The Future of IdentityServer

TL;DR: https://blog.duendesoftware.com/posts/20201001_helloduende/

Brock Allen and I have been working on the IdentityServer code-base for more than 10 years. In 2020 we will be making some important changes to it. Here’s why we are doing this.

Our History
The very first version of IdentityServer, which was called StarterSTS, was a collection of 7 aspx files with embedded code-behind. At the time, the project was considered a “WebSite Project” (Remember those?) and was hosted on CodePlex. Though StarterSTS was very simple, thanks to WIF, it was a pretty decent starting point for implementing WS-Federation and WS-Trust.

StarterSTS was the outcome of reimplementing token service solutions for a handful of customers and subsequently noticing a pattern in boilerplate and customer-specific usage. This was around 2009.

A lot has happened since then. I began working with Brock, whom I knew from teaching for DevelopMentor, and together we created IdentityServer1 and IdentityServer2. Both were ready-to-use web applications built with WebForms and then later MVC. Through it all, our basic idea never changed: give people a starting point for building a security token service. At one point, we attempted to make certain things configurable from the UI, but we quickly realized that IdentityServer’s real value was its customizability. Driving everything from a configuration UI just didn’t work.

Enter IdentityServer3. This is when we made the decision to become a framework. We realized that C# was the ultimate configuration DSL. At the same time, ASP.NET had become more modular (with Katana) and IdentityServer became a middleware/engine for implementing OpenID Connect and OAuth 2-based token services. We dumped WS-* and focused on modern identity and access control. This turned out to be a great decision.

At this point, it was apparent to us that OpenID Connect and OAuth were becoming the standard for building SSO and API access. It was also clear that none of the off-the-shelf products or SaaS solutions were flexible enough to fulfill many of our customers’ needs. This is still the case.

IdentityServer4 was a logical progression. Brock and I became better as a team, ASP.NET became better with ASP.NET Core, and IdentityServer became more useful and popular.

Today IdentityServer4 is used by thousands of companies, has passed 12 million total downloads on NuGet, and has become the de facto standard for .NET-based token services. In addition, it is used as the token plumbing for Microsoft’s Angular, React and Blazor templates for ASP.NET Core.

IdentityServer and Open Source
Open sourcing StarterSTS began as a way for me to provide code samples along with my blog posts. There was no Richard Stallman-esque philosophy behind it.

With the move to Github, the OSS vibe, community, pull requests, and collaboration began to develop, and it was fun. Still, our main goal was to promote our work, and that’s why we chose an enterprise-friendly license (first BSD, then Apache 2).

With IdentityServer becoming more popular, we were able to center all of our commercial work (e.g. consulting, training, build-outs) around our own framework. This was a dream come true, and we felt there was a good balance between open source “giving” and what we got back. But we also realized that maintaining IdentityServer and the community around it had become an additional full-time job. An unpaid full-time job at that.

It is well-known that the more popular an OSS project becomes, the harder it is to manage it. Some OSS project maintainers burn out, while others get offered jobs where they can continue to maintain the project (or not). Some manage to make the jump from a hobby project to a real business. This is where we are now—ready to make a jump.

In the beginning, Brock and I were self-funding IdentityServer solely through consulting and training jobs. When this didn’t work anymore, we looked for additional ways to fund the OSS work. First we chose sponsorship.

As Eran Hammer points out in his talk on open source sustainability, sponsorship turns out to be the least sustainable and least predictable way to support OSS. We experienced this first hand. This is how well (or poorly) sponsorship worked for us over a three-year period:

  • Over the past three years: $60,000 in total from 75 monthly sponsors.
    • ~$53,000 came from 12 companies
    • ~$7,000 came from 63 individuals.

This breaks down to approximately $9,000 per year for each of us.

Ultimately, we had to agree with Hammer: sponsorship just wasn’t sustainable for us. Although we are very appreciative of our individual sponsors, we feel the companies that use and depend on our software should be the ones to sponsor it. Unfortunately, most companies are not setup for sponsoring open source.

Another option we explored was the “open core” model. Our partners Rock Solid Knowledge in Europe and Solliance in the US provided added value via add-on components and custom implementations. While this helps, it still does not cover the cost of running and maintaining the core project and code-base.

