Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ASP.NET Core 6 and Authentication Servers Discussion #32494

Closed
blowdart opened this issue May 7, 2021 · 187 comments
Closed

ASP.NET Core 6 and Authentication Servers Discussion #32494

blowdart opened this issue May 7, 2021 · 187 comments
Assignees
Labels
Milestone

Comments

@blowdart
Copy link
Contributor

blowdart commented May 7, 2021

In .NET 3.0 we began shipping IdentityServer4 as part of our template to support the issuing of JWT tokens for SPA and Blazor applications. Sometime after we shipped, the IdentityServer team made an announcement changing the license for future versions of IdentityServer to a reciprocal public license – a license where the code is still open source but if used for commercial purposes then a paid license must be bought. This type of approach is common in the open-source world, where sustaining an income is difficult as your project becomes your full-time work.

Two of the reasons behind the choice to ship IdentityServer was the community’s well-expressed desire that we did not compete with an established open-source project and IdentityServer’s deep knowledge of the identity space. The .NET team are not OAuth and OIDC experts as we focus on providing building blocks for your application and a starting point from which you can be successful. Creating and sustaining an authentication server is a full-time endeavor, and Microsoft already has a team and a product in that area, Azure Active Directory, which allows 500,000 objects for free. The ASP.NET team feels a managed cloud solution remains the best practical option for developers – the security is managed, you don’t store credentials locally with the risks that presents, and new features like passwordless authentication appear seamlessly in your authentication workflow. However, we also realize that a cloud solution can be impossible for some customers due to regulatory or data sovereignty concerns.

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL licensed version. We continue to think this is the most mature option for creating self-deployed, locally hosted token service with ASP.NET Core. We will make the licensing requirement clear if you are using a template that includes Duende IdentityServer. The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year. The license requires a fee to be used in used in a commercial setting if the entity or organization makes more than 1M USD/year. The previous version of IdentityServer will continue to be supported for as long as .NET 5 is supported, until around February 2022.

For .NET 7 we will investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet. You will always be free to choose whatever identity system is best for you in production by updating a few lines of code when you’re ready to go live. We’re committed to giving you options for production identity systems now and going forward.

@blowdart blowdart added this to the Discussions milestone May 7, 2021
@blowdart blowdart self-assigned this May 7, 2021
@blowdart
Copy link
Contributor Author

blowdart commented May 7, 2021

Linking to previous issues

#32109
#30577
#26489

@Pilchie
Copy link
Member

Pilchie commented May 7, 2021

👀

@runxc1
Copy link

runxc1 commented May 7, 2021

Ugh, Being one of the many that opted to use Identity Server due to its Open Source nature, it just really feels like a bait and switch especially since the project was included in official templates and used in the official .Net Core documentation. Really wishing I hadn't opted to use it.

@DavidZidar
Copy link

and free for use in commercial settings if the entity or organization makes less than 1 million USD/year

Is this true? The wording in their license makes it seem it's only free for one year.

@IvanJosipovic
Copy link

IvanJosipovic commented May 7, 2021

I'm moving my ASP.NET Identity projects to use https://github.com/openiddict/openiddict-core
I'm not a fan of the default project templates using components that have a paid license. The announcement by the IdentityServer team was done in October 2020, I think MS had enough time to replace it by the .NET 6 release.

@blowdart
Copy link
Contributor Author

blowdart commented May 7, 2021

@DavidZidar they had seen and approved the wording so I presume it's correct.

Clarity could come from @leastprivilege

@PeteX
Copy link

PeteX commented May 7, 2021

Is it not possible for Microsoft to provide some continuity for those of us who used the IdentityServer samples in good faith?

I can understand where the developers are coming from, as I've been in the same position myself. You can find yourself doing a lot of unpaid work maintaining a code base, and it doesn't lead to enough consulting revenue to justify it. At the same time, it seems unfortunate to say the least that people who relied on the ASP.NET samples are now in the position of having to pay a third party for a licence. (That is, once the current edition of IdentityServer becomes EOL.)

All that is really needed in my opinion is for any security issues with the IdentityServer4 series to be addressed, and for it it be ported to future releases of .NET. It's fair enough that if you want new functionality, you might have to use a different package with different licensing terms. I can't imagine that it would be a huge expense for Microsoft to take on the maintenance role for IdentityServer4, and perhaps they could even pay the current developers to do so?

