Planning about the IdentityServer Upgrade/Switch #7221
Comments
For now IDS4 is great, so I'd personally stick with it for a while until we know how this changes things. The Duende special offers page says it is free for open source projects, development environments, charities and small companies. It might be worth you guys sending Duende an email to see how you can partner up to offer IDS5 to your commercial clients, to make the process simpler for the client and potentially generate sales for Duende too? For example, they offer ISV licensing too.
IDS4 is great atm. No need to change: "This repo will be maintained with bug fixes and security updates until November 2022." Wait for the complete .NET 6 MS roadmap for a possible/alternative switch: dotnet/aspnetcore#27883
I/we agree with sticking with IDS4 for a preset period (1 year/.NET 6 release), although I do think we should consider a fork-and-maintenance approach if no solution arises in time. I think this community has the capability of carrying the load that comes with it. Also, can this important issue be pinned? I think it is quite important that people give their opinion.
Pinned the issue. Thanks for the reminder.
I agree that sticking with IDS4 is currently the best option (at least this year). After that, I hope that MS finally comes with its own solution.
Sticking with IDS4 for the time being sounds good. Microsoft will surely tackle the issue sooner or later; they chose IdentityServer because it was free and open source. Now they have to decide on this once again. I took a quick peek at Duende. Licensing seems quite restrictive. At the Starter edition ($1500) it's limited to a single issuer URL with 5 OAuth clients. Correct me if I'm wrong, but it seems like a bad deal for SaaS with tenants, which is one of the great strengths of the ABP framework. I believe IDS4 has this unlimited? With Duende that would be $12000/yr. Whoa 🤯.
Yeah, I found the same, although Duende's license table has improved in 1 month; I was trying to look for open (free) gaps in the licensing, but the RPL just makes it near impossible, and we're not even commercially involved. Do you guys think MS will pick this up? I heard some very mixed reactions on IDS's repo/blog about how MS ignored this whole situation. What will make it different in future? What is their incentive?
Hello, personally I have already used OpenIddict, and I think it will be a good alternative. Regards
I think there should definitely be an OpenIddict module, to be able to choose between IDS4 and it.
Also, we should consider passwordless auth through FIDO2/WebAuthn. https://deblokt.com/2020/01/24/08-part-1-identityserver4-mfa-fido2-yubikey-5-net-core-3-1/ put us on the right track, and https://webauthn.io/ helped us to understand how it works. Would be nice not to worry about phishing attacks, eh?
As I said on another issue, maybe Keycloak (https://www.keycloak.org/) can be an alternative.
While possible, it's not something the .NET community will ever pivot to. It's written in Java, .NET's mortal enemy, you know 😅. You'd need a separate setup and use an adapter to talk to it. OpenIddict would make much more sense.
Yes, it's not possible, but not because of Java vs .NET; it's about self-hosting the application with the identity provider. Adding Keycloak will add more frustration on top of an already complicated solution.
Are you considering integrating Dapr and using a sidecar to integrate with other open-source identity servers?
Microsoft on the topic:
OpenIddict seems the best approach. For a smooth transition, we will try to support both. Has anyone had problems with OpenIddict before? :)
I think we should add an adapter layer for the authentication/authorization module. Let the user choose the option. The old projects will be impacted too much if switched directly.
I think most of the above posts are just a continuation of a not-the-best implementation of authentication. Even the first post, directly from an ABP developer, doesn't solve ABP's biggest issues with OAuth. ABP is tightly coupled with IdentityServer, and it's not as simple as just switching. We would suggest it be completely redesigned so ABP supports different OAuth providers. We are, however, inclining toward a solution where ABP would add an adapter for authentication. This way users can add any providers they want very easily instead of having to change a lot of core ABP files. Not all users want to use IdentityServer, or Duende, or OpenIddict... the only solution that is set by default from ABP. Different users have different OAuth needs; we found fixation on a single OAuth provider without the ability to easily switch the provider to be a big setback and limitation of ABP.
I agree that we must decouple things from IDS4. There are many interesting projects out there that can be an excellent alternative. I also hope the priority of this will be stepped up.
Is there a clear time/plan to complete this feature? Our business users are always concerned about the identity server's future.
With version 6 onwards Duende is changing its licensing model; the Community Edition will no longer have any limits and will be feature-equivalent to the Enterprise Edition. Duende IdentityServer v6 released
That's good news, but it's still 1,500 USD / year for companies making >= one million USD gross annual revenue. We have switched to OpenIddict.
Hi, why not suggest a template with Azure AD B2C as the primary identity provider?
We are currently working on a solution. We will try to make it as easy to change as possible. So, anyone can use, for example, Azure, Okta or Keycloak and completely drop ABP's IdentityServer and even the Identity module. Let's see the current situation:
So, if we drop IDS and only provide an external login (like Keycloak, Okta, Azure, etc.), it won't even be possible to run the Angular and Blazor UI without a cloud provider or an external process (like a Keycloak server). I believe no one wants that, especially if you are building a relatively simple application and all you want to do is log the user in to your application. So, in that case, we should also support a built-in authentication server that is capable of implementing some or all of these auth flows. If we should provide a built-in auth server, we have two possibilities now:
I don't know any other mature open-source project that can add embedded auth server functionality to your application. We will definitely support external providers (like Keycloak, Okta, Azure, etc.) (actually it is currently possible because ABP is modular and IDS is a removable module, but we will try to make direct integrations or prepare guides to show how to do that). However, we don't have a flawless solution for the built-in auth server; even Microsoft doesn't provide a solution, you know, so how can we do it :) This is a big problem in the .NET platform right now. I will write here as we make progress. It would be appreciated if you write your thoughts.
We recently built our own auth server using OpenIddict + ASP.NET Core Identity. At first it seemed like a huge amount of work compared to IDS, but in the end it was pretty straightforward, and the result is flexible and powerful. With ABP you already have a lot of pieces in place. Yes, there is no guarantee OpenIddict will always be maintained and free, but hey, that's the nature of open source :) And by committing to it you will increase its chances to prosper.
@gerryge I didn't remember this, I will check it, thanks 👍
Hi all, I've created an announcement for this topic. You can continue the conversation there if you like: #11989
@vijay2358 please write to [email protected]. I can see emails coming here. Thanks.
Duende IdentityServer has been released: https://blog.duendesoftware.com/posts/20210114_v5_release/
Now we have a few options:
We welcome any suggestions.