ASP.NET Core 6 and Authentication Servers Discussion #32494
Comments
blowdart
added
area-identity
|
👀 |
|
Ugh, Being one of the many that opted to use Identity Server due to its Open Source nature, it just really feels like a bait and switch especially since the project was included in official templates and used in the official .Net Core documentation. Really wishing I hadn't opted to use it. |
Is this true? The wording in their license makes it seem it's only free for one year. |
|
I'm moving my ASP.NET Identity projects to use https://github.com/openiddict/openiddict-core |
|
@DavidZidar they had seen and approved the wording so I presume it's correct. Clarity could come from @leastprivilege |
|
Is it not possible for Microsoft to provide some continuity for those of us who used the IdentityServer samples in good faith? I can understand where the developers are coming from, as I've been in the same position myself. You can find yourself doing a lot of unpaid work maintaining a code base, and it doesn't lead to enough consulting revenue to justify it. At the same time, it seems unfortunate to say the least that people who relied on the ASP.NET samples are now in the position of having to pay a third party for a licence. (That is, once the current edition of IdentityServer becomes EOL.) All that is really needed in my opinion is for any security issues with the IdentityServer4 series to be addressed, and for it it be ported to future releases of .NET. It's fair enough that if you want new functionality, you might have to use a different package with different licensing terms. I can't imagine that it would be a huge expense for Microsoft to take on the maintenance role for IdentityServer4, and perhaps they could even pay the current developers to do so? |
|
As stated we are not authentication experts, we have no expertise in writing or maintaining an authentication server. We have a team at Microsoft dedicated to that, and they produce AAD. The .NET team will not be writing production ready authentication servers, both because of the cost in that and because in doing so it's likely we'll cannibalize users from existing open source projects, something the community was very vocal in wanting us not to do when the initial discussions around IdentityServer inclusion was started. We explored options around IS4 with no outcome we felt comfortable with. Templates are meant as a starting point for you to go forward from, and that going forward should include reviewing what authentication options are safest, and best value for you. |
If your company or organization makes less than 1M USD per year then it's free. |
|
I also think it would be better to: a. remove the sample nothing against duende, but if they are paid they can also create a easy to use template by themself, no reason to put effort into maintaining it. |
|
@brockallen Thank you for the clarification. Your license is using the wording "for one year" and it is not explained further which is confusing. |
I think you're conflating "Open Source" with "free". I have several quite popular OSS projects, and I do next to zero work on these for free. If one of my projects dies, it's because no one wants to pay for me to maintain it. I suppose that's a form of bait and switch, but I'm not doing free work for people. If you want these OSS projects to survive/thrive, I suggest you find a way for your place of employment to support these projects financially. |
I've been searching for a long time for a lightweight .NET solution providing this kind of service. In Nodejs land, I'm relying on oauth2-mock-server which is pretty interesting from an automated test standpoint, especially in the way it allows to dynamically tweak the auth server behavior. @blowdart Is there an issue tracking this OIDC dev/test tooling investigation to which I could subscribe to? |
Sure, then you renew the license and if you're still under 1M/year you can still use it for free. Hope that helps. |
|
@nulltoken Not yet, planning for 7 hasn;t even started :) |
|
@schmitch I'm afraid the decision is made. We are sticking with IdentityServer. We won't be removing samples, or switching to OpenIddict. Of course the community is free to make its own templates around OpenIddict if you don't like what they provide. |
We are a small company from Argentina, the limit of $1M USD is fine, but "5 clients" 😞 |
If you want but you must warn the user that to use it in production it will need to pay 1500 usd by year. I assume default template cannot contain paying solution. And i'm pretty sure i'm far from being alone.
What are the other existing Open Source projects you fear to canibalize. I fear i know none.
And i agree with you on the fact it's a project quite complex since it need to have specific expert to maintained. That why they can make you pay 1500 + 300 * UserCount usd by year. Because they no there will not be any other solution for those who been bait. What i found funny is that for Json serializer you hire the Author. So there is a solution...
Maybe but i remember when i start programing before dotnet core before DNX back in 2010 i read a post about .Net framework being openSource just because there where a few file on a web site. Well the community did not consider .Net framework open Source and i still don't. It's free there some file publish. But it's not open source if you are not really open source.
Yes and there is several solution to get payed. ReactUI lived for years. And even if they are coupled with MS as i understand they are not financed by it. And use a lot of way to be financed.