@blowdart
Copy link
Contributor Author

blowdart commented May 7, 2021

As stated we are not authentication experts, we have no expertise in writing or maintaining an authentication server. We have a team at Microsoft dedicated to that, and they produce AAD. The .NET team will not be writing production ready authentication servers, both because of the cost in that and because in doing so it's likely we'll cannibalize users from existing open source projects, something the community was very vocal in wanting us not to do when the initial discussions around IdentityServer inclusion was started.

We explored options around IS4 with no outcome we felt comfortable with.

Templates are meant as a starting point for you to go forward from, and that going forward should include reviewing what authentication options are safest, and best value for you.

@brockallen
Copy link

Is this true? The wording in their license makes it seem it's only free for one year.

If your company or organization makes less than 1M USD per year then it's free.

https://duendesoftware.com/specialoffers

@schmitch
Copy link

schmitch commented May 7, 2021

I also think it would be better to:

a. remove the sample
b. use openiddict.

nothing against duende, but if they are paid they can also create a easy to use template by themself, no reason to put effort into maintaining it.

@DavidZidar
Copy link

@brockallen Thank you for the clarification. Your license is using the wording "for one year" and it is not explained further which is confusing.

@jbogard
Copy link
Contributor

jbogard commented May 7, 2021

Ugh, Being one of the many that opted to use Identity Server due to its Open Source nature, it just really feels like a bait and switch especially since the project was included in official templates and used in the official .Net Core documentation. Really wishing I hadn't opted to use it.

I think you're conflating "Open Source" with "free". I have several quite popular OSS projects, and I do next to zero work on these for free. If one of my projects dies, it's because no one wants to pay for me to maintain it. I suppose that's a form of bait and switch, but I'm not doing free work for people. If you want these OSS projects to survive/thrive, I suggest you find a way for your place of employment to support these projects financially.

@nulltoken
Copy link
Contributor

For .NET 7 we investigate if we can build tooling to allow development and testing of OIDC (OpenID Connect) enabled applications when disconnected from the internet.

I've been searching for a long time for a lightweight .NET solution providing this kind of service. In Nodejs land, I'm relying on oauth2-mock-server which is pretty interesting from an automated test standpoint, especially in the way it allows to dynamically tweak the auth server behavior.

@blowdart Is there an issue tracking this OIDC dev/test tooling investigation to which I could subscribe to?

@brockallen
Copy link

@brockallen Thank you for the clarification. Your license is using the wording "for one year" and it is not explained further which is confusing.

Sure, then you renew the license and if you're still under 1M/year you can still use it for free. Hope that helps.

@blowdart
Copy link
Contributor Author

blowdart commented May 7, 2021

@nulltoken Not yet, planning for 7 hasn;t even started :)

@blowdart
Copy link
Contributor Author

blowdart commented May 7, 2021

@schmitch I'm afraid the decision is made. We are sticking with IdentityServer. We won't be removing samples, or switching to OpenIddict. Of course the community is free to make its own templates around OpenIddict if you don't like what they provide.

@OrihuelaConde
Copy link

OrihuelaConde commented May 7, 2021

Community Edition
For small companies or individuals with less than $1M USD in annual revenue, free for fewer than 5 clients.

We are a small company from Argentina, the limit of $1M USD is fine, but "5 clients" 😞
For our own projects we are using Auth0, its free offer suits our needs, but we have small customers that can't afford the costs.

@GeraudFabien
Copy link

GeraudFabien commented May 7, 2021

For .NET 6 we will continue to ship IdentityServer in our templates, using the new RPL licensed version

If you want but you must warn the user that to use it in production it will need to pay 1500 usd by year. I assume default template cannot contain paying solution. And i'm pretty sure i'm far from being alone.

The .NET team will not be writing production ready authentication servers, both because of the cost in that and because in doing so it's likely we'll cannibalize users from existing open source projects

we'll cannibalize users from existing open source projects

What are the other existing Open Source projects you fear to canibalize. I fear i know none.
The only solution i found are :

we are not authentication experts, we have no expertise in writing or maintaining an authentication server.

And i agree with you on the fact it's a project quite complex since it need to have specific expert to maintained. That why they can make you pay 1500 + 300 * UserCount usd by year. Because they no there will not be any other solution for those who been bait.

What i found funny is that for Json serializer you hire the Author. So there is a solution...
As for money you have ReactUI model that seems to work for years.

I think you're conflating "Open Source" with "free".