Our Future
After going as far as we could with self-funding and sponsorship, we needed to find a different way to operate. We asked ourselves what our goals should be going forward and developed a list of the top five:

  • Spend more time on the IdentityServer code-base to implement features and new protocols.
  • Create better documentation and samples.
  • Do a better job of supporting the people who use IdentityServer.
  • Give companies the assurances they need when they decide to base their core identity infrastructure on our code.
  • Implement a business continuity plan.

To reach these goals we decided to finally bite the bullet and start a real company.

The current version (IdentityServer4 v4.x) will be the last version we work on as free open source. We will keep supporting IdentityServer4 until the end of life of .NET Core 3.1 in November 2022.

To continue our work, we have formed a new company, Duende Software, and IdentityServer4 will be rebranded as Duende IdentityServer. Duende IdentityServer will contain all new feature work and will target .NET Core 3.1 and .NET 5 (and all versions beyond).

This new product will remain open source but will be offered with a dual license (RPL and commercial). The RPL (reciprocal public license) keeps Duende IdentityServer free if you are also doing free open source work. If you are using Duende IdentityServer in a commercial scenario, then a commercial license will be required. We offer a variety of ways to license Duende IdentityServer in an attempt to accommodate the different company sizes and usage models. Including an RPL license is important to us because it allows us to recognize and express our gratitude to the open source community and our contributors.

Our partner, Rock Solid Knowledge, will continue to offer commercial add-ons to Duende IdentityServer (e.g. AdminUI, SAML, FIDO2) as well as custom development and production support. In addition, Solliance remains our North American partner for consulting and custom development.

We feel that these changes will best serve the needs of both our open source community and our corporate community. In addition, they will allow us to make sure Duende IdentityServer will be a viable long-term solution for everyone.

Last but not least, we have great features in the pipeline and Duende IdentityServer will continue to be the most flexible, advanced and modern identity solution for .NET.

If you have questions, want to contact us, or just want more info, you can visit us at https://duendesoftware.com. There is also a company blog and Twitter account.

62 Responses to The Future of IdentityServer

  1. Bass says:

    Being a big fan of IdentityServer, I would just take this opportunity to thank you guys for the amazing work. It is one of my top OSS repos (that’s why I registered to this blog).
    This new path is totally understandable (even expected). Although I am sure some will just criticize.
    I will be more than happy to pay for the license whenever my clients ask for anything other than AAD (or other commercial IAM). :)
    I am also going to offer to help if you guys need hands with the OSS.
    Good luck to the Duende.
    What is the secret behind this Duende?
    Google says it is the Spanish Elf.

  2. Jeff M says:

    Where would non-commercial, but non-open source (i.e. a public school district) use fit in the new licensing scheme(s)?

  3. Andy Y. says:

    Congratulations Dominick! Best of luck to you and Brock in this new adventure for you. We’ve been using IS4 for several years now and are very happy with it. (We were one of your corporate sponsors.)

  4. Andy says:

    This is great news. Best of luck to you and Brock!

    Looking forward to seeing your product roadmap.

    Anything planned for multi tenancy?

  5. SIkebe says:

    Congratulations!

    What about other libraries, such as IdentityModel, oidc-client-js,…
    Will they have the same support policy and license as IdentityServer4, or remain as they are?

  6. Jeroen Vos says:

    We have been using IS3 for a couple of years now and finally got budget to rebuild using IS4… like I got that e-mail on October 1st… talk about coincidence. So how much will the Duende implementation differ from the current IS4. Can I just do the rebuild now with IS4, then get the other 12k budget sorted and easily switch to the Duende one?

  7. Luis Mesa says:

    Good for you guys. Wise decision. Love the name, btw

  8. Dejan J says:

    Congratulations on your move and best of luck in your future work!

    We are using IdentityServer 4 targeting .NET Framework 4.7.2 for a rather large project with 7-8 OIDC clients. There are mid-term plans to switch to the new .NET, but nothing immediate, as we can still fairly painlessly switch to 4.8 and still stay in the support lifecycle. We need .NET Framework support as all our libraries rely on it.

    Do you plan to support .NET Standard 2.0 with Duende IdentityServer?