Sorry i thougth this issue was intended to discuss a subject. Are you saying we are not allow to talk. I understand the decision was made but the point of us (At least for me) to respond is to make sure you understand that we do not take the fact lightly and it's a really important lost and we hoped to find a solution together. Personnaly i don't ask for you to make an identity server from scratch or even to support it alone. But there is other solution like :
One of the reason why .Net framework was not consider Open source was not only because there were not all the file. But also because you cannot discuss to find other solution. To me communication is the point of open source. Sorry it was a bit long response. |
|
@GeraudFabien When I say the decision is made I mean you are free to discuss it, but discussion will not change the decision. Microsoft has an identity solution in AAD, which is free for up to 500,000 objects, and that's where the specialists are. We in .NET provide frameworks for you to build solutions on. The community also told us loud and clear we shouldn't write our own because it would crush open source projects, and so we didn't. IdentityServer gives an f5 runnable scenario which is something the community tells us is important. The licensing for commercial use hopefully makes it a sustainable open-source project too. |
it isn't open source.
openiddict, is too.
yes, but you should also not promote the one which is not open source (especially if there are two)
uf that is a clear stance, on something so simple as a template, which can easily transfered to duende and they can easily provide a simple way to install them, like dotvvm does (also commerical, at least some parts). |
As i say that not what i ask. I just ask for a solution and a documentation for smaller project that can't use this solution. Awesome dotnet doesn't have other solution. So what solution is there to have a server. And that also why the fact to use it on the template is also a bad idea since the template is also use has base for small project. @schmitch isn't openiddict only a client? From my souvenir it didn't do server. |
|
RPL licensed code is accepted as an open source license. Of course, the community is also free to fork IdentityServer4 and continue to patch it, but we wouldn't switch to magically. As for moving a template to Duende, sure, that's possible, but then you end up with no spa authentication templates, or webapi authentication templates at all, as, like I said, we're not using another server, so your solution would mean no templates until you take a guesture, which makes it hard to discover. |
their licens is not the RPL. their license is:
@GeraudFabien it's a server, a client would be identitymodel |
@blowdart : we're discussing potential ways-out of this situation. So, I'm trying to estimate how feasible and realistic is option of simply continuing to support IdentityServer4, if new maintainers are found. No? |
|
That's still a community question rather than an aspnet one. The .net has no interest in forking or maintaining IdentitySever. |
|
"Simply" Browser security standards change and evolve constantly as do the client/server protocols. There is nothing simple about any of that. This isn't updating target frameworks every year or so on your spare time, it's several full-time jobs, as has been proven. |
|
Duende made their decision. Microsoft respects it and as I've said we already have a product in AAD which we believe offers a safer experience than having an app hold its own credentials. If the community wants to fork identity server they are free to do so, but Microsoft will not do it as, like we stated, we'll be looking at removing any local production focussed oauth service from all templates. Again the community can, of course, produce community templates which integrate OpenIddict or any new auth server. |
|
@blowdart "as I've said we already have a product in AAD which we believe offers a safer experience than having an app hold its own credentials." Saying everybody should just switch and use AAD is too simple IMO. AAD isn't for everybody and has also some negative sides (besides many positive). Without the Identity Server templates for (for example) Blazor WASM & Web API Microsoft doesn't offer any template anymore for authorization/authentication with a local DB. I just can't imagine this is what Microsoft wants, specially now that .NET 5/6 is attracting so many new devs. Furthermore oauth isn't the only way that leads to Rome, there are easier (and pretty safe) solutions like this one from Chris Sainty. My question is: besides oauth is Microsoft thinking about templates (or docs) like the one from Chris Sainty |
And this sort of sales mindset is exactly what makes MS a poor custodian of .NET Foundation, riddled with conflicts of interest with CEOs agenda (mind you, in desktop side of .net this conflict is even worse than here, they are openly hostile to any attempts to advance and port desktop development). If .NET Foundation is just a front store for sale of Azure services, you should at least go ahead and admit it so people can plan accordingly for being dependent on you, don't spin this like you are doing us all a service by savings us from the perils of data protection while in reality you are doing a sales pitch for vendor lock-in (and once credentials are stored in AAD, it becomes a vendor lock-in). This all reads like some bizarre EEE story in "open source", executed with all the elegance of an elephant in a glass store. No wonder there is so much resistance even from server side Linux crews to adopt .net core. Everyone is literally expecting the masks to fall off. Just my 2 cents, but I suspect you are already aware of the emperor's new clothes. Now, let the fanboy pushback begin... |