Maybe but i remember when i start programing before dotnet core before DNX back in 2010 i read a post about .Net framework being openSource just because there where a few file on a web site. Well the community did not consider .Net framework open Source and i still don't. It's free there some file publish. But it's not open source if you are not really open source.
So why would i consider Duende Open Source since there is part that are close source and can bring me harm. And i'm not able to fork the project if some thinks happened to the main project... Some thinks has happen an OSS project now to the community to find a way to fork and maintain what remain.

I have several quite popular OSS projects, and I do next to zero work on these for free. If one of my projects dies, it's because no one wants to pay for me to maintain it. I suppose that's a form of bait and switch, but I'm not doing free work for people.

Yes and there is several solution to get payed. ReactUI lived for years. And even if they are coupled with MS as i understand they are not financed by it. And use a lot of way to be financed.
There also way to do thinks. There is a huge gap between Free and 12000 usd by year. 1500 by year alone is more than VS and azure/AWS and CI budget on most team i know (Small project but it's also the minimum price).

I'm afraid the decision is made.

Sorry i thougth this issue was intended to discuss a subject. Are you saying we are not allow to talk. I understand the decision was made but the point of us (At least for me) to respond is to make sure you understand that we do not take the fact lightly and it's a really important lost and we hoped to find a solution together. Personnaly i don't ask for you to make an identity server from scratch or even to support it alone. But there is other solution like :

  • a partenaria with keycloak (I never used keycloak but from what i see it's the only OSS solution supported now).
  • Or make the project has a side project with a way to earn enougth to pay for the maintenance....
  • Document to help us implement a solution for small project (project where 1500 usd is actually too much)

One of the reason why .Net framework was not consider Open source was not only because there were not all the file. But also because you cannot discuss to find other solution. To me communication is the point of open source.

Sorry it was a bit long response.

@blowdart
Copy link
Contributor Author

blowdart commented May 7, 2021

@GeraudFabien When I say the decision is made I mean you are free to discuss it, but discussion will not change the decision. Microsoft has an identity solution in AAD, which is free for up to 500,000 objects, and that's where the specialists are. We in .NET provide frameworks for you to build solutions on.

The community also told us loud and clear we shouldn't write our own because it would crush open source projects, and so we didn't.

IdentityServer gives an f5 runnable scenario which is something the community tells us is important. The licensing for commercial use hopefully makes it a sustainable open-source project too.

@schmitch
Copy link

schmitch commented May 7, 2021

The licensing for commercial use hopefully makes it a sustainable open-source project too.

it isn't open source.

IdentityServer gives an f5 runnable scenario which is something the community tells us is important

openiddict, is too.

The community also told us loud and clear we shouldn't write our own because it would crush open source projects, and so we didn't.

yes, but you should also not promote the one which is not open source (especially if there are two)

When I say the decision is made I mean you are free to discuss it, but discussion will not change the decision

uf that is a clear stance, on something so simple as a template, which can easily transfered to duende and they can easily provide a simple way to install them, like dotvvm does (also commerical, at least some parts).

@GeraudFabien
Copy link

The community also told us loud and clear we shouldn't write our own because it would crush open source projects, and so we didn't.

As i say that not what i ask. I just ask for a solution and a documentation for smaller project that can't use this solution. Awesome dotnet doesn't have other solution. So what solution is there to have a server.

And that also why the fact to use it on the template is also a bad idea since the template is also use has base for small project.

@schmitch isn't openiddict only a client? From my souvenir it didn't do server.

@blowdart
Copy link
Contributor Author

blowdart commented May 7, 2021

RPL licensed code is accepted as an open source license.

Of course, the community is also free to fork IdentityServer4 and continue to patch it, but we wouldn't switch to magically.

As for moving a template to Duende, sure, that's possible, but then you end up with no spa authentication templates, or webapi authentication templates at all, as, like I said, we're not using another server, so your solution would mean no templates until you take a guesture, which makes it hard to discover.

@schmitch
Copy link

schmitch commented May 7, 2021

RPL licensed code is accepted as an open source license.

@blowdart

their licens is not the RPL. their license is:

If you wish to evaluate or use the Duende™ software libraries in a Non-Commercial Manner*, you may download and access the source and/or binaries at no charge under the Reciprocal Public License 1.5 (RPL-1.5)(the “RPL”);

https://opensource.org/osd

  1. No Discrimination Against Persons or Groups
    The license must not discriminate against any person or group of persons.
  2. No Discrimination Against Fields of Endeavor
    The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

@GeraudFabien it's a server, a client would be identitymodel

@nenadvicentic
Copy link

@nenadvicentic that's a rather meta question that doesn't fit into a product issue. Perhaps @clairernovotny has a better venue to ask it in?

