The Future of IdentityServer

TL;DR: https://blog.duendesoftware.com/posts/20201001_helloduende/

Brock Allen and I have been working on the IdentityServer code-base for more than 10 years. In 2020 we will be making some important changes to it. Here’s why we are doing this.

Our History
The very first version of IdentityServer, which was called StarterSTS, was a collection of 7 aspx files with embedded code-behind. At the time, the project was considered a “WebSite Project” (Remember those?) and was hosted on CodePlex. Though StarterSTS was very simple, thanks to WIF, it was a pretty decent starting point for implementing WS-Federation and WS-Trust.

StarterSTS was the outcome of reimplementing token service solutions for a handful of customers and subsequently noticing a pattern in boilerplate and customer-specific usage. This was around 2009.

A lot has happened since then. I began working with Brock, whom I knew from teaching for DevelopMentor, and together we created IdentityServer1 and IdentityServer2. Both were ready-to-use web applications built with WebForms and then later MVC. Through it all, our basic idea never changed: give people a starting point for building a security token service. At one point, we attempted to make certain things configurable from the UI, but we quickly realized that IdentityServer’s real value was its customizability. Driving everything from a configuration UI just didn’t work.

Enter IdentityServer3. This is when we made the decision to become a framework. We realized that C# was the ultimate configuration DSL. At the same time, ASP.NET had become more modular (with Katana) and IdentityServer became a middleware/engine for implementing OpenID Connect and OAuth 2-based token services. We dumped WS-* and focused on modern identity and access control. This turned out to be a great decision.

At this point, it was apparent to us that OpenID Connect and OAuth were becoming the standard for building SSO and API access. It was also clear that none of the off-the-shelf products or SaaS solutions were flexible enough to fulfill many of our customers’ needs. This is still the case.

IdentityServer4 was a logical progression. Brock and I became better as a team, ASP.NET became better with ASP.NET Core, and IdentityServer became more useful and popular.

Today IdentityServer4 is used by thousands of companies and has achieved over 12 million total downloads on Nuget, and has become the de facto standard for .NET-based token services. In addition, it is used as the token plumbing for Microsoft’s Angular, React and Blazor templates for ASP.NET Core.

IdentityServer and Open Source
Open sourcing StarterSTS began as a way for me to provide code samples along with my blog posts. There was no Richard Stallman-esque philosophy behind it.

With the move to Github, the OSS vibe, community, pull requests, and collaboration began to develop, and it was fun. Still, our main goal was to promote our work, and that’s why we chose an enterprise-friendly license (first BSD, then Apache 2).

With IdentityServer becoming more popular, we were able to center all of our commercial work (e.g. consulting, training, build-outs) around our own framework. This was a dream come true, and we felt there was a good balance between open source “giving” and what we got back. But we also realized that maintaining IdentityServer and the community around it had become an additional full-time job. An unpaid full-time job at that.

It is well-known that the more popular an OSS project becomes, the harder it is to manage it. Some OSS project maintainers burn out, while others get offered jobs where they can continue to maintain the project (or not). Some manage to make the jump from a hobby project to a real business. This is where we are now—ready to make a jump.

In the beginning, Brock and I were self-funding IdentityServer solely through consulting and training jobs. When this didn’t work anymore, we looked for additional ways to fund the OSS work. First we chose sponsorship.

As Eran Hammer points out in his talk on open source sustainability, sponsorship turns out to be the least sustainable and least predictable way to support OSS. We experienced this first hand. This is how well (or poorly) sponsorship worked for us over a three year period:

  • Over the past three years: $60,000 in total from 75 monthly sponsors.
    • ~$53,000 came from 12 companies
    • ~$7,000 came from 63 individuals.

This breaks down to approximately $9,000 per year for each of us.

Ultimately, we had to agree with Hammer: sponsorship just wasn’t sustainable for us. Although we are very appreciative of our individual sponsors, we feel the companies that use and depend on our software should be the ones to sponsor it. Unfortunately, most companies are not set up for sponsoring open source.

Another option we explored was the “open core” model. Our partners Rock Solid Knowledge in Europe and Solliance in the US provided added value via add-on components and custom implementations. While this helps, it still does not cover the cost of running and maintaining the core project and code-base.

Our Future
After going as far as we could with self-funding and sponsorship, we needed to find a different way to operate. We asked ourselves what our goals should be going forward and developed a list of the top five:

  • Spend more time on the IdentityServer code-base to implement features and new protocols.
  • Create better documentation and samples.
  • Do a better job of supporting the people who use IdentityServer.
  • Give companies the assurances they need when they decide to base their core identity infrastructure on our code.
  • Implement a business continuity plan.