    • Thanks!

      > Do you plan to support .NET Standard 2.0 with Duende IdentityServer?

      This is not possible anymore with newer versions of ASP.NET Core. You need to specifically target the same version(s) of .NET that ASP.NET Core is targeting.

      IOW – Duende IdentityServer will be targeting .NET Core 3.1 and .NET 5.x

      This is of course independent of the .NET versions that your clients or APIs are using.

  9. IT says:

    IdentityServer4 and you guys were an inspiration to me and I learned a lot in web security from you. I wish you the best of luck in the new direction and I hope you are going to continue to share the juicy knowledge!

  10. Arun David Shelly says:

    Good, even though I feel sad you are leaving us behind. Good luck on your future endeavors.

  11. Seems fair to me, a monthly fee (effectively) for supported critical security infrastructure, not having support would be a huge risk.
    Smart move ;-)
    Best of luck with it.

  12. hirre says:

    Hi!

    Will IS4 work with future platform releases: .NET 5 & 6 & 7?

    • We are not specifically targeting any .NET platform after .NET Core 3.1 – it seems to work on .NET 5 (Microsoft is still shipping it in their .NET 5 templates).

      It’s very likely that .NET 6 and beyond will have breaking changes.

  13. Just a friend of you says:

    Congratulations guys
    We believe that you not only must respect your community but also you must talk with them before any decision. Imagine one day many years ago Torvalds said, “I need money in my life, so you should pay money if you want to use my Linux!” Could you tell us what would have happened!
    Pay attention! If you couldn’t find any opportunities for yourself, it doesn’t mean your community is responsible for your wage. After a long time, you couldn’t find any investor, and you couldn’t hire good developers and designers to extend your premium features the same as Auth0 or Okta, so you decided to steal things out of the community’s pocket. It’s not a fair way! We recommend returning to your last stage, changing your mindset, and reorganizing your business model.

    • Sorry – but I don’t agree with you.

      a) IdentityServer4 stays free (Apache 2 license)
      b) Duende IdentityServer is completely free for free open source (RPL license)

  14. Khalil Mohammad says:

    Congratulations guys. I loved working with IdentityServer.
    I work as a freelancer. If you could introduce better pricing structures for the small guys, that would be great.

  15. Steve says:

    We will switch to Azure AD B2C, which is free for 50,000 users. Goodbye IdentityServer…

  16. Steve says:

    You should keep in mind that there is Azure AD B2C for much lower costs.

    • Keep in mind that IdentityServer is a toolkit that gives you ultimate flexibility over your UI, your business logic and the data source you connect to. If you don’t need that flexibility and hosting your customer identities in a SaaS is fine for you, then by all means, AAD B2C might be a better fit for you.

  17. Marko says:

    I have been using IdentityServer 4 for a year now. Reading your GitHub, Stack Overflow and Gitter comments I would say that both of you are honest, no-BS, straight-to-the-point people. I think that people in this chat thread aren’t as honest though… I don’t see why somebody would be excessively happy with the fact that something that was free (and frankly thrust upon us by MS templates) will now cost at least $1,500 annually (that is my monthly salary, not all developers live in Silicon Valley).

    I understand that it is your knowledge, I understand that you can do whatever you want with it, I understand that the worst possible outcome would be you abandoning this project in total. I’m just saying that currently you might be getting overly positive feedback on this, because average developers simply don’t care about their identity management (until it is not there anymore) and developers/admins who do care probably work with IDS4 in a daily job environment, so they are OK with spending company money on it. Let’s say I’m running two side projects, that’s 2 issuers, meaning $3,000 or $12,000 in fees, which is not feasible at this moment.

    In the end I’m just a bit disappointed that MS bundled IDS4 into the templates in the first place, that I took it for granted and started tinkering with it only when I needed to add the second client (at that point I was already “stuck” with it), and that apparently I don’t know how to charge for my services correctly. But I guess this is the way things are developing now. It simply won’t be possible to build anything for free and just give it a go bootstrapped without any VC (hopefully Linux and Postgres won’t be taking your route anytime soon, those might introduce some killer costs).