@blowdart : we're discussing potential ways-out of this situation. So, I'm trying to estimate how feasible and realistic is option of simply continuing to support IdentityServer4, if new maintainers are found. No?

@blowdart
Copy link
Contributor Author

blowdart commented Jul 7, 2021

That's still a community question rather than an aspnet one. The .net has no interest in forking or maintaining IdentitySever.

@jbogard
Copy link
Contributor

jbogard commented Jul 7, 2021

"Simply"

Browser security standards change and evolve constantly as do the client/server protocols. There is nothing simple about any of that. This isn't updating target frameworks every year or so on your spare time, it's several full-time jobs, as has been proven.

@nenadvicentic
Copy link

@blowdart, @jbogard - Wasn't Microsoft and .NET Foundation backing enough for several full-time jobs? Or can it be enough going forward? MS indirectly profited from IdentityServer4 as well. So?

@blowdart
Copy link
Contributor Author

blowdart commented Jul 7, 2021

Duende made their decision. Microsoft respects it and as I've said we already have a product in AAD which we believe offers a safer experience than having an app hold its own credentials.

If the community wants to fork identity server they are free to do so, but Microsoft will not do it as, like we stated, we'll be looking at removing any local production focussed oauth service from all templates.

Again the community can, of course, produce community templates which integrate OpenIddict or any new auth server.

@JeepNL
Copy link
Contributor

JeepNL commented Jul 7, 2021

@blowdart "as I've said we already have a product in AAD which we believe offers a safer experience than having an app hold its own credentials."

Saying everybody should just switch and use AAD is too simple IMO. AAD isn't for everybody and has also some negative sides (besides many positive).

Without the Identity Server templates for (for example) Blazor WASM & Web API Microsoft doesn't offer any template anymore for authorization/authentication with a local DB. I just can't imagine this is what Microsoft wants, specially now that .NET 5/6 is attracting so many new devs. Furthermore oauth isn't the only way that leads to Rome, there are easier (and pretty safe) solutions like this one from Chris Sainty.

My question is: besides oauth is Microsoft thinking about templates (or docs) like the one from Chris Sainty

@the-black-wolf
Copy link

as I've said we already have a product in AAD which we believe offers a safer experience than having an app hold its own credentials.

And this sort of sales mindset is exactly what makes MS a poor custodian of .NET Foundation, riddled with conflicts of interest with CEOs agenda (mind you, in desktop side of .net this conflict is even worse than here, they are openly hostile to any attempts to advance and port desktop development). If .NET Foundation is just a front store for sale of Azure services, you should at least go ahead and admit it so people can plan accordingly for being dependent on you, don't spin this like you are doing us all a service by savings us from the perils of data protection while in reality you are doing a sales pitch for vendor lock-in (and once credentials are stored in AAD, it becomes a vendor lock-in).
These sort of architectural decisions on how a platform should be used should not be up to the maintainer of a development platform, any platform, don't care if its Java, Rust or .net. Development platform should empower, not restrict, because your interests do not always correlate with the interests of platform consumers and you know literally nothing about various local requirements. To that effect, I repeat, at the very least .NET Foundation should include a reference implementation for OpenID Connect and OAuth 2, like Java ecosystem has with MITREId. And you keep actively avoiding that so you can sell AAD, apparently being ecstatic that IS devs decided to compete directly with you for cash. I find failure of not having these features in ecosystem a far bigger problem for overall security than beginners not salting and hashing passwords in their databases.

This all reads like some bizarre EEE story in "open source", executed with all the elegance of an elephant in a glass store. No wonder there is so much resistance even from server side Linux crews to adopt .net core. Everyone is literally expecting the masks to fall off.

Just my 2 cents, but I suspect you are already aware of the emperor's new clothes. Now, let the fanboy pushback begin...

@poke
Copy link
Contributor

poke commented Jul 7, 2021

@JeepNL

specially now that .NET 5/6 is attracting so many new devs

Especially new devs should avoid thinking that they need a custom authentication server. Despite what everyone appears to think, having to roll your own identity provider is a special thing one should only do if you actually know and understand the consequences (and security implications).

@the-black-wolf
I understand your criticism with the .NET Foundation but expecting the .NET Foundation
to “just” ship these things for everyone to use free of charge is also not a solution. Who do you suppose should pay for this? Because this very critical work isn't coming for free and requires a lot of work and dedication.