To reach these goals we decided to finally bite the bullet and start a real company.

The current version (IdentityServer4 v4.x) will be the last version we work on as free open source. We will keep supporting IdentityServer4 until the end of life of .NET Core 3.1 in November 2022.

To continue our work, we have formed a new company, Duende Software, and IdentityServer4 will be rebranded as Duende IdentityServer. Duende IdentityServer will contain all new feature work and will target .NET Core 3.1 and .NET 5 (and all versions beyond).

This new product will remain open source but will be offered with a dual license (RPL and commercial). The RPL (reciprocal public license) keeps Duende IdentityServer free if you are also doing free open source work. If you are using Duende IdentityServer in a commercial scenario, then a commercial license will be required. We offer a variety of ways to license Duende IdentityServer in an attempt to accommodate the different company sizes and usage models. Including an RPL license is important to us because it allows us to recognize and express our gratitude to the open source community and our contributors.

Our partner, Rock Solid Knowledge, will continue to offer commercial add-ons to Duende IdentityServer (e.g. AdminUI, SAML, FIDO2) as well as custom development and production support. In addition, Solliance remains our North American partner for consulting and custom development.

We feel that these changes will best serve the needs of both our open source community and our corporate community. In addition, they will allow us to make sure Duende IdentityServer will be a viable long-term solution for everyone.

Last but not least, we have great features in the pipeline and Duende IdentityServer will continue to be the most flexible, advanced and modern identity solution for .NET.

If you have questions and want to contact us, or just want more info you can visit us at https://duendesoftware.com. Also, there is a company blog and twitter account.


97 Responses to The Future of IdentityServer

  1. Bass says:

    Being a big fan of Identity Server, I would just take this opportunity to thank you guys for the amazing work. It is one of my top OSS repos (that’s why I registered to this blog)
    This new path is totally understandable (even expected). Although I am sure some will just criticize.
    I will be more than happy to pay for the license whenever my clients ask for anything other than AAD (or other commercial IAM). :)
    I am also going to offer to help if you guys need hands with the OSS.
    Good luck to the Duende.
    What is the secret behind this Duende?
    Google says it is the Spanish Elf.

  2. Jeff M says:

    Where would non-commercial, but non-open source (i.e. a public school district) use fit in the new licensing scheme(s)?

  3. Andy Y. says:

    Congratulations Dominick! Best of luck to you and Brock in this new adventure for you. We’ve been using IS4 for several years now and are very happy with it. (We were one of your corporate sponsors.)

  4. Andy says:

    This is great news. Best of luck to you and Brock!

    Looking forward to seeing your product roadmap.

    Anything planned for multi tenancy?

  5. SIkebe says:

    Congratulations!

    What about other libraries, such as IdentityModel, oidc-client-js,…
    Will they have the same support policy and license as IdentityServer4, or remain as they are?

  6. Jeroen Vos says:

    We have been using IS3 for a couple of years now and finally got budget to rebuild using IS4… like I got that e-mail on October 1st… talk about coincidence. So how much will the Duende implementation differ from the current IS4. Can I just do the rebuild now with IS4, then get the other 12k budget sorted and easily switch to the Duende one?

  7. Luis Mesa says:

    Good for you guys. Wise decision. Love the name, btw

  8. Dejan J says:

    Congratulations on your move and best of luck in your future work!

    We are using IdentityServer 4 targeting .NET Framework 4.7.2 for a rather large project with 7-8 OIDC clients. There are mid-term plans to switch to the new .NET, but nothing immediate, as we can still fairly painlessly switch to 4.8 and still stay in the support lifecycle. We need .NET Framework support as all our libraries rely on it.

    Do you plan to support .NET Standard 2.0 with Duende IdentityServer?

    • Thanks!

      > Do you plan to support .NET Standard 2.0 with Duende IdentityServer?

      This is not possible anymore with newer versions of ASP.NET Core. You need to specifically target the same version(s) of .NET that ASP.NET Core is targeting.

      IOW – Duende IdentityServer will be targeting .NET Core 3.1 and .NET 5.x

      This is of course independent of the .NET versions that your clients or APIs are using.

  9. IT says:

    IdentityServer4 and you guys were an inspiration to me and I learned a lot in web security from you. I wish you the best of luck in the new direction and I hope you are going to continue to share the juicy knowledge!

  10. Arun David Shelly says:

    Good, even though I feel sad you are leaving us behind. Good luck on your future endeavors.

  11. Seems fair to me, a monthly fee (effectively) for supported critical security infrastructure, not having support would be a huge risk.
    Smart move ;-)
    Best of luck with it.