    There are two years of support left which is enough time to:
    a.) Find an alternative
    b.) Build the side project into a business that will be able to afford $12,000 annually (hopefully we will get a phone number for support for that price).

    • Thanks for your comment. We processed some of the feedback and adjusted our licenses to include more clients. We are also offering 50% discounts for startups and non-profits. Maybe this helps?

      https://duendesoftware.com/products/identityserver#pricing

      • Marko says:

        Thank you for your reply. Honestly I will wait to see how MS will respond to your move. It is quite an impact on their proposed solution and with two years left hopefully they will fill the gap.

        What I will add as my opinion is that corporations and businesses that deal with sensitive data in regulated environments like vendors and 24/7 support (i.e. https://www.nevis-security.com/en/products-and-services/identity-suite/). That was a problem for adoption of IDS4 in my company when I tried to push it as a solution. There was nobody that our sysadmin could give a call if something breaks. Duende is a big step in this direction (although with a startup-ish approach to sales) but it is also a big step away from the hobby developer that might try to push this solution.

        I’m just thinking out loud about MS approach to giving office free to students so they expect it on their PC once they move into the workforce where the company will pay for it because it has to. Also you might use postgres at home, and for student projects, but once you move to work environment you will need paid support for it, because management, security and contracts will demand it.

        Currently I think that duende is in the middle ground, not enough support for corp and too expensive for a hobby developer.

        I’ll add option c.) to my list above… become a vendor for Duende :)

        Again, I’m trying to give you some constructive feedback, no disrespect.

      • Marko says:

        To be honest, I forgot that you will still offer a licence for open source projects. Sorry about that. Still, most of my reply should be valid.

  18. Nenad says:

    I have a feeling this is a move in the wrong direction. I already wrote something similar on GitHub, but…

    Strength of IdentityServer 3 and 4 was that it’s open source, transparent and without unnecessary extras. Now it will go in the direction of adding business/enterprise features that most people using current versions do not need.

    Also, charging per number of clients won’t be feasible for small businesses. Because it was free and open source, we went in the direction of splitting what could have been a single-client (website) into a multi-client architecture (multiple sub-domains of the app). Now we will be punished for that. In addition, a client app with 50 users and a client app with 1 million users will have the same cost. Also does not seem well thought out.

    Not to mention that many of us went into it because it was backed by .NET Foundation – meaning free and open source.

    • > business/enterprise features
      Not sure what that would be?

      > charging per number of clients won’t be feasible
      IdentityServer is an OAuth framework – the metric is clients and scopes. Not users.

      > Because it was free and open source
      You probably should not make architecture decisions based on the fact that the software is free of charge.

      I am sorry that you are not happy with the decision. We introduced discounts for startups:
      https://duendesoftware.com/specialoffers

      If that still is not good enough, contact us directly
      https://duendesoftware.com/contact

      ..and let us know which price would make it sustainable for both of us.

      • Nenad says:

        > IdentityServer is a OAuth framework – the metric is clients and scopes. Not users.

        Isn’t IdentityServer also an OpenID Connect framework, used to verify the identity of the end-user? It has Single-Sign-On infrastructure built in? Maybe you can add a 3rd metric – number of end-users for SSO – and let customers pick the best metric for their use-case?

        > you probably should not make architecture decisions based on the fact that the software is free of charge

        We all have to find the best architectural solution within the company’s budget constraints. Choosing between open source and vendor products, based on employees’ expertise and company budget. IdentityServer was not just free. It was open source, backed by the .NET Foundation and Microsoft. So with that in mind, we made the best architectural decision with the information we had at the time.
        If I may use a metaphor, this is like an RDBMS vendor suddenly deciding to charge per table and telling me I shouldn’t have assumed a table is free when designing the system 5 years ago.

        I agree that you should get properly remunerated, I just think this is not the best way to go about it. And the arrival at this point was not transparent as well.

        We will wait a bit with any business decision about this, but we also appreciate you are willing to get in contact with customers directly.

  19. Adrian says:

    Great move, but it may create a barrier for new users/clients to implement ID4+ in the future. I understand the fees are very important. I would suggest checking the licensing used in https://www.syncfusion.com/. They give a free license to small companies and charge corporates.