Especially new devs should avoid thinking that they need a custom authentication server. Despite what everyone appears to think, having to roll your own identity provider is a special thing one should only do if you actually know and understand the consequences (and security implications). @the-black-wolf We got into exactly this situation exactly because all those consumers of open source not giving a shit about the maintainers they continued to rely on. Don't compare this with other foundations which exist with a more healthy open source ecosystem where commercial offers are totally normal and accepted. But no, when this happens in .NET, people complain that Microsoft should provide these things for free — but without them looking for avenues to actually sell anything. |
|
@poke I'm not talking about an auth sever. Click the second link. |
|
@JeepNL ASP.NET Core Identity is a very different thing than IdentityServer. The former is not going away so if that's what you are talking about, you are misunderstanding this thread. |
|
@poke Thank you for your nice comment. |
|
I really don't have the time (and the energy) for this,. Man oh man, what is it with these devs. Goodbye, |
@JeepNL amusingly, Chris' blog post is actually all about OAuth:
It's also interesting to note that Chris used
@the-black-wolf very interesting: I got renewed as a MVP a week ago - like most other MVPs - and this is exactly the criticism I made regarding the MVP program 😃
@blowdart well, that kind of contribution could also come from Microsoft, no? When I read https://github.com/microsoft/dotnet/blob/master/docs/ecosystem-issues.md last year, I really hoped the Microsoft-OSS community relationship would stop being one-way. Things had largely improved when MSFT decided to use and sponsor a third-party OSS project like IdentityServer so it's sad to see the situation is now regressing. Fun fact: soon after my ASP.NET Core 6 and authentication servers: the real bait and switch is not the one you think post was published, I received a few nice emails. One even suggested that projects like OpenIddict should be sponsored by Microsoft, just like IdentityServer was (and still is, actually). I doubt it will happen due to politics, but I would be very happy if MSFT contributed more to third-party OSS projects: not necessarily by giving money but also by dedicating a little bit of time to these projects. The truth is they don't: I asked for help to implement Project Tye in the OpenIddict samples (I asked on Twitter and emailed someone from the ASP.NET team): nobody offered to help. Even the very few GitHub tickets I open - like dotnet/runtime#52611 or AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1641 - don't get much traction. |
Nothing against the dotnet team, as the work they're doing in the space is incredible, - but the AAD product is ... lacking at best. It's slow, clunky, and error-prone, and I've found numerous glaring issues with it even when using it in Microsoft's own products. If you can't get a seamless AAD experience in the Azure Portal, then there's no way in hell I'd trust or recommend it anywhere else. The beauty of offerings like Identity Server were the performance and ease of use they offered. You're absolutely right that security/auth requires specialists, and that's exactly what @brockallen and his team are. If anything, I'd prefer to see Microsoft support the Identity Server team (and others like them) more, so they don't need to resort to a paid commercial model, or at least help subsidize the license. The internet is growing more and more security conscious, and you're giving up a gem if you let Identity Server fall to the wayside. AAD has way too much baggage for most use cases. There are places where it's appropriate, but for the majority of users - their new startup isn't it. Nothing screams "security" like Microsoft Support spending weeks failing to assist us when we deleted the only account that had the super-duper-above-owner-above-co-administrator-above-administrator-no-this-role-is-more-elevated-than-all-the-others role. What did work? Me re-creating the email address on gmail, and signing back up to Microsoft with that account. Voila - the account we had deleted was suddenly super-duper-admin again - back from the dead. I'm still locked out of billing on half our subscriptions - despite being a billing admin (different account). Nothing screams "user-friendly" like 20,000 default roles to choose from. Ah fuck it, just give them all And to be clear - yes, I realize there's a reason/purpose for all those roles, but like I said - there's a time and a place. Hell, even just hiding roles that have no impact on provisioned resources would get rid of 19,980 roles, and leave things looking much less intimidating. You shouldn't need to hire Microsoft Professional Services to figure out your Security Roles, just like you shouldn't need to hire Professional Services to figure out Licensing costs - but that's what Microsoft is good at. |
@poke I'm afraid you're misunderstanding each other. What @JeepNL is saying is that Microsoft should create and maintain templates and guides for auth, with multiple OAuth providers other non-OAuth scenarios. I agree completely. After all these comments, I think much of this issue can be resolved if there were a comprehensive set of docs and templates that have working auth setups with a multitude of providers - with clear notice about free, open-source, commercial costs. It would help steer people (both novices and experts alike) to the best choice for their situation without hunting around for blog posts and github threads, and it's far less work than maintaining an entire library. Perhaps still more than what the MS team is willing to do, but I think it's the best compromise for all involved. |
|