We got into exactly this situation exactly because all those consumers of open source not giving a shit about the maintainers they continued to rely on. Don't compare this with other foundations which exist with a more healthy open source ecosystem where commercial offers are totally normal and accepted. But no, when this happens in .NET, people complain that Microsoft should provide these things for free — but without them looking for avenues to actually sell anything.

@JeepNL
Copy link
Contributor

JeepNL commented Jul 7, 2021

@poke I'm not talking about an auth sever. Click the second link.

@poke
Copy link
Contributor

poke commented Jul 7, 2021

@JeepNL ASP.NET Core Identity is a very different thing than IdentityServer. The former is not going away so if that's what you are talking about, you are misunderstanding this thread.

@JeepNL
Copy link
Contributor

JeepNL commented Jul 7, 2021

@poke Thank you for your nice comment.

@JeepNL
Copy link
Contributor

JeepNL commented Jul 7, 2021

I really don't have the time (and the energy) for this,. Man oh man, what is it with these devs.

Goodbye,

@kevinchalet
Copy link
Contributor

kevinchalet commented Jul 7, 2021

Furthermore oauth isn't the only way that leads to Rome, there are easier (and pretty safe) solutions like this one from Chris Sainty.

My question is: besides oauth is Microsoft thinking about templates (or docs) like the one from Chris Sainty

@JeepNL amusingly, Chris' blog post is actually all about OAuth:

  • The Bearer HTTP authentication scheme he uses to convey his tokens is a pure OAuth 2.0 concept defined in RFC6750: https://datatracker.ietf.org/doc/html/rfc6750#section-6.1.1
  • The custom flow implemented in the blog post is very close to what's known as the "resource owner password credentials grant" in the OAuth 2.0 world (well, a non-standard equivalent, of course).

It's also interesting to note that Chris used SignInManager.PasswordSignInAsync() in his login action. He probably didn't realize it (I can't blame him, the name is probably a bit confusing), but this method doesn't only check the user password: it also returns an authentication cookie, which makes his method prone to CSRF/session fixation attacks (luckily, same-site=lax will prevent the cookie from being persisted by the browser if the request comes from a different domain, but users depending on older browsers that don't support same-site are definitely at risk). Switching to CheckPasswordSignInAsync() would certainly fix this issue.

If .NET Foundation is just a front store for sale of Azure services, you should at least go ahead and admit it

@the-black-wolf very interesting: I got renewed as a MVP a week ago - like most other MVPs - and this is exactly the criticism I made regarding the MVP program 😃

Again the community can, of course, produce community templates which integrate OpenIddict or any new auth server.

@blowdart well, that kind of contribution could also come from Microsoft, no?

When I read https://github.com/microsoft/dotnet/blob/master/docs/ecosystem-issues.md last year, I really hoped the Microsoft-OSS community relationship would stop being one-way. Things had largely improved when MSFT decided to use and sponsor a third-party OSS project like IdentityServer so it's sad to see the situation is now regressing.

Fun fact: soon after my ASP.NET Core 6 and authentication servers: the real bait and switch is not the one you think post was published, I received a few nice emails. One even suggested that projects like OpenIddict should be sponsored by Microsoft, just like IdentityServer was (and still is, actually). I doubt it will happen due to politics, but I would be very happy if MSFT contributed more to third-party OSS projects: not necessarily by giving money but also by dedicating a little bit of time to these projects.

The truth is they don't: I asked for help to implement Project Tye in the OpenIddict samples (I asked on Twitter and emailed someone from the ASP.NET team): nobody offered to help. Even the very few GitHub tickets I open - like dotnet/runtime#52611 or AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1641 - don't get much traction.

@peter-dolkens
Copy link

peter-dolkens commented Jul 8, 2021

Microsoft has an identity solution in AAD, which is free for up to 500,000 objects, and that's where the specialists are.

Nothing against the dotnet team, as the work they're doing in the space is incredible, - but the AAD product is ... lacking at best. It's slow, clunky, and error-prone, and I've found numerous glaring issues with it even when using it in Microsoft's own products. If you can't get a seamless AAD experience in the Azure Portal, then there's no way in hell I'd trust or recommend it anywhere else.

The beauty of offerings like Identity Server were the performance and ease of use they offered. You're absolutely right that security/auth requires specialists, and that's exactly what @brockallen and his team are.

If anything, I'd prefer to see Microsoft support the Identity Server team (and others like them) more, so they don't need to resort to a paid commercial model, or at least help subsidize the license. The internet is growing more and more security conscious, and you're giving up a gem if you let Identity Server fall to the wayside. AAD has way too much baggage for most use cases. There are places where it's appropriate, but for the majority of users - their new startup isn't it.

