The Near Future of IdentityServer and Best Alternatives of IdentityServer4

On October 1, 2020, Dominick Baier, one of the IdentityServer founders, published an article that confused the IT community. IdentityServer would rebrand and change its monetization policy starting November 2022.
Initially, the goal of the project was to promote the product, but now the priority has shifted. The IdentityServer team transformed the product from a hobby project into a real business. The reasons for this decision were the following:
- The IdentityServer became too difficult to manage and support due to its increased popularity.
- The project doesn’t cover the cost of running and maintaining the core project and codebase.
So, what’s in store for software projects which rely heavily on IdentityServer? And what does it have to do with Duende Software?
What is IdentityServer?
An identity server is the control center of the IT infrastructure: it defines who connects to what IT resources within the organization. To make this concrete, imagine that all interaction scenarios between users and applications must be protected from unauthorized use. Such protection relies on Identity Management: the process of identifying, authenticating, and authorizing individuals or groups of people to have access to applications, systems or networks by associating user rights and restrictions with established identities.
IdentityServer (IS) is an open-source OpenID Connect and OAuth 2.0 framework for ASP.NET Core that’s especially favored in the dev community. Being officially certified, IS gives people a starting point for building a security token service. Thanks to broad community support, IdentityServer4 examples are easy to find on GitHub. The latest version, IdentityServer4 (IS4), became the de facto standard for .NET-based token services, in practice implemented on .NET Core 3. It now serves as a central authentication server for thousands of apps and allows creating a robust authentication and authorization system within projects. So, let’s move on to its most remarkable features.

Key features of IdentityServer4
IdentityServer4 provides the following features for applications:
- Authentication as a Service. IS provides centralized login for all applications (web, native, mobile, services). IS is an officially certified implementation of OpenID Connect.
- SSO. IS provides Single Sign-on/Sign-out over multiple application types.
- Access control for APIs. IS issues access tokens for APIs for the following client types: server to server, web applications, SPAs, and native/mobile applications.
- Federation Gateway. IS supports external identity providers like Azure Active Directory, Google, Facebook.
- Customization. Since IdentityServer is a framework, not a boxed product or a SaaS, it can be customized. Users can write code to adapt the system to fit their scenarios.
- Open Source. IdentityServer is open source, well documented, and supported by an extensive community.
What Has Changed in the IdentityServer4 Rights of Use?
If you are actively using IdentityServer4, this information is of utmost importance. Starting November 2022, the service will undergo drastic changes such as:
- Rebranding. IdentityServer will be rebranded as Duende IdentityServer. IdentityServer4 support will last until the end of life of .NET Core 3.1, that is, until November 2022. Accordingly, Duende provides new documentation for the fifth version of the service.
- Pricing. The officials said that IS4 remains free for free open-source work, development, and testing. Commercial scenarios will require annual payments. As a bonus, there is a 50% licensing discount for startups and non-profit organizations. For charities and small companies, the company offers a lucrative deal: a free plan.
- Licensing. Until November 2022, IdentityServer will use the permissive Apache 2 license, which allows building commercial products on top of it. Starting November 2022, IdentityServer remains open source but is dual-licensed: RPL and commercial.
  - RPL is a reciprocal public license. It keeps Duende IdentityServer free for free open source work.
  - A commercial license applies to all other use cases, provided that it is used in a commercial scenario.
- Software. Duende IdentityServer will contain all the new feature work and will target .NET Core 3.1 and .NET 5. Everything in the IdentityModel organization will stay unchanged.
How Will It Affect the Server Users?
How can such a decision affect the end users of IdentityServer? Is there a real problem, or is it just a routine announcement for IS users? Let’s sort the whole thing out.
Cost increase. The first and obvious aspect of the new IdentityServer policy is a cost increase. For typical commercial scenarios, it will cost at least $1,500 per year.
As IdentityServer is an OAuth framework, the pricing metric is clients, not users. The cheapest Starter edition allows for 5 clients without reference to the number of users. Each additional client will cost $300.
Architectural solutions. Per-client pricing of IdentityServer can force businesses to implement single-client applications instead of multi-client solutions. This can be critical for small businesses with limited resources. For current users who have already implemented a multiple-client architecture (multiple sub-domains), there are no ways to reduce the cost, even if each client includes only one or several users.
For new applications, the developers will have to search for the best architectural solution — weighing all pros and cons of single-client websites and applications with multiple subdomains.
Support. Starting November 2022, no free support for IS4 will be provided. Commercial support can be overwhelming for a non-profit developer. As for commercial licenses, Duende provides Standard developer support in the Starter and Business editions. Standard support includes public documentation, samples, and an issue tracker.
Duende also provides Priority developer support in the Enterprise edition, which starts from $12,000 annually. For that price, users will get public documentation, samples, an issue tracker, and an incident response SLA (Service Level Agreement). Hopefully, it will be reliable enough and will meet all the business needs.
Microsoft templates. Microsoft bundled IdentityServer4 into its templates in the first place. So, if you use those templates for commercial purposes, you’ll have to pay for IdentityServer. As of now, there are no proposals or free plans from Microsoft related to Duende IdentityServer.
Available Solutions for Users
The forced changes associated with the growth of time and financial costs are uncomfortable for any business. If your application uses IdentityServer4, one way or another, you will have to choose a new operating scenario, starting November 2022.
Option 1. Continue using the “all-in” IdentityServer
If the business needs all the functionality of IS, including flexibility, an unlimited number of clients, and support, it will cost $12,000 annually. Developers who care about identity management and work with IS4 in their daily job are OK with spending company money on it.
Pros:
- Continue using the tool that ideally fits the product needs.
- No need to spend time and money on searching for IdentityServer4 alternatives.
- Getting all the Duende IS additional features:
  - Unlimited clients.
  - Unlimited issuers: any number of logical token services running in production at any number of unique URLs.
  - Automatic key management.
  - BFF (Backend for Frontend) hosting library.
  - Dynamic authentication providers.
  - Resource isolation.
  - Priority developer support.
Cons:
If the business doesn’t need the Enterprise edition, it can choose one of the alternative IS pricing plans. There are Starter and Business editions of the service with equally useful features, but with some restrictions.
Option 2. Use IdentityServer for free
Developers can continue using IS4 for free until November 2022, supported by the IdentityServer team on GitHub. After that, they can keep using it, but without free bug fixes and security updates. In case of a critical problem, developers can fork IS4 and patch it themselves.
It may even happen that a client can still use Duende (the IS successor) for free. In any case, it’s worth checking the conditions of the free licensing.
In the mentioned cases, Duende IdentityServer is free, though with some limitations. Besides, following the original discussion, Dominick Baier emphasizes that they are ready for dialogue with each specific customer.
Originally published at https://modlogix.com on July 6, 2021.