    I do not think we can afford paying licensing fees all the time. I had considered using ID4 but now I have to think about what the consequences will be of not being able to pay fees monthly/yearly. I hope the licensing will be small and one-time only and we can use it in our software.
    Thank you

  20. Christoph Braendle says:

    Best of luck to you and Brock for this new step and your great product!
    Pricing is fair and well thought.

    Thanks for contributing your knowledge all these years.
    Looking forward to seeing your product evolve further!

  21. Ben Hayat says:

    I’ve never agreed with working for free and/or giving away software, while others make money off of my work and keep demanding more for free…

    Worst part is that, once you give away something for free, it’s impossible to change course and ask for money. People freak out.

    I’m very glad you guys came to your senses early enough, before going bankrupt and having to get a job. Enough is enough… Now that you have a great reputation from giving away free software, it’s time to capitalize on that. I’m sure this is a wise and productive decision.

    Good luck guys and we shall meet again.
    ..Ben

  22. Christopher Adams says:

    I, for one, am very excited for the both of you. There is a lot of work that goes into maintaining and developing products. I think you guys are doing a great job and know it will continue in the future.

    I can’t say that I’m not a bit disappointed, however I do completely understand the financial aspects all too well. I was a consultant myself at one time and now work for a small company. We were looking for a robust and cost-effective authentication solution to get an API proof of concept off the ground and into the hands of our beta testers. If it wasn’t for your work, I’m not sure that would have happened as smoothly as it did. Thank you so much!

    Looking over the pricing models, it will be quite difficult to convince our clients to absorb the cost. This is more due to our limited usage and the scope of our project, yet again I don’t blame you at all for the move. You indeed deserve to flourish in the rewards of your hard work. I am personally very grateful for all of the work put in and the time provided to adjust over the next two years. This is very generous and should give us just enough time to adjust pricing models and/or develop alternative solutions if necessary.

    The best of luck to you and your future endeavors. Thank you again for such great work!

  23. irepository says:

    Congratulations on your journey and next steps!

    As an open source enthusiast, I would like to try using IdentityServer as there is a good amount of documentation around. Could you please point me to a link to start my learning and subsequently the implementation? I can’t seem to find the proper path to the open source offering/version. Thanks.

  24. PelleWidell says:

    I thought Microsoft should have backed this project up so it could still be open source for everyone. No big money for Microsoft, and all their developers benefit from it…
    Haven’t you heard anything from them?

    That you need to earn your living is easy to understand!

    • Don’t worry – it will stay open source.

      • PelleWidell says:

        Well, I guess we can’t be using the Skoruba add-on in the future?
        I heard lots of people indicating that for a small webshop/company even the starter package is too expensive. As you wrote yourself, pricing your own product is hard, even impossible. I’ve been there several times.

        It will still be open source, but all commercial companies need to pay for the product, and most developers work for commercial companies. That’s why I thought Microsoft should pay for this, as it is in their interest…

      • Nothing prohibits the Skoruba add-on. We already had a conversation with him.

        Commercial companies need to pay. I think that is only fair. If the price does not work for them – they can contact us and we find a solution.

      • PelleWidell says:

        Yes, it’s absolutely fair, no doubt about that!
        Pricing is not a thing I think should be discussed here. :)

      • Nenad Vicentic says:

        If I may add two points to the conversation:
        1. Did you speak with Microsoft at all about the situation? You have ignored that question a few times already.
        2. Isn’t the fact that you are advising almost everybody here and on GitHub to contact you directly for the pricing a sign that you got the price model for small business completely wrong?

      • You may.

        1. I did – and they will make an official statement about it at some point (as mentioned on various threads on GitHub).
        2. I think “completely” is a bit over-exaggerated. For most customers, the pricing is fine. For others we need to fine tune. It’s a process.

      • Nenad Vicentic says:

        Thanks for the answer.

        1. That’s what I suspected. Shame you could not come to common terms.
        2. Agree that “completely” is a bit exaggerated, but perhaps adding an alternative pricing model could help.

        I appreciate this straightforward response.

      • PelleWidell says:

        I say like Nenad, I appreciate this straightforward answer too, and it’s a pity that you couldn’t come to a solution with Microsoft…