Why is MS the one that's supposed to fund this? They have a product already, why would they build two. MS could of course dump money into the .NET Foundation, or take over projects, or put out their own library. None of those leads to a healthy OSS ecosystem. What makes a healthy OSS ecosystem is the community. If your company benefits from .NET Foundation projects, why isn't your company a sponsor? I'm a .NET Foundation member, and my company pays my annual dues. If you're only a consumer, you're not truly participating in the community. |
@kevinchalet Oops, my bad. I think I should've said 'OAuth Servers' or perhaps "Token Servers" like Identity Server and OpenIddict. It's actually your blog post, which I've mentioned in that comment (first link) why I wrote an extra comment here. I don't particularly enjoy this thread, and I've read each and every comment and wrote a couple. I would like to have a template (or docs) provided by Microsoft which uses Microsoft Identity and a local DB (for Blazor WASM / Web API's) without the need for an oauth server. And the point you're making about Chris' code " I only started using Identity Server because Microsoft supported it with default templates, a whole lot of docs and even support on GitHub. In fact Identity Server was the only templated option for using Individual Accounts with Blazor WASM & Web API. I spent a lot of time learning and implementing Identity Server, so when Duende made their decision to change their licensing terms it came as a bit of shock to me. I didn't anticipate on that. But okay, it's their product and I understand their decision (for the most part) also. 'So what now', I thought. Well, I waited for 7 months for an answer from Microsoft but their 'this decision is final' doesn't offer me (and many other devs) any answers or solutions only more questions. And questions from me on their blog or here about this are being left unanswered (which is a first, thank you very much). So again, what to do now? Well, there's your OpenIddict which is a great project and I've the utmost respect for you developing and maintaining it. But what about the future? Maybe you'll choose the same path Duende has chosen, and I wouldn't blame you. Or maybe you just abandon it because maintaining such a big open source project just isn't any fun anymore with all the comments/questions you get and the lack of support (and answers to your questions) from Microsoft. And again, I wouldn't blame you. I don't need an OAuth Server/AAD/Okta for my projects, the code from Chris' blog post is more than enough for me, but it's from 2019. I tried to update it to ASP.NET 6 Preview 4/5 and made a GitHub repo of it. But now you say Chris shouldn't have used Duende's decision and Microsoft's decision to abandon supporting an oath server for individual accounts all together has also consequences in choosing other OSS libraries. If you can't trust Microsoft anymore to support a vital part of your project, who can you trust? So that's why I like Chris' solution so much. It leaves me independent of any decision anyone makes. For now and in the future. And to Microsoft pushing AAD here (and on Twitter and everywhere) again and again and not acknowledging other needs I want to say this: Will it be free forever? Can you promise me that? In writing? And what about my data. Is it really mine? FYI: It's a rhetorical question, I don't expect any answers anymore from Microsoft in this thread. Like I said, this thread is everything except fun. @manigandham Thank you for your comment, that's exactly what I meant. And you describe it far better than me. |
|
@jbogard So we are now in "post open source" world? So let's all move to paid solutions? Last I remember, and it seems like it was yesterday, is MS having mouth full of "open source is the future". What is the point of .NET Foundation, if not helping OSS projects that Microsoft see a benefit from? Actually, backing by .NET Foundation persuaded (and misguided) too many people to start relying on IdentityServer in production. So, basically, narrative has changed 180 degrees now. |
Like IdentityServer or OpenIddict, Chris' solution uses Microsoft's IdentityModel project to generate and validate JWT tokens: should this project disappear, he'd be left in an unsupported state like everyone else. You may think that such a critical stack couldn't be abandoned but sadly, you'd be wrong, as history proved that even something heavily used in MSFT's cloud solutions can be severely underfunded. Here's what I posted about IdentityModel in 2016:
(amusingly, that thread was almost immediately closed by @blowdart. I'm glad he's now less inclined to close important discussions so quickly 🤣 )
Regarding OpenIddict, I started working on it in 2015 and well, it's still here, free and open source 😄 At some point, it's sadly a risk you have to accept. And the less you contribute to and sponsor OSS projects your business depends on, the greater the risk is. |
Haven't thought about that! I can't imagine it will happen, but you're right because recently I've been 100% wrong about 'something' similar :) And seeing how Microsoft is pushing AAD here and now, it is something I should anticipate on. OMG, I think I'm having a little panic attack right now 😉 The difference with Crhis' code from his blog post with Identity Server and OpenIddict is it's all what I need and it is simple enough for me so I could maintain it myself with some help from others and available docs about Microsoft Identity, as long as it is supported, yes. In the next coming weeks I'll reserve some time to play with OpenIddict because you'll never know what can happen next and having more options sounds pretty smart to me right now. Thank you for your reply. |
|