  12. hirre says:

    Hi!

    Will IS4 work with future platform releases: .NET 5 & 6 & 7?

    • We are not specifically targeting any .NET platform after .NET Core 3.1 – it seems to work on .NET 5 (Microsoft is still shipping it in their .NET 5 templates).

      It’s very likely that .NET 6 and beyond will have breaking changes.

  13. Just a friend of you says:

    Congratulations guys
    We believe that you not only must respect your community but also you must talk with them before any decision. Imagine one day many years ago Torvalds said, “I need money in my life, so you should pay money if you want to use My Linux !.” Could you tell us what happened!
    Pay Attention! If you couldn’t find any opportunities for yourself, it doesn’t mean your community is responsible for your wage. After a long time, you couldn’t find any investor, and you couldn’t hire good developers and designers to extend your premium features the same as Auth0 or Okta, so you decided to steal things out of the community’s pocket. It’s not a fair way! We recommend returning to your last stage, changing your mindset, and reorganizing your business model.

    • Sorry – but I don’t agree with you.

      a) IdentityServer4 stays free (Apache 2 license)
      b) Duende IdentityServer is completely free for free open source (RPL license)

  14. Khalil Mohammad says:

    Congratulations guys. I loved working with IdentityServer.
    I work as a freelancer. If you could introduce better pricing structures for the small guys, that would be great.

  15. Steve says:

    We will switch to Azure AD B2C which is free for 50.000 users. Good bye IdentityServer…

  16. Steve says:

    You should keep in mind that there is Azure AD B2C for much lower costs.

    • Keep in mind that IdentityServer is a toolkit that gives you ultimate flexibility over your UI, your business logic and the data source you connect to. If you don’t need that flexibility and hosting your customer identities in a SaaS is fine for you, then yes, by all means, AAD B2C might be a better fit for you.

  17. Marko says:

    I have been using identity server 4 for a year now. Reading your github, stackoverflow and gitter comments I would say that both of you are honest, no BS, straight to the point people. I think that people in this chat thread aren’t as honest though… I don’t see why somebody would be excessively happy with the fact that something that was free (and frankly thrust upon us by MS templates) will now cost at least 1500$ annually (that is my monthly salary, not all developers live in the silicon valley).

    I understand that it is your knowledge, I understand that you can do whatever you want with it, I understand that the worst possible outcome would be you abandoning this project in total, I’m just saying that currently you might be getting overly positive feedback on this, because average developers simply don’t care about their identity management (until it is not there anymore) and developers/admins who do care probably work with IDS4 in a daily job environment, so they are OK with spending company money on it. Let’s say I’m running two side projects, that’s 2 issuers, meaning $3000 or $12000 in fees which is not feasible at this moment.

    At the end I’m just a bit disappointed that MS bundled IDS4 into the templates in the first place, that I took it for granted and started tinkering with it only when I needed to add the second client (at that point I was already “stuck” with it), and that apparently I don’t know how to charge for my services correctly. But I guess this is the way things are developing now, it simply won’t be possible to build anything for free and just give it a go bootstrapped without any VC (hopefully linux and postgres won’t be taking your route anytime soon, those might introduce some killer costs).

    There are two years of support left which is enough time to:
    a.) Find an alternative
    b.) Build side project into a business that will be able to afford $12.000 annually (hopefully we will get a phone number for support for that price).

    • Thanks for your comment. We processed some of the feedback and adjusted our licenses to include more clients. We are also offering 50% discounts for startups and non-profits. Maybe this helps?

      https://duendesoftware.com/products/identityserver#pricing

      • Marko says:

        Thank you for your reply. Honestly I will wait to see how MS will respond to your move. It is quite an impact on their proposed solution and with two years left hopefully they will fill the gap.

        What I will add as my opinion is that corporations and businesses that deal with sensitive data in regulated environments like vendors and 24/7 support (i.e. https://www.nevis-security.com/en/products-and-services/identity-suite/). That was a problem for adoption of IDS4 in my company when I tried to push it as a solution. There was nobody that our sys admin could give a call if something breaks. Duende is a big step in this direction (although with a startup “ish” approach to sales) but it is also a big step away from the hobby developer, that might try to push this solution.

        I’m just thinking out loud about MS approach to giving office free to students so they expect it on their PC once they move into the workforce where the company will pay for it because it has to. Also you might use postgres at home, and for student projects, but once you move to work environment you will need paid support for it, because management, security and contracts will demand it.

        Currently I think that duende is in the middle ground, not enough support for corp and too expensive for a hobby developer.

