Who's still on IdentityServer 4, and why?

[maartenba]

When looking at NuGet, I noticed IdentityServer 4 still has many downloads. Which makes me curious: who's still on IdentityServer 4, and why?

Is it because your solution is locked on an older .NET version? Is it OSS vs. license? Is it a case of "it's deployed, we don't touch it anymore"?

Would love to hear your reasons!

[aarondglover]

Combination. If it ain't broke don't touch it and the license.

Deployed it for a fairly small application with a couple hundred users. Was definitely overkill for our application but saw it as an opportunity to learn to do Auth the 'right way'... But change of license crueled my interest and I don't want to break things for something which was overkill in the first place.

[maartenba]

Thanks, that's very insightful (and also was one of the things I'd expect here)

As a follow-up, if this solution is still in production, how do you mitigate security/vulnerabilities for it?

[nickverschueren]

We are in the process of moving away from IdentityServer 4. We would have loved to move to Duende IdentityServer, but the pricing really made that impossible. We do not have a lot of users, mainly a couple of backoffice applications for our products, but we do have a lot of services providing data to these applications and interacting with each other, about 50 in total. This means Enterprise edition in your current pricing model which is prohibitively expensive.

[maartenba]

Would you qualify for the community edition based on revenue?

[nickverschueren]

Not by a long shot, but we are not a software company. We have a lot of products and services worldwide. However we have to justify our costs relative to the contribution that our software makes to the overall turnover of the company. In that respect we cannot justify spending 20K per month. That would more than wipe out the profit for the activities that this software relates to.

[maartenba]

Got it, thanks! 20K per month seems a bit excessive. Enterprise plan is 20K per year currently. Feel free to reach out to me (maarten at duendesoftware com) if you'd like to discuss.

[ghlund]

I tried to procure a license for IdentityServer in the company I'm working with but our legal department refuses to accept your offer. As I understood it we could end up in a scenario where we need to pay you money if we do something bad with IdentityServer and the amount of money was in the range of millions of dollars.

So right now we are stuck on IdentityServer 4 and can't procure a license from Duende because of your terms so we need to find something else like Keycloak or whatever to solve our needs.

Anything you know anything about? Any plans to change this?

[ghlund]

My first idea was actually just that, try to fire the legal department ;)

But their points kind of make sense:
"The largest problem is unbalanced liability"
"Our view is the liabilities should be bilateral and capped to annual invoicing"

[ghlund]

The license cost is not a problem because that we have customers paying for.

But risking millions of dollars of our owners money is not something I'm allowed to do.

[maartenba]

@ghlund would you mind reaching out via maarten at duendesoftware so I can do some research internally?

[ghlund]

Sure :)

[maartenba]

Meanwhile followed up and happy to discuss/keep going in e-mail, seems this is a difference in viewpoint between lawyers that they would need to discuss.

[sebastienlabine]

When looking at NuGet, I noticed IdentityServer 4 still has many downloads. Which makes me curious: who's still on IdentityServer 4, and why?

Is it because your solution is locked on an older .NET version? Is it OSS vs. license? Is it a case of "it's deployed, we don't touch it anymore"?

Would love to hear your reasons!

I have to say that I'm fairly dissapointed in this company. You proceed to ask this question before wiping everything off the internet about IDS4. I understand the push for your paid product, but by doing so you can be sure I'll never opt for this paid product.

[maartenba]

The question was a personal one from my side, and genuine curiosity into reasoning. Combining both I understand how this can be seen.

Regarding the IdentityServer4 repository - our fork has been made private. There are over 2000 forks available on GitHub for anyone to continue working with.

If anyone wishes to maintain a fork, they are fully entitled to under the Apache 2 licence terms.

There are multiple important reasons why we made our repositories private. IdentityServer4 went out of support when .NET Core 3.1 reached end of support (December 2022). It contains multiple known security vulnerabilities and bugs, while at the same providing outdated documentation and information.

The repository displayed a warning about this, as do the NuGet packages, they are still being cloned and used - with folks actively putting vulnerable