Announcement of plan to replace the IdentityServer #11989

Closed
hikalkan opened this issue Mar 17, 2022 · 14 comments

@hikalkan
Member

hikalkan commented Mar 17, 2022

Background

What's the current situation

ABP uses IdentityServer4 to add OAuth server features as built-in on the server side. We use it for:

  • Single sign-on, OpenIdConnect (authorization code and hybrid flow) logins in tiered, Angular, Blazor, and Microservice solutions.
  • Client-credential authentication for machine-to-machine communication (including inter-microservice REST API calls).
  • Resource owner password authentication for the Angular UI (as an alternative option to authorization code flow).

All these functionalities are available in both ABP open-source and commercial. ABP Commercial adds a UI layer to manage IdentityServer4 resources as an additional feature.

What's new?

IdentityServer4's support ends at the end of the year 2022. Its replacement is Duende IdentityServer, which is not free software anymore for those who have more than 1M$ income (read more).

Problems

We have two problems here:

  1. If we switch to Duende IDS, open source ABP will be paid in practice for those who have more than 1M$ income, because even basic login scenarios (for Angular UI, Blazor WASM UI and tiered MVC UI) are using authorization code or resource owner password flows. ASP.NET Core does not have a usable built-in solution for these flows (See Microsoft's announcements on this topic: a post, a GitHub issue, another discussion).
  2. We don't want ABP Commercial customers to pay extra money to Duende IDS, which has higher prices than ABP Commercial.

The Decision

So, we will completely drop the IDS from the ABP platform. We will probably continue to ship IDS-related packages for a while, but, in the long term, you will need to replace it, because IDS support ends at the end of the year 2022.

Solution Proposal

Our solution will be like this:

  • Implementing OpenIdDict and making it installed into the startup templates. OpenIdDict is a low-level library, which requires you to implement the flows and public APIs and UI yourself. So, we will implement all these as an ABP module. Our idea is to implement the basic scenarios as open-source and free, and advanced scenarios for the ABP Commercial. ABP's open-source users may implement these advanced scenarios themselves (if they don't want to buy an ABP Commercial license). ABP won't have any restriction on that. OpenIdDict is already open-source, free, and documented. It won't be harder than implementing these in a regular .NET project. In fact, it will be easier, since ABP will have the fundamental implementation, and you can continue yourself. But, ABP Commercial will provide pre-built solutions for the advanced scenarios that are mostly needed for enterprise systems.
  • Providing a solution where you can use an External OAuth server (like Azure or Keycloak) instead of OpenIdDict or IDS. Actually, this is already possible now since IDS is a separate module and ABP Framework and pre-built modules are not directly dependent on it. The final application brings it all together, and it can choose to remove IDS dependencies and configure the solution to use an external auth server. There are some ABP users who already did it for their solutions, using Keycloak and other providers. This can be a good alternative for ABP's open-source users to use advanced auth flows. We will look into preparing some integration packages for some platforms and/or prepare guides/documents for those who want to do it themselves. For ABP Commercial, we may provide some other pre-built integrations to platforms like Keycloak, Okta, etc.

We are trying to decide what the advanced flows are that are needed for enterprise solutions. We are trying to keep it balanced, so open-source startup templates can use the basic functionalities needed to log in users and obtain authentication tokens (to allow users to log in to the Angular and Blazor UI). The reason we want to make some advanced scenarios commercial is that we will have a great effort to build, document and maintain all these. ABP Commercial is the only income channel for us, and we believe those who develop enterprise systems and make money can purchase an ABP Commercial license, and others can benefit from the basic implementation and spend their time to build the flow they need to.

The schedule

ABP 6.0 will be released at the end of this year (just after .NET 7.0). Our goal is to provide an alternative to current IDS integrated solutions and make it the default. Then we'll end support of IDS packages in the next year. To make the adaptation easier and have more time for it, our essential goal is to complete and publish this work before ABP 6.0-beta1, which will be released in August or September 2022. We will also try to create a detailed migration guide.

Conclusion

In this announcement, we wanted to be transparent to the ABP Community and share the current situation and decision with you.

We had made a huge investment in IdentityServer, spent months of development and research to understand its internals, make it support ABP features like multi-tenancy and impersonation, integrate it into ABP, provide samples, document details, prepare training, and much more. Therefore, we regret throwing all this work away. But that's how the software industry is, and we're doing our best to keep our position as leading in this domain.