        I’ll add option c.) to my list above… become a vendor for Duende :)

        Again, I’m trying to give you some constructive feedback, no disrespect.

      • Marko says:

        To be honest, I forgot that you will still offer licence for open source projects. Sorry about that. Still most of my reply should be valid.

  18. Nenad says:

    I have a feeling this is a move in the wrong direction. Already wrote something similar on Github, but…

    Strength of IdentityServer 3 and 4 was that it’s open source, transparent and without unnecessary extras. Now it will go in the direction of adding business/enterprise features that most people using current versions do not need.

    Also, charging per number of clients won’t be feasible for small businesses. Because it was free and open source, we went in direction of splitting what could have been single-client (website) in multi-client architecture (multiple sub-domains of app). Now we will be punished for that. In addition client app with 50 users and client app with 1 million users will have the same cost. Also does not seem well thought.

    Not to mention that many of us went into it because it was backed by .NET Foundation – meaning free and open source.

    • > business/enterprise features
      Not sure what that would be?

      > charging per number of clients won’t be feasible
      IdentityServer is an OAuth framework – the metric is clients and scopes. Not users.

      > Because it was free and open source
      You probably should not make architecture decisions based on the fact that the software is free of charge.

      I am sorry that you are not happy with the decision. We introduced discounts for startups
      https://duendesoftware.com/specialoffers

      If that still is not good enough, contact us directly
      https://duendesoftware.com/contact

      ..and let us know which price would make it sustainable for both of us.

      • Nenad says:

        > IdentityServer is a OAuth framework – the metric is clients and scopes. Not users.

        Isn’t IdentityServer also OpenID Connect framework, used to verify identity of end-user? It has Single-Sign-On infrastructure built-in? Maybe you can add 3rd metric – number of end-users for SSO and let customers pick best metric for their use-case?

        > you probably should not make architecture decisions based on the fact that the software is free of charge

        We all have to find best architectural solution within company’s budget constraints. Choosing between open source and vendor products, based on employees expertise and company budget. IdentityServer was not just free. It was open source, backed by .NET Foundation and Microsoft. So with that in mind, we made best architectural decision with information we had at the time.
        If I may use metaphor, this is like if RDBMS vendor suddenly deciding to charge per table and tells me, I shouldn’t have assumed table is free when designing system 5 years ago.

        I agree that you should get properly remunerated, I just think this was is not the best way to go about it. And arrival to this point was not transparent as well.

        We will wait a bit with any business decision about this, but we also appreciate you are willing to get in contact with customers directly.

  19. Adrian says:

    Great move but it may create a barrier for new users/clients to implement ID4+ in the future. I understand the fees are very important. I would suggest to check licensing used in https://www.syncfusion.com/. They give free license to small companies and charge corporates.

    I do not think we can afford paying licensing fees all the times. I had considered using ID4 but now I have to think what will be the consequences of not being able to pay fees monthly/yearly. I hope the licensing will be small and one time only and we can use it in our software.
    Thank you

  20. Christoph Braendle says:

    Best of luck to you and Brock for this new step and your great product!
    Pricing is fair and well thought.

    Thanks for contributing your knowledge all these years.
    Looking forward to seeing your product evolve further!

  21. Ben Hayat says:

    I’ve never agreed with working for free and/or giving away software, while others make money off of my work and keep demanding more for free…

    Worst part is that, once you give away something for free, it’s impossible to change course and ask for money. People freak out.

    I’m very glad you guys came to your senses early enough, before going bankrupt and having to get a job. Enough is enough… Now that you have a great reputation from giving free software, time to capitalize on that. I’m sure this is a wise and productive decision.

    Good luck guys and we shall meet again.
    ..Ben

  22. Christopher Adams says:

    I, for one, am very excited for the both of you. There is a lot of work that goes into maintaining and developing products. I think you guys are doing a great job and know it will continue in the future.

    I can’t say that I’m not a bit disappointed, however I do completely understand the financial aspects all too well. I was a consultant myself at one time and now work for a small company. We were looking for a robust and cost effective authentication solution to get an API proof of concept off the ground and into the hands of our beta testers. If it wasn’t for your work, I’m not sure that would have happened as smoothly as it did. Thank you so much!

    Looking over the pricing models it will be quite difficult to convince our clients to absorb the cost. This is more due to our limited usage and scope of our project, yet again I don’t blame you at all for the move. You indeed deserve to flourish in the rewards of your hard work. I am personally very grateful for all of the work put in and the time provided to adjust over the next two years. This is very generous and should give us just enough time to adjust pricing models and/or develop alternative solutions if necessary

    The best of luck to you and your future endeavors. Thank you again for such great work!

  23. irepository says:

    Congratulations on your journey and next steps!

    As an open source enthusiast, I would like to try using IdentityServer as there is a good amount of documentation around. Could you please point me to a link to start my learning and subsequently the implementation. I can’t seem to find proper path to the open source offering/version. Thanks.

  24. PelleWidell says:

    I thought Microsoft should have backed this project up so it could still be open source for everyone, no big money for Microsoft and all their developers benefit from it…
    Haven’t you heard anything from them?

    That you need to earn your living is easy to understand!

    • Don’t worry – it will stay open source.

      • PelleWidell says:

        Well, I guess we can’t be using skoruba add-on in the future?
        I heard lots of people indicating that for a small webshop/company even the starter packet is too expensive. As you wrote yourself, pricing your own product is hard, even impossible. I’ve been there several times.

        It will still be open source but all commercial companies need to pay for the product, and most developers work for commercial companies. That’s why I thought Microsoft should pay for this as it is in their interest…

      • Nothing prohibits the Skoruba add-on. We already had a conversation with him.

        Commercial companies need to pay. I think that is only fair. If the price does not work for them – they can contact us and we find a solution.

      • PelleWidell says:

        Yes, it’s absolutely fair, no doubt about that!
        Pricing is not a thing I think should be discussed here. :)

      • Nenad Vicentic says:

        If I may add two points to the conversation:
        1. Did you speak with Microsoft at all about the situation? You ignored that question few times already.
        2. Isn’t the fact that you are advising almost everybody here and on Github to contact you directly for the pricing – sign that you got price model for small business completely wrong?

      • You may.

        1. I did – and they will make an official statement about it at some point (as mentioned on various threads on github)
        2. I think “completely” is bit over-exaggerated. For most customers, the pricing is fine. For others we need to fine tune. It’s a process.

      • Nenad Vicentic says:

        Thanks for the answer.

        1. That’s what I suspected. Shame you could not come to common terms.
        2. Agree that “completely” is a bit exaggerated, but perhaps adding alternative pricing model could help.

        I appreciate this straightforward response.

      • PelleWidell says:

        I say like Nenad, I appreciate this straightforward answer too and it’s a pity that you couldn’t come to a solution with Microsoft…

  25. PelleWidell says:

    I say like Nenad, I appreciate this straightforward answer too and it’s a pity that you couldn’t come to a solution with Microsoft…

  26. Rod da Silva says:

    I just wish to add my congratulations on your decision to take your IP to the next level. I have been using IdentityServer for years in multiple projects, and it plays a critical role in our self-sovereign identity solution in the World Computer Project initiative over at WorldComputer.org. The ability to customize every aspect of the product is its most important feature IMO and gives it its flexibility. Dominick and Brock have done an amazing job of balancing an out-of-the-box product that can be used as is with intelligent defaults, with an interface-driven “library” that allows for endless customization in any way imaginable. That you waited this long to progress from the unsustainable 100% open source model is my only surprise. Good luck to the both of you, and thank you for years of excellent support, documentation, and knowledge transfer, helping to make a complex yet vital technology approachable by mere developer mortals. You both deserve the success you will reap with your new company.

  27. Bladeleaf says:

    Inspiration from the policy of Microsoft AD B2C: could there be a free plan – with limited user accounts (say no more than 5000 user accounts) and no source code access? This plan could basically meet any side projects’ need so it will encourage hobby developers to stay with it.

    We respect the owner’s decision regarding how to push this system forward. I just regret that the cost of $1500 will not be feasible for now – we are from a less developed country so the exchange rate makes the annual fee even more impossible…

    • As you probably know, we are not involved in user authentication. But we might have some news soon, regardless.

      • Nenad says:

        This idea, to take into account number of users on the system was already suggested as a better way to charge customers. I am struggling to understand – what do you mean when you say “we are not involved in user authentication”? You do have an authentication process, login page, user-profile endpoint, etc?

  28. albertoleontis says:

    $1500 / year is not a big cost. If you want something cheaper, you have alternatives and maybe you don’t need the power of IdentityServer. I used IdentityServer in several projects in the past, all of them completely capable of paying $1500 / year. What thing I miss from that price is that some stuff should be included for really think is a good opportunity. I would like to have in the same price:
    – A 100% integration with ASP.NET Identity
    – A professional and with good UX, UI

    I think all of us are in debt to Dominick Baier and Brock Allen. Part of the success in my career comes from the learnings from them and the good software they created.

    We could contribute better to the whole IdentityServer ecosystem, economically and creating more tools, and most of us, just took the benefit without giving something in return, so they did the necessary step.