Nothing screams "security" like Microsoft Support spending weeks failing to assist us when we deleted the only account that had the super-duper-above-owner-above-co-administrator-above-administrator-no-this-role-is-more-elevated-than-all-the-others role. What did work? Me re-creating the email address on gmail, and signing back up to Microsoft with that account. Voila - the account we had deleted was suddenly super-duper-admin again - back from the dead.

I'm still locked out of billing on half our subscriptions - despite being a billing admin (different account). Nothing screams "user-friendly" like 20,000 default roles to choose from. Ah fuck it, just give them all Owner - that one actually seems to work - right?

And to be clear - yes, I realize there's a reason/purpose for all those roles, but like I said - there's a time and a place. Hell, even just hiding roles that have no impact on provisioned resources would get rid of 19,980 roles, and leave things looking much less intimidating. You shouldn't need to hire Microsoft Professional Services to figure out your Security Roles, just like you shouldn't need to hire Professional Services to figure out Licensing costs - but that's what Microsoft is good at.

@manigandham
Copy link

@JeepNL ASP.NET Core Identity is a very different thing than IdentityServer. The former is not going away so if that's what you are talking about, you are misunderstanding this thread.

@poke I'm afraid you're misunderstanding each other. What @JeepNL is saying is that Microsoft should create and maintain templates and guides for auth, with multiple OAuth providers other non-OAuth scenarios.

I agree completely. After all these comments, I think much of this issue can be resolved if there were a comprehensive set of docs and templates that have working auth setups with a multitude of providers - with clear notice about free, open-source, commercial costs. It would help steer people (both novices and experts alike) to the best choice for their situation without hunting around for blog posts and github threads, and it's far less work than maintaining an entire library. Perhaps still more than what the MS team is willing to do, but I think it's the best compromise for all involved.

@jbogard
Copy link
Contributor

jbogard commented Jul 8, 2021

Why is MS the one that's supposed to fund this? They have a product already, why would they build two.

MS could of course dump money into the .NET Foundation, or take over projects, or put out their own library. None of those leads to a healthy OSS ecosystem. What makes a healthy OSS ecosystem is the community.

If your company benefits from .NET Foundation projects, why isn't your company a sponsor? I'm a .NET Foundation member, and my company pays my annual dues.

If you're only a consumer, you're not truly participating in the community.

@JeepNL
Copy link
Contributor

JeepNL commented Jul 8, 2021

@JeepNL amusingly, Chris' blog post is actually all about OAuth:

@kevinchalet Oops, my bad. I think I should've said 'OAuth Servers' or perhaps "Token Servers" like Identity Server and OpenIddict. It's actually your blog post, which I've mentioned in that comment (first link) why I wrote an extra comment here. I don't particularly enjoy this thread, and I've read each and every comment and wrote a couple.

I would like to have a template (or docs) provided by Microsoft which uses Microsoft Identity and a local DB (for Blazor WASM / Web API's) without the need for an oauth server. And the point you're making about Chris' code "SignInManager.PasswordSignInAsync()" is exactly the reason why such a template is IMO vital, as security is a vital part of every web application. Without it, well, bad things are waiting to happen. (For people who want to comment on this with: "that's why you should pay for IS or use AAD", please don't, you're missing my point.)

I only started using Identity Server because Microsoft supported it with default templates, a whole lot of docs and even support on GitHub. In fact Identity Server was the only templated option for using Individual Accounts with Blazor WASM & Web API. I spent a lot of time learning and implementing Identity Server, so when Duende made their decision to change their licensing terms it came as a bit of shock to me. I didn't anticipate on that. But okay, it's their product and I understand their decision (for the most part) also.

'So what now', I thought. Well, I waited for 7 months for an answer from Microsoft but their 'this decision is final' doesn't offer me (and many other devs) any answers or solutions only more questions. And questions from me on their blog or here about this are being left unanswered (which is a first, thank you very much).

So again, what to do now? Well, there's your OpenIddict which is a great project and I've the utmost respect for you developing and maintaining it. But what about the future? Maybe you'll choose the same path Duende has chosen, and I wouldn't blame you. Or maybe you just abandon it because maintaining such a big open source project just isn't any fun anymore with all the comments/questions you get and the lack of support (and answers to your questions) from Microsoft. And again, I wouldn't blame you.

I don't need an OAuth Server/AAD/Okta for my projects, the code from Chris' blog post is more than enough for me, but it's from 2019. I tried to update it to ASP.NET 6 Preview 4/5 and made a GitHub repo of it. But now you say Chris shouldn't have used SignInManager.PasswordSignInAsync() because it leaves an authentication cookie on the client. And I thought that authentication cookie (with all the info, ie: claims etc, in it) is a vital part of his solution, but you say that's not safe enough for people with older browsers? Well, I certainly don't know, but I would like to learn.

Duende's decision and Microsoft's decision to abandon supporting an oath server for individual accounts all together has also consequences in choosing other OSS libraries. If you can't trust Microsoft anymore to support a vital part of your project, who can you trust? So that's why I like Chris' solution so much. It leaves me independent of any decision anyone makes. For now and in the future.

And to Microsoft pushing AAD here (and on Twitter and everywhere) again and again and not acknowledging other needs I want to say this: Will it be free forever? Can you promise me that? In writing? And what about my data. Is it really mine? FYI: It's a rhetorical question, I don't expect any answers anymore from Microsoft in this thread. Like I said, this thread is everything except fun.

@manigandham Thank you for your comment, that's exactly what I meant. And you describe it far better than me.

@nenadvicentic
Copy link

nenadvicentic commented Jul 8, 2021

@jbogard So we are now in "post open source" world? So let's all move to paid solutions? Last I remember, and it seems like it was yesterday, is MS having mouth full of "open source is the future".

What is the point of .NET Foundation, if not helping OSS projects that Microsoft see a benefit from? Actually, backing by .NET Foundation persuaded (and misguided) too many people to start relying on IdentityServer in production.

So, basically, narrative has changed 180 degrees now.

@kevinchalet
Copy link
Contributor

Duende's decision and Microsoft's decision to abandon supporting an oath server for individual accounts all together has also consequences in choosing other OSS libraries. If you can't trust Microsoft anymore to support a vital part of your project, who can you trust? So that's why I like Chris' solution so much. It leaves me independent of any decision anyone makes. For now and in the future.

Like IdentityServer or OpenIddict, Chris' solution uses Microsoft's IdentityModel project to generate and validate JWT tokens: should this project disappear, he'd be left in an unsupported state like everyone else. You may think that such a critical stack couldn't be abandoned but sadly, you'd be wrong, as history proved that even something heavily used in MSFT's cloud solutions can be severely underfunded. Here's what I posted about IdentityModel in 2016:

It's quite obvious that the Azure AD team doesn't currently have the human resources needed to manage such an important stack. Maybe it would be worth considering assigning new developers to IdentityModel or transferring its ownership to another team? It seems that the WCF team is currently relying on private IdentityModel bits to make WCF work, maybe they would be interested in collaborating to IM?

(amusingly, that thread was almost immediately closed by @blowdart. I'm glad he's now less inclined to close important discussions so quickly 🤣 )

So again, what to do now? Well, there's your OpenIddict which is a great project and I've the utmost respect for you developing and maintaining it. But what about the future? Maybe you'll choose the same path Duende has chosen, and I wouldn't blame you. Or maybe you just abandon it because maintaining such a big open source project just isn't any fun anymore with all the comments/questions you get and the lack of support (and answers to your questions) from Microsoft. And again, I wouldn't blame you.

Regarding OpenIddict, I started working on it in 2015 and well, it's still here, free and open source 😄
While this doesn't say much about its future - tho I said multiple times I was not interested in making it a paid thing - you're right: you have no guarantee whatsoever. But this is true for every piece of software, paid or free, developed by third-party vendors or by MSFT itself: Katana had a great OAuth 2.0 authorization server (OAuthAuthorizationServerMiddleware, that heavily inspired me when creating OpenIddict). It was massively used - since it was part of the VS templates - but it was never ported to ASP.NET Core.

At some point, it's sadly a risk you have to accept. And the less you contribute to and sponsor OSS projects your business depends on, the greater the risk is.

@JeepNL
Copy link
Contributor

JeepNL commented Jul 8, 2021

Like IdentityServer or OpenIddict, Chris' solution uses Microsoft's IdentityModel project to generate and validate JWT tokens: should this project disappear, he'd be left in an unsupported state like everyone else. You may think that such a critical stack couldn't be abandoned but sadly, you'd be wrong, as history proved that even something heavily used in MSFT's cloud solutions can be severely underfunded. Here's what I posted about IdentityModel in 2016:

Haven't thought about that! I can't imagine it will happen, but you're right because recently I've been 100% wrong about 'something' similar :) And seeing how Microsoft is pushing AAD here and now, it is something I should anticipate on. OMG, I think I'm having a little panic attack right now 😉

The difference with Crhis' code from his blog post with Identity Server and OpenIddict is it's all what I need and it is simple enough for me so I could maintain it myself with some help from others and available docs about Microsoft Identity, as long as it is supported, yes.