The .NET Foundation exists to provide support and services to its member projects, grow the .NET developer userbase, and help ensure the health of the ecosystem. It does not control member projects. We provide things like CLA bots, code signing services, legal and other professional services, cloud hosting, and more. Microsoft does not control the .NET Foundation; its board does and the board is elected by the members. Our annual election is coming up and I welcome everyone to join as a member and vote. The Foundation is not a front for Azure or any other provider. Amazon AWS is also a sponsor and we regularly promote their .NET content. We want to see and promote the use of .NET everywhere. |
|
@clairernovotny Thank you putting it in very clear words. This is what I assumed from Microsoft's .NET Foundation announcements back in the day. I just want to emphasize "grow the .NET developer userbase, and help ensure the health of the ecosystem." and maybe add direct/indirect help funding projects. Nobody implied that Microsoft controls .NET Foundation, but - .NET Foundation can hardly create healthy .NET ecosystem, if .NET Core teams within Microsoft make decisions going against it. For example, topic of this thread - not recognizing a benefit of (real) OSS OpenID Connect solution implemented in .NET, even if with most basic level of features. Instead, we had arguments here like "Microsoft backed OpenID Connect server would ruin OSS", ".NET does not have proper OSS community", "software can only be supported if it's paid", "move everything to AAD", etc.... |
|
Microsoft SHOULD do the following:
|
|
Okay, as deep as I read and try to understand, I think we could close this discussion for IdentityServer being part or built-in on the .NET. We should respect Duende Software decision and whatever Microsoft decision as well. I also think @clairernovotny make a clear explanation on the .NET Foundation position and their members regarding OSS projects. Let's move on and keep supporting OSS. We are the one who use it, we learn from it, we contribute, we leverage from it, and we love it. So, let's support it and there is always an option. @blowdart: IMO, this discussion will go nowhere as both parties had made their decision firmly. Regarding .NET 7 OpenId Connect tooling initiative, I think we can have separate issue thread on the matter. Looks like interesting to discuss. |
|
To be frank, which obviously I'd prefer folks to use AAD, because I believe we provide a better experience for that, I'd be happy with any managed identity provider rather than you having a local database full of credentials, and the management and gdpr headaches that involves, be it okta, amazon, google or whomever. |
|
However, yes, I think this has run its course as an issue, so I'm closing it. The approach isn't going to change until .NET 7, and when we're planning for that a new issue on a test server and its features will appear for comment. |
|
My last comment here:
@blowdart We all do and I believe we all agreed. However, sometimes we just want to develop locally first using OpenId Connect. And we can do it on a beach without internet connection or just for simple Run. Otherwise, we might need internet connection just to test client credentials. I mean an IoT device must test and must register the web API, setting up configuration via portal, etc. It is a bit counter productive IMO. Here is my input for MicrosoftCould there be some kind of AAD emulator like Azure Storage or Cosmos DB emulator? If we can do this. All problem solved, at least for me. |
|
Funnily enough that's what I'm looking at providing. |
and others
In .NET 3.0 we began shipping IdentityServer4 as part of our template to support the issuing of JWT tokens for SPA and Blazor applications. Sometime after we shipped, the IdentityServer team made an announcement changing the license for future versions of IdentityServer to a reciprocal public license – a license where the code is still open source but if used for commercial purposes then a paid license must be bought. This type of approach is common in the open-source world, where sustaining an income is difficult as your project becomes your full-time work.
Two of the reasons behind the choice to ship IdentityServer was the community’s well-expressed desire that we did not compete with an established open-source project and IdentityServer’s deep knowledge of the identity space. The .NET team are not OAuth and OIDC experts as we focus on providing building blocks for your application and a starting point from which you can be successful. Creating and sustaining an authentication server is a full-time endeavor, and Microsoft already has a team and a product in that area, Azure Active Directory, which allows 500,000 objects for free. The ASP.NET team feels a managed cloud solution remains the best practical option for developers – the security is managed, you don’t store credentials locally with the risks that presents, and new features like passwordless authentication appear seamlessly in your authentication workflow. However, we also realize that a cloud solution can be impossible for some customers due to regulatory or data sovereignty concerns.
For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL licensed version. We continue to think this is the most mature option for creating self-deployed, locally hosted token service with ASP.NET Core. We will make the licensing requirement clear if you are using a template that includes Duende IdentityServer. The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in used in a commercial setting if the entity or organization makes more than 1M USD/year. The previous version of IdentityServer will continue to be supported for as long as .NET 5 is supported, until around February 2022.
For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. You will always be free to choose whatever identity system is best for you in production by updating a few lines of code when you’re ready to go live. We’re committed to giving you options for production identity systems now and going forward.
The text was updated successfully, but these errors were encountered: