Brock Allen and I have been working on the IdentityServer code-base for more than 10 years. In 2020 we will be making some important changes to it. Here’s why we are doing this.
The very first version of IdentityServer, which was called StarterSTS, was a collection of 7 aspx files with embedded code-behind. At the time, the project was considered a “WebSite Project” (Remember those?) and was hosted on CodePlex. Though StarterSTS was very simple, thanks to WIF, it was a pretty decent starting point for implementing WS-Federation and WS-Trust.
StarterSTS was the outcome of reimplementing token service solutions for a handful of customers and subsequently noticing a pattern in boilerplate and customer-specific usage. This was around 2009.
A lot has happened since then. I began working with Brock, whom I knew from teaching for DevelopMentor, and together we created IdentityServer1 and IdentityServer2. Both were ready-to-use web applications built with WebForms and then later MVC. Through it all, our basic idea never changed: give people a starting point for building a security token service. At one point, we attempted to make certain things configurable from the UI, but we quickly realized that IdentityServer’s real value was its customizability. Driving everything from a configuration UI just didn’t work.
Enter IdentityServer3. This is when we made the decision to become a framework. We realized that C# was the ultimate configuration DSL. At the same time, ASP.NET had become more modular (with Katana) and IdentityServer became a middleware/engine for implementing OpenID Connect and OAuth 2-based token services. We dumped WS-* and focused on modern identity and access control. This turned out to be a great decision.
At this point, it was apparent to us that OpenID Connect and OAuth were becoming the standard for building SSO and API access. It was also clear that none of the off-the-shelf products or SaaS solutions were flexible enough to fulfill many of our customers’ needs. This is still the case.
IdentityServer4 was a logical progression. Brock and I became better as a team, ASP.NET became better with ASP.NET Core, and IdentityServer became more useful and popular.
Today IdentityServer4 is used by thousands of companies and has achieved over 12 million total downloads on Nuget, and has become the de facto standard for .NET-based token services. In addition, it is used as the token plumbing for Microsoft’s Angular, React and Blazor templates for ASP.NET Core.
IdentityServer and Open Source
Open sourcing StarterSTS began as a way for me to provide code samples along with my blog posts. There was no Richard Stallman-esque philosophy behind it.
With the move to Github, the OSS vibe, community, pull requests, and collaboration began to develop, and it was fun. Still, our main goal was to promote our work, and that’s why we chose an enterprise-friendly license (first BSD, then Apache 2).
With IdentityServer becoming more popular, we were able to center all of our commercial work (e.g. consulting, training, build-outs) around our own framework. This was a dream come true, and we felt there was a good balance between open source “giving” and what we got back. But we also realized that maintaining IdentityServer and the community around it had become an additional full-time job. An unpaid full-time job at that.
It is well-known that the more popular an OSS project becomes, the harder it is to manage it. Some OSS project maintainers burn out, while others get offered jobs where they can continue to maintain the project (or not). Some manage to make the jump from a hobby project to a real business. This is where we are now—ready to make a jump.
In the beginning, Brock and I were self-funding IdentityServer solely through consulting and training jobs. When this didn’t work anymore, we looked for additional ways to fund the OSS work. First we chose sponsorship.
As Eran Hammer points out in his talk on open source sustainability, sponsorship turns out to be the least sustainable and least predictable way to support OSS. We experienced this first hand. This is how well (or poorly) sponsorship worked for us over a three year period:
- Over the past three years: $60,000 in total from 75 monthly sponsors.
- ~$53,000 came from 12 companies
- ~$7,000 came from 63 individuals.
This breaks down to approximately $9,000 per year for each of us.
Ultimately, we had to agree with Hammer: sponsorship just wasn’t sustainable for us. Although we are very appreciative of our individual sponsors, we feel the companies that use and depend on our software should be the ones to sponsor it. Unfortunately, most companies are not setup for sponsoring open source.
Another option we explored was the “open core” model. Our partners Rock Solid Knowlege in Europe and Solliance in the US provided added value via add-on components and custom implementations. While this helps, it still does not cover the cost of running and maintaining the core project and code-base.
After going as far as we could with self-funding and sponsorship, we needed to find a different way to operate. We asked ourselves what our goals should be going forward and developed a list of the top five:
- Spend more time on the IdentityServer code-base to implement features and new protocols.
- Create better documentation and samples.
- Do a better job of supporting the people who use IdentityServer.
- Give companies the assurances they need when they decide to base their core identity infrastructure on our code.
- Implement a business continuity plan.
To reach these goals we decided to finally bite the bullet and start a real company.
The current version (IdentityServer4 v4.x) will be the last version we work on as free open source. We will keep supporting IdentityServer4 until the end of life of .NET Core 3.1 in November 2022.
To continue our work, we have formed a new company Duende Software, and IdentityServer4 will be rebranded as Duende IdentityServer. Duende IdentityServer will contain all new feature work and will target .NET Core 3.1 and .NET 5 (and all versions beyond).
This new product will remain open source but will be offered with a dual license (RPL and commercial). The RPL (reciprocal public license) keeps Duende IdentityServer free if you are also doing free open source work. If you are using Duende IdentityServer in a commercial scenario, then a commercial license will be required. We offer a variety of ways to license Duende IdentityServer in an attempt to accommodate the different company sizes and usage models. Including an RPL license is important to us because it allows us to recognize and express our gratitude to the open source community and our contributors.
Our partner, Rock Solid Knowledge, will continue to offer commercial add-ons to Duende IdentityServer (e.g. AdminUI, SAML, FIDO2) as well as custom development and production support. In addition, Solliance remains our North American partner for consulting and custom development.
We feel that these changes will best serve the needs of both our open source community and our corporate community. In addition, they will allow us to make sure Duende IdentityServer will be a viable long-term solution for everyone.
Last but not least, we have great features in the pipeline and Duende IdentityServer will continue to be the most flexible, advanced and modern identity solution for .NET.