In the next coming weeks I'll reserve some time to play with OpenIddict because you'll never know what can happen next and having more options sounds pretty smart to me right now. Thank you for your reply.

@clairernovotny
Copy link
Member

clairernovotny commented Jul 8, 2021

The .NET Foundation exists to provide support and services to its member projects, grow the .NET developer userbase, and help ensure the health of the ecosystem. It does not control member projects. We provide things like CLA bots, code signing services, legal and other professional services, cloud hosting, and more.

Microsoft does not control the .NET Foundation; its board does and the board is elected by the members. Our annual election is coming up and I welcome everyone to join as a member and vote.

The Foundation is not a front for Azure or any other provider. Amazon AWS is also a sponsor and we regularly promote their .NET content. We want to see and promote the use of .NET everywhere.

@nenadvicentic
Copy link

@clairernovotny Thank you putting it in very clear words. This is what I assumed from Microsoft's .NET Foundation announcements back in the day.

I just want to emphasize "grow the .NET developer userbase, and help ensure the health of the ecosystem." and maybe add direct/indirect help funding projects.

Nobody implied that Microsoft controls .NET Foundation, but - .NET Foundation can hardly create healthy .NET ecosystem, if .NET Core teams within Microsoft make decisions going against it. For example, topic of this thread - not recognizing a benefit of (real) OSS OpenID Connect solution implemented in .NET, even if with most basic level of features.

Instead, we had arguments here like "Microsoft backed OpenID Connect server would ruin OSS", ".NET does not have proper OSS community", "software can only be supported if it's paid", "move everything to AAD", etc....

@vivainio
Copy link

vivainio commented Jul 8, 2021

Microsoft SHOULD do the following:

  • Wire me 7400EUR
  • Create that example application they said they would do in the beginning of this thread, as an open source project
  • Allow that open source project to grow to be minimally production viable in toy scenarios (internal demo systems etc)

@rizamarhaban
Copy link

Okay, as deep as I read and try to understand, I think we could close this discussion for IdentityServer being part or built-in on the .NET. We should respect Duende Software decision and whatever Microsoft decision as well. I also think @clairernovotny make a clear explanation on the .NET Foundation position and their members regarding OSS projects.

Let's move on and keep supporting OSS. We are the one who use it, we learn from it, we contribute, we leverage from it, and we love it. So, let's support it and there is always an option.

@blowdart: IMO, this discussion will go nowhere as both parties had made their decision firmly. Regarding .NET 7 OpenId Connect tooling initiative, I think we can have separate issue thread on the matter. Looks like interesting to discuss.

@blowdart
Copy link
Contributor Author

blowdart commented Jul 8, 2021

To be frank, which obviously I'd prefer folks to use AAD, because I believe we provide a better experience for that, I'd be happy with any managed identity provider rather than you having a local database full of credentials, and the management and gdpr headaches that involves, be it okta, amazon, google or whomever.

@blowdart
Copy link
Contributor Author

blowdart commented Jul 8, 2021

However, yes, I think this has run its course as an issue, so I'm closing it.

The approach isn't going to change until .NET 7, and when we're planning for that a new issue on a test server and its features will appear for comment.

@blowdart blowdart closed this as completed Jul 8, 2021
@rizamarhaban
Copy link

rizamarhaban commented Jul 8, 2021

My last comment here:

I'd be happy with any managed identity provider rather than you having a local database full of credentials, and the > management and gdpr headaches that involves, be it okta, amazon, google or whomever.

@blowdart We all do and I believe we all agreed. However, sometimes we just want to develop locally first using OpenId Connect. And we can do it on a beach without internet connection or just for simple Run. Otherwise, we might need internet connection just to test client credentials. I mean an IoT device must test and must register the web API, setting up configuration via portal, etc. It is a bit counter productive IMO.

Here is my input for Microsoft

Could there be some kind of AAD emulator like Azure Storage or Cosmos DB emulator? If we can do this. All problem solved, at least for me.

@blowdart
Copy link
Contributor Author

blowdart commented Jul 8, 2021

Funnily enough that's what I'm looking at providing.

@dotnet dotnet locked as too heated and limited conversation to collaborators Jul 8, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests