest of your company, don't forget its the open source supporters like those on this thread that built the kinds of libraries you guys forked to build the LoopBack stack in the first place that keep you afloat. We're the guys who carry the sway with the companies who write the enterprise licensing checks. Are you certain you want to deliberately cause us to start questioning your intentions? To wonder if you'll yank the licensing rug out from under us with the next release of some component?

[asanchezdelc]

I invested lots of time learning the docs and you structure specially your examples. I even forked your loopback-gateway2, because it did not work with this component.

Anyways, after seeing the license change without notice, it was a big flag(no-no) for us. The funny thing is that we were going to use StrongLoop services in the long run. However, the way you handled this made us go with another framework.

[altsang]

I don't make the call on the licensing. As an OSS supporter and a member of this company I understand both areas and am vocal in advocating both view points both internally and externally.

Again, there's no deception on my part nor that of SL's part, so I don't see the need to callout for "bullshitting" anyone - but your remarks and choice of diction are your own. One would hope that with all the good we do with no angle to ever monetize that you'd be given the benefit of the doubt. No such luck I suppose on the goodwill of this representative set of the community.

I'm more than happy to see if this component can be made dual licensed.

[thpham]

it's really not cool, I invested couple of days with a prototype. I removed the trial licenses and I see my project is unable to work without ... why there is no message on the readme page that tell us this component is not under license !?

[itamar-Cohen]

hi, insted StrongLoop API Gateway i reccomend https://tyk.io it is open source, self-hosted, full-featured API management, gateway, dashboard (close source but free to use) and host manager

[BoLaMN]

Hey All,

Ive been working on an open source oauth2 component to solve this issue. its not complete yet but its starting to come together if anyone wants to check it out go look at my github repo.

[chris-hammons]

Hello all,

It looks like the license has now changed to be "Property of IBM IBM StrongLoop Software Copyright IBM Corp. 2016". With this new license, can this component now be used as is with a loopback project not on apiconnect at no cost? Or does it now require a subscription to apiconnect to use it at all?

[chandadharap]

This was most likely oversight on our part when we moved to another org. @raymondfeng can we make this MIT. Feel free to assign to the correct person to make it happen. @rmg FYI.

[raymondfeng]

+1 to switch back to MIT license. I think the circumstance has changed since 2015.

[superkhau]

PR at https://github.com/strongloop/loopback-component-oauth2/pull/61

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale[bot]]

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.