Thank you everyone for your understanding and support.

@hikalkan hikalkan added this to the 6.0-preview milestone Mar 17, 2022
@hikalkan hikalkan self-assigned this Mar 17, 2022
@hikalkan hikalkan changed the title Announcing the plain to replace IdentityServer Announcing the plan to replace IdentityServer Mar 17, 2022
@ebicoglu ebicoglu changed the title Announcing the plan to replace IdentityServer Announcement of plan to replace IdentityServer Mar 17, 2022
@ebicoglu ebicoglu changed the title Announcement of plan to replace IdentityServer Announcement of plan to replace the IdentityServer Mar 17, 2022
@albutta

albutta commented Mar 18, 2022

Any intention of using passwordless authentication?

@hikalkan
Member Author

@albutta we haven't planned it as a reusable library. This article may help you: https://community.abp.io/posts/implementing-passwordless-authentication-with-asp.net-core-identity-c25l8koj

@leastprivilege

leastprivilege commented Mar 18, 2022

Probably a wise decision.

I would recommend, that this time you financially support the FOSS you are incorporating into your commercial product.

Otherwise you might be in the same situation again at some point.

@hikalkan hikalkan pinned this issue Mar 18, 2022
@hikalkan
Member Author

Thanks @leastprivilege for your thoughts on that. We are thinking about it. We are ready to support open source projects. We've done it for Blazorise before.

@dicksonkimeu

> Probably a wise decision.
>
> I would recommend, that this time you financially support the FOSS you are incorporating into your commercial product.
>
> Otherwise you might be in the same situation again at some point.

@leastprivilege thought you had some good news

@s4lvo

s4lvo commented Mar 21, 2022

#7221 (comment)

> Migrate to Duende IDS, which is a paid library for who have more than $1M revenue. If we do that, we will try to make a deal with Duende software to include their license into ABP Commercial license price. But, for open source, their licensing is still a problem. What do you think about that?

Could you try to find a solution together with @leastprivilege (Duende) to include a license in abp commercial and aspnetzero?

How do you plan to manage updates on all existing IDS-based projects?

@hikalkan
Member Author

hikalkan commented Mar 21, 2022

@s4lvo we've made a video conference with Duende's founders, thanks to them for listening to us. We listened to each other and discussed the options. However, we couldn't make a deal since our licensing models and pricing are so different.

We will try to provide a guide for the migration; however, these projects are not providing the same set of features, remember that.

@beriniwlew
Contributor

If we start a new project that uses Identity Server 4, will there be an upgrade path to OpenIdDict?

@jrhopkins83

We're very interested in @beriniwlew's question. We're likely to utilize the abp framework to implement a microservices-based architecture. We don't want to get too far down the road with a security solution that's going to be throwaway without a solid upgrade path.

@maliming
Member

maliming commented May 4, 2022

hi @jrhopkins83

We do some work.

#12084

@hikalkan hikalkan unpinned this issue May 6, 2022
@hikalkan hikalkan modified the milestones: 6.0-preview, 7.0-preview May 24, 2022
@balessi75

Hi @hikalkan,

Are you aware of any current features in Abp Commercial that will no longer be available or work when Abp is implemented with OpenIdDict? Will existing applications (Blazor Server for us) using IDS 4, need to have code rewritten? If so, to what extent?

@maliming
Member

maliming commented Jul 4, 2022

We are not removing IDS packages and will continue to release new versions of IDS-related NuGet/NPM packages. That means you won't have an issue while upgrading to v6.0 (when it is released). We will continue to fix bugs in our packages for a while. ABP 7.0 will be based on .NET 7. If IDS continues to work with .NET 7, we will continue to ship NuGet packages for our IDS integration.

BTW, IDS itself is canceling support for the open source IDS at the end of this year. They have moved to Duende IDS, you know. We won't migrate to Duende IDS.

@hikalkan
Member Author

I am closing this issue since we've migrated to OpenIddict with 6.0. v6.0-RC.1 will be released in these days. Migration guide will come soon.

@thanhtai9606

I hope, we have an identity with Keycloak soon. Thank you all :)!
