On October 1, 2020, Dominick Baier, one of the IdentityServer founders, published an article that confused the IT community: IdentityServer would rebrand and change its monetization policy starting November 2022.
Initially, the goal of the project was to promote the product, but the priority has since shifted: the IdentityServer team turned the product from a hobby project into a real business. The reasons for this decision were the following:
- IdentityServer became too difficult to manage and support due to its increased popularity.
- The project doesn’t cover the cost of running and maintaining the core project and codebase.
So, what’s in store for software projects which rely heavily on IdentityServer? And what does it have to do with Duende Software?
What is IdentityServer?
An identity server is the control center of the IT infrastructure – it defines who connects to what IT resources within the organization. To make this concrete, imagine that every interaction between users and applications must be protected from unauthorized use. Such protection requires Identity Management – the process of identifying, authenticating, and authorizing individuals or groups of people to have access to applications, systems or networks by associating user rights and restrictions with established identities.
IdentityServer (IS) is an open-source OpenID Connect and OAuth 2.0 framework for ASP.NET Core that is especially favored in the dev community. Being officially certified, IS gives people a starting point for building a security token service. Thanks to broad community support, IdentityServer4 examples are easy to find on GitHub. The latest version, IdentityServer4 (IS4), became the de facto standard for .NET-based token services, in practice as IdentityServer4 on .NET Core 3. It now serves as a central authentication service for thousands of apps, letting projects build a robust authentication and authorization system. So, let’s move on to its most remarkable features.
Key features of IdentityServer4
IdentityServer4 provides the following features for applications:
1. Authentication as a Service
IS provides centralized login for all applications (web, native, mobile, services). IS is an officially certified implementation of OpenID Connect.
2. Single Sign-on / Sign-out
IS provides Single Sign-on/Sign-out over multiple application types.
3. Access control for APIs
IS issues access tokens for APIs for the following client types: server to server, web applications, SPAs and native/mobile applications.
4. Federation Gateway
IS supports external identity providers like Azure Active Directory, Google, Facebook.
5. Customization
Since IdentityServer is a framework, not a boxed product or a SaaS, it can be customized. Users can write code to adapt the system to fit their scenarios.
6. Open Source
IdentityServer is open source, well documented, and supported by the extensive community.
What is Wrong with IdentityServer4: 3 Rights of Use Changes?
If you are actively using IdentityServer4, this is the information of utmost importance. Starting November 2022, the service will undergo drastic changes such as:
IdentityServer will be rebranded as Duende IdentityServer. IdentityServer4 support will last until the end of life of .NET Core 3.1, that is, until November 2022. Accordingly, Duende provides new documentation for the fifth version of the product.
According to the team, IS4 remains free for free open-source work, development, and testing. Commercial scenarios will require annual payments. There is also a 50% licensing discount for startups and non-profit organizations, and the company offers charities and small companies a free plan.
Up to November 2022, IdentityServer used the permissive Apache 2 license that allows building commercial products on top of it. Starting November 2022, IdentityServer remains open source, but works with a dual license: RPL and commercial.
- RPL is a reciprocal public license. It keeps Duende IdentityServer free for free open source work.
- The commercial license applies to all other use cases, that is, whenever the product is used in a commercial scenario.
Software. A comparison of Duende IdentityServer and IdentityServer4 shows that Duende IdentityServer will contain all new feature work and will target .NET Core 3.1 and .NET 5. Everything in the IdentityModel organization will stay unchanged.
Problems of IdentityServer’s End-Users
How can such a decision affect the end-users of IdentityServer? Is there a real problem, or is it just a routine announcement for IS users? Let’s sort the whole thing out.
The first and most obvious aspect of the new IdentityServer policy is a cost increase. It will cost at least $1,500 per year for typical commercial scenarios. IdentityServer is an OAuth framework, so the pricing metric is clients, not users. The cheapest Starter edition allows for 5 clients regardless of the number of users. Each additional client will cost $300.
Per-client pricing of IdentityServer can force businesses to implement single-client applications instead of multi-client solutions. This can be critical for small businesses with limited resources. For current users who have already implemented a multiple-client architecture (multiple sub-domains), there is no way to reduce the cost, even if each client includes only one or several users.
For new applications, the developers will have to search for the best architectural solution – weighing all pros and cons of single-client websites and applications with multiple subdomains.
Starting November 2022, no free support for IS4 will be provided. The commercial support can be overwhelming for a non-profit developer. As for commercial licenses, Duende provides Standard developer support in Starter and Business editions. Standard support includes public documentation, samples, and an issue tracker.
Duende also provides Priority developer support in the Enterprise edition, which starts from $12,000 annually. For that price, users get public documentation, samples, an issue tracker, and an incident response SLA (Service Level Agreement). Hopefully, it will be reliable enough to meet all the business needs.
Microsoft has bundled IdentityServer4 into the templates in the first place. So, using those templates for commercial purposes, you’ll have to pay for IdentityServer. If you want to migrate IdentityServer4 to Duende, note that there are no proposals or free plans from Microsoft related to Duende IdentityServer.
Available Solutions for IdentityServer’s Users
The forced changes associated with the growth of time and financial costs are uncomfortable for any business. If your application uses IdentityServer4, one way or another, you will have to choose a new operating scenario, starting November 2022 or even now.
Option 1. Continue using the “all-in” IdentityServer
If the business needs all the functionality of IS, including flexibility, an unlimited number of clients, and support, it will cost $12,000 annually. Developers who care about identity management and work with IS4 in their daily job are OK with spending company money on it.
- Continue using the tool that ideally fits the product needs.
- No need to spend time and money on searching for IdentityServer4 alternatives.
- Getting all the Duende IS additional features:
  - Unlimited clients.
  - Unlimited issuers – any number of logical token services running in production at any number of unique URLs.
  - Automatic key management.
  - BFF (Backend for Frontend) hosting library.
  - Dynamic authentication providers.
  - Resource isolation.
  - Priority developer support.
- Cost: $12,000 annually.
If the business doesn’t need the Enterprise edition, which is more suitable for ERP upgrade, it can choose one of the other IS pricing tiers. The Starter and Business editions offer equally useful features, but with some restrictions.
Option 2. Use IdentityServer for free
After November 2022, developers can keep using IS4, but without free bug fixes and security updates. In case of a critical problem, developers can fork IS4 and patch it themselves with the help of the IdentityServer team on GitHub.
It may even happen that a client can still use Duende (IS successor) for free. In any case, it’s worth checking the conditions of the free licensing.
Duende IdentityServer is free in the mentioned cases, though with some limitations. Besides, following the original discussion, Dominick Baier emphasizes that they are ready for dialogue with each specific customer.
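Staying on IS4 without security updates, or moving to Duende under its license terms, starts with knowing which projects reference which packages. The following sketch is an added example, not code from the IdentityServer project or from the original article; it assumes SDK-style .csproj files (no XML namespace), and the sample project file and the `IdentityServer4Helpers.Fake` package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Package-id prefixes and the follow-up each one calls for (per the article).
RULES = {
    "identityserver4": "IS4: no free fixes or security updates after November 2022",
    "duende.identityserver": "Duende: check RPL vs commercial license terms",
}

def classify(package_id):
    """Return the review note for a NuGet package id, or None if unrelated."""
    pid = package_id.lower()  # NuGet ids are case-insensitive
    for prefix, note in RULES.items():
        # Match the package itself or a dotted sub-package, not look-alike names.
        if pid == prefix or pid.startswith(prefix + "."):
            return note
    return None

def scan_csproj(xml_text):
    """List (package id, version, note) for identity packages in one project."""
    findings = []
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        pkg = ref.get("Include") or ref.get("Update") or ""
        note = classify(pkg)
        if note is None:
            continue
        # Version may be an attribute or a child element; with central
        # package management it is absent from the project file.
        version = ref.get("Version") or ref.findtext("Version") or "unspecified"
        findings.append((pkg, version.strip(), note))
    return findings

# Constructed sample project file (not from a real repository).
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="IdentityServer4" Version="4.1.2" />
    <PackageReference Include="identityserver4.EntityFramework">
      <Version>4.1.2</Version>
    </PackageReference>
    <PackageReference Include="Duende.IdentityServer" />
    <PackageReference Include="IdentityServer4Helpers.Fake" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, version, note in scan_csproj(SAMPLE):
        print(f"{pkg} {version}: {note}")
```

An entry reported as `unspecified` means the version is pinned elsewhere (for example in a central props file), so that file has to be checked as well.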
Option 3. Don’t use IdentityServer: IdentityServer4 vs other equivalents
This option applies if the business doesn’t need all the IS features, the customer application has “easy” identity management scenarios, or the processes aren’t heavily dependent on IS4. In that case, developers and businesses can choose alternative products from other vendors or develop their own.
The IT community is still trying to figure out the best IdentityServer4 alternatives and get over the shock. Be that as it may, there are decent options. One approach is to distinguish library-type and product-type solutions for identity management.
By its origin and purpose, IdentityServer itself is a library-type solution. A library-type solution fits best under the following conditions:
- You need free and open-source software.
- You need to manage all the data yourself due to regulations or privacy requirements.
- You need flexibility during the authentication flow, for example, a custom workflow for finding or merging user accounts.
- You have enough time, skills, and resources to run it yourself.
In contrast, a product-type is suitable for the clients that meet certain criteria:
- The price is not a determining factor.
- You need to save time and human resources on implementation and operation.
- The product contains just enough settings for your use case. The lack of flexibility is OK or at least not critical.
- The product gives even more out-of-the box features required for your project.
Let us take an in-depth look at the alternatives to IdentityServer, including the following services: OpenIddict, Keycloak, Azure Active Directory B2C, and other solutions.
OpenIddict vs IdentityServer4
One of the IdentityServer4 alternatives proposed by the IT community is OpenIddict. Like IdentityServer, it’s a .NET library-type solution that works with client authentication and token issuing, but not user authentication, and allows implementing custom login flows. OpenIddict operates under the Apache 2 license, uses OAuth and OpenID Connect protocols, and is supported by the GitHub community.
However, compared to IdentityServer, OpenIddict is even more “bare metal” with fewer features straight away. For instance, in OpenIddict, you must provide extra code for the token endpoint before you get a working client credential flow.
Keycloak vs IdentityServer4
Another IS alternative, Keycloak, is an open-source product-type solution. It operates under the Apache 2 license, but unlike IS and OpenIddict, it is Java-based and is not as flexible as a library. For example, it doesn’t support custom grant types and custom login flows for users.
Unlike IdentityServer and OpenIddict, Keycloak is a ready-to-run product, so you can launch it in minutes using Docker.
Microsoft Azure Active Directory B2C vs IdentityServer4
Azure Active Directory B2C can be a solution if there is no need for flexibility and you are hosting customer identities in a SaaS. It’s a Microsoft product running only in the Azure cloud. AAD B2C pricing is user-based, and is free for 50,000 monthly active users (MAUs).
Compared to IdentityServer, Azure AD B2C is a cloud-based identity and access management service with pre-built templates, offering scalable infrastructure and various functionalities, including user authentication and authorization.
These are some of the other best alternatives to IS:
Rippling is an integrated platform that simplifies, optimizes, and automates a business’s human resources, payroll, and IT management. It also streamlines operations and enhances efficiency for businesses by providing a comprehensive solution for managing their workforce while ensuring the safety of applications from cyber threats.
Okta is a cloud-based platform designed to simplify and strengthen identity and access management for businesses. It provides comprehensive tools and functionalities to ensure secure user authentication, seamless single sign-on, and efficient user management.
JumpCloud is a cloud-based directory platform that provides a comprehensive IAM solution, allowing businesses to manage user identities, access controls, and device management from a centralized platform. It streamlines authentication processes, enhances security and compliance, and simplifies system management.
- Active Directory Federation Service
For on-premises deployments, Microsoft has an alternative in ADFS (Active Directory Federation Service). ADFS is a solution for SSO and Internet authentication. It follows a process similar (but not equal) to OAuth, uses some open standards (HTTPS, SAML), but is Microsoft-specific and requires Internet Information Services (IIS), which runs only on Windows servers.
Consider ModLogix Your Trusted Partner
ModLogix is a software development and technology company that can also help with identity management strategies. Our exceptional value lies in our commitment to delivering innovative, personalized solutions for valued relationships and long-term partnerships.
In our years of extensive expertise, we have successfully executed multiple projects across diverse industries, including:
- Migrating a Webforms Platform to Microsoft Azure: The significant challenges with this project were database compatibility, system environment parameters, and unsupported parts. But after cloud migration and refactoring, our client had a secure and up-to-date platform optimized for today’s computing environment.
- Legacy System Integration with EMR: With the increasing flow of customers, our clients sought a solution to facilitate data exchange, optimize a patient verification process, and reduce the time and resources spent on data retrieving and processing. After the integration, we improved the security of sensitive data, transparency, accessibility, and cost-effective data extraction.
- Migration from ASP.NET MVC to .NET Core 3.1: With our client’s expansion, codes written five years ago started to show their limitations like slow report building or code issues. So, for this project, we improved security, accuracy, and performance and ensured HIPAA compliance.
By leveraging our expertise and solutions, organizations have experienced unparalleled security, improved operational efficiency, streamlined access management, and improved compliance adherence. Contact our dedicated team at ModLogix to develop a personalized identity management strategy together.
The organizations and their development teams must immediately pursue the new identity management strategy. There’s no time left to use IdentityServer for free; the changes are inevitable. If your software product doesn’t fit the new specifications, there may be severe loopholes.
Companies must prioritize the quality, security, and stability of the software, so schedule the time for reviewing the business strategy and re-evaluation of fundamental needs and resources.
If you feel unsure about choosing the most prominent alternative for IdentityServer, our experts will advise you on a reliable tool.