    Apart from that, I believe that Microsoft must buy IdentityServer and hire the team. The same way they did with Xamarin ;)

    • Thanks Alberto. The ASP.NET Identity integration will come. It’s one of our top todo items for our docs and templates. But we need to ship v5 first…

    • Nenad says:

      Alberto, most of us “complaining” do not need 100% ASP.NET Identity, nor professional UX, UI. It’s only fair that those features are paid extra.

      I do agree however, that Dominick and Brock built awesome project over the years and taught us a lot through online videos, support and documentation. Only that, as one of early users/advocates/contributors (oidc-client), I would prefer if there was some room left for open-source approach to the core project.

  29. Henning says:

    I think it is a logical development, as OpenId and OAuth2 are important part of a solution that IdentityServer helps the community to implement. And of what I can see the base pricing isn’t that expensive either for many of us, if it also gives us the services we need. Some thoughts though:

    We are developing a web solution consisting of many micro-SPA-frontends (with backend services). The main reason for doing that is to have good maintainability, where different teams have responsibility for different parts of the code, and different parts of the solution are able to be released without interfering with other modules. For the end user, our solution should feel like they never have left our web. This is accomplished by combining the user experience, and it’s currently being partly held together with IdentityServer4.

    My concern is that if the licensing model is encouraging us to develop a bigger front end monolith instead of a bunch of more loosely coupled micro-frontends I think that is a problem and it might directly affect the architecture of the solution negatively.

    I have read your licensing model, and to my understanding it seems like every micro-frontend would be considered as a separate client. On the contrary, if for example several micro frontends grouped under one second level domain (and respective subdomains) are regarded as just one client the pricing wouldn’t affect the architecture of the solution in the same way.

    Some background info about us is that we are an educational institution working with crowd sourced data, and also offer open data for the public so I guess we probably qualify for some kind of special offer, but the main thing for my thoughts here is to understand your intention for the license model and in that case how it may affect the architectural decisions we have made for our solution.

    • Nenad says:

      Very clear description of architectural problem this licensing model creates. Something I pointed out earlier, but did not describe this well.

      I would like to add one more use case:

      We have old, monolithic WebForms application, which we started “slicing” and replacing modules with .NET Core micro-frontends over last 3 years, so far successfully. As a consequence – one of our “frontends” is literally one page (not SPA) that renders Word file report – but it’s registered as separate client application on sub-domain. As a side-note, Let’s Encrypt was 2nd part of the equation – free SSL certificates for our sub-domains, which enabled us to take this “micro-frontend” approach.

      The new licensing model pushes us back to the monolithic architecture approach of the past to save money and it caught the company half-way through website migration to newer technology. This is why I pointed out several times that a licence per number of users seems an architecture agnostic solution. And in fact, Microsoft uses similar licensing for the Azure Active Directory B2C service – number of monthly active users (MAU).

      • This is all good feedback. And I said numerous times before – contact us directly to discuss this “special” case. Because it is not the “common” case looking across all our customer architectures. I am sure we can come to a conclusion.

        IdentityServer is an OAuth/OIDC framework. We are not involved in user authentication. This is outside of our APIs and also we don’t store those accounts (as opposed to the often mentioned B2C) – so licensing based on users is not an option (I also said that a couple of times before).

        And Nenad – instead of commenting on every single response here (and ultimately always saying the same), maybe your company should start a discussion with us directly to sort out the issue once and for all (or not).

    • Henning says:

      Dominick, we will contact you eventually when we are ready for the discussion. And as I said, I personally think the base pricing for the product is fair. As for a license model per user, I understand your issue with it since your framework doesn’t handle it, and I’m personally not that keen on those kinds of models either, but that’s more of the way I am.

      As I said in my main comment, I’m not against your selected model per se, but I think it’s an interesting topic to discuss. As you say our architecture with micro-frontends might not today be the most common case, but I think from an architectural standpoint it really should be more common whenever we’re talking about anything bigger than a small web site. All in the name of long-lived maintainability.

      I’ve seen that the front-end frameworks are where the fastest development and changes appear. E.g. we don’t know if (or maybe in reality when…) Google decides to ditch the Angular framework we’re using for a new “super duper front end framework”, or there is some other new framework that is better suited for what we do. Much of my thinking as an architect is about how to handle things like this and try to plan how we – with our limited resources – can make the best of the situation.

      Anyway I think you already got my point a long time ago and I’ll not rant about it anymore… :-) For me it’s more of an interesting discussion about architecture and what affects the decisions I make daily. I don’t think your intentions with the license model are to hinder me in my endeavours, just to get fairly compensated for the great work you’ve done and are doing with the IdentityServer framework.

  30. Rodrigo says:

    thank you for your dedication

    For some scenarios, there is an open source option: OpenIdDict

  31. I’d like to say thank you both for all you’ve done and are doing!
    Some thoughts anyway: you’ve offered too few pricing options. Up to me although it’s clear that the pricing could depend (only) on the company revenue (which might correlate with the number of clients), it would be more honest to take into account the value the company (or its individual employees) takes from and gives back to the project and community.
    Let’s take ELK: today it’s free, even for cluster setup. They offer some extra features and support for fees, but for those who prefer to manage the system and handle the issues themselves, it’s still acceptable for free. And it’s a great promotion! Now let’s look at Identityserver: I see numbers of people just running the quickstarts or MS-templates with the predefined storages in their enterprises and getting the profit while the others are implementing their custom-everything, depending only on the Identityserver’s core. Although it might be quite hard to separate, that would be more forward looking to provide the core for free and apply the pricing for the “box” solution only. For the moment I see the clear candidates to become “advanced” such features as the storages implementations and keys rotation. Absolutely sure, you can find more. If you want to. Absolutely sure an advanced product with a free core costs much more in total than the other without such separation.

    • Thanks – I think we found a fair pricing model that works for many people – not everyone of course.

      In case you missed it — we have a free version now for smaller companies and individuals
      https://blog.duendesoftware.com/posts/20201210_community_edition/

      • Dmitry Fedorov says:

        Thank you for the answer! I do not think I missed anything. Currently I work for a let’s say middle-size company. We do not use all the leaf level features, implementing many of them ourselves, but we use the excellent core structure and protocol implementation. During the recent three years I never asked for support except when I found a clear inappropriate behavior or unreasonable limitation, and I proposed a solution in those cases. Additionally I posted more than 100 useful answers on SO, sharing my knowledge, helping others to handle some edge cases, saving (I hope) your time for the real work : )
        That’s why, although I can’t expect any exclusion based on the company size or my status (just a full time employee), I believe I could expect some privileges due to our collaboration. And I am sure, not only me, but tens of us, the guys from SO and github, not producing our own opensource, but still contributing or supporting the IS. Yeah, we did and do that for free, but as our companies pay us for the job, they pay for IS!

      • Hi,

        > but we use the excellent core structure and protocol implementation

        Thanks! And that’s exactly what we consider to be our core IP and value. Hence the move.

        > I believe I could expect some privileges due to our collaboration

        It’s a bit of a stretch to use the word “collaboration” here. What type of privileges do you have in mind?

      • Khalil Mohammad says:

        That will be great for all the small guys like me.
        Thanks for thinking of the small guys and small companies.

        Medium and larger companies should pay their due share in supporting IdentityServer.

      • Dmitry Fedorov says:

        I’m sorry, can’t find a “reply” link under your recent answer.
        I always thought “obtaining something, but giving something back” is exactly collaboration, symbiosis in biology. I am not a lawyer, my understanding could be wrong. Anyway I hope we understood each other and if you feel you do not need to support the community, that’s up to you. I hope you plan to employ 2-3 dedicated developers doing the same as ten of us do in our spare time: supporting the users, explaining the protocol and behavior, looking for some workarounds, deeply testing, digging the sources, contributing.
        My original suggestion was to introduce an “Identityserver’s Friend” status in addition to the “Open source product” one. I don’t think that would be more than 2 dozens licenses, almost the same as 2 mid-level FTE in USA.
        Actually I don’t know. Probably you wouldn’t lose anything. Probably some clone would fill the free area in a year, repeating everything you achieved during recent five years. I only believe, supporting the community and getting strong support back make any product stronger. That’s how it is with Serilog, partially with ASP.Net itself — too special case to compare, that’s how it was with IS 3 and 4.

        Regarding my own situation: I’m absolutely far from the management, but my feeling is that the price is reasonable for today. The only concern I see is reliability: your licensing plans are restricted to one year. When we buy ELK or Dynatrace or some hosting level for a year and do not like the higher price for the next, we just switch the plan or provider. But we can’t just switch our self-made identity provider. Per-year paid service is something usual, but one-year binary or code is not. And the common trend is to sell a service, not the binaries for rent.

        Anyway I wish you to grow, move forward and do not lose the audience — Identityserver is the best for today in the area! Good luck, Merry Christmas and Happy New Year!

      • Hey,

        thanks for getting back.

        I am really confused what you are asking for. I don’t get it.

        We are supporting the community by both providing a completely free FOSS license as well as a community license for smaller companies and individuals… What in addition would you like to see?

        Feel free to continue this conversation via email if you prefer that.

  32. tino says:

    I think it’s a clever move, hopefully you will get MS to take notice and step in & buy a share in your new company. Hopefully your new IS v5 and beyond will then be integrated directly into .net core as it is so good (and already has some deep integration). Good luck.

  33. Ivan Todorov says:

    For me a big part of the problem is that Microsoft did not support the project enough because they want to push their Azure AD stuff.

  34. We love IdentityServer and included it in our latest .net core version of our platform. I also really believe in the “free as in beer” of the free software/open source. We use GPL to offer freedom to our customers. At the same time our business model somehow makes it to pay for what we do. But the future of Identity Server does not seem to offer something we could use as RPL is simply not compatible with GPL. A commercial license is also not compatible even if we would pay for it. Our customers need freedom and we need freedom, too. Is there anything that can be done here or do we need to look for a new solution? (Seems we are reimplementing auth mechanisms every few years – 1. asp.net Membership, 2. OWIN asp.net Identity, 3. Identity Server 4… sad to see that we will need just another one).

  35. Michael says:

    Hi Guys

    Thanks for all the awesome free code up until now :) given that the general consumer of this product has the budget and probably should be paying for it I think this move is fair.

    All I ask is please use this new revenue stream to improve on the upgrade process. I don’t remember the version numbers but I do remember it was an upgrade within the IdentityServer4 => IdentityServer4 path (so you would hope it would be easy). We were using the quick start template with a few modifications, but once this update came out it was easier to throw out all our changes and start from scratch than to migrate to the new version because of all of the massive changes to the public API. An example of how public APIs can be kept future proof would be React, super easy to keep up to date and any massive changes in the public API normally run in parallel with the old API as people migrate slowly. Oh and React code mods are also awesome.

    I’m writing this on the train after a long day’s work so there’s a chance this is a bad to read post. If so, sorry and I’d happily have a call or email with you to give you a run down of what I meant.

    Thanks for the free code up till now, I’ve already started sowing the seeds in my manager to make time and budget to migrate to the paid.

  36. Alex says:

    I feel tricked into using IS. It is unfair that IS was promoted as free, open source product, even by MS, to change to this new model. Sorry guys, you had a great open source product that any average commercially minded person would be able to monetise through support and custom work charges and you guys couldn’t do that (I can’t believe that you were expecting to succeed with donations only). That tells me that your current commercial move is not going to have much success. Pity a good product like IS will suffer. Get yourself an adviser, you do development, you shine in that field. I post this in good faith, I wish you all the best.

  37. Neil Broomfield says:

    Good luck, I hope it works out for you.

    Unfortunately we too are now looking at alternatives such as Azure B2C as the licensing costs seem prohibitive for anyone other than large organisations, a number of our customers just don’t have a spare $12k pa to throw at identity server as a solution.

  38. Emilio Vazquez says:

    Hi Guys, even when this is sad news for many of us, you only deserve our respect and admiration for all the help, knowledge, time, effort, etc you have been sharing with the community for many years. I wish you the best in your new path.

    • Hi Emilio! Thank you very much!

      I fail to see why this is sad news, though?!

      • Emilio Vazquez says:

        It is sad news because now – for many of us – it is not in our hands to keep using ID4 or not, we can push and push, but sometimes reality dictates another path. In my case, I work for a company with two different operational scenarios. In the first one, let’s call it “onshore\enterprise” – we only require one instance of IdSrv4, not many clients, and with some level of integration with Azure AD. In the second scenario, let’s call it “onboard”, we have only one instance of IdSrv4 too, less than 10 clients, not integrated with Azure AD, but this scenario is replicated across hundreds of vessels at sea. It is not clear to me how the pricing models can apply here. It could happen the same as it happened to us with MS SqlServer, we had to adopt SQL Server Express with all its limitations because there was no reasonable option available for us in terms of prices. The bottom line here is that I think the company cannot afford the licensing of the product on every vessel per annum. Anyways I am going to escalate my concerns in the company and see what happens.

      • Hey.

        OK – “sad” sounds like something very personal – but what you are describing is “just” some potential business decision of your employer.

        Your company should talk to us – and maybe we have a license that works for them.

        You personally can of course continue to use IdentityServer free of charge for personal use – or as part of our community edition.

  39. Frank Robertson says:

    So glad to read that you are continuing to offer an open source option. I’ve learned so much from reading the Identity Server code. I’ve also learned so much from watching your conference presentations, over the years.

    My employer has no process for donating to OSS projects. But licenses… We can do that. You guys deserve to get paid decently for the great work you do. The software and support licenses finally give guys like me a way to direct some financial support to such a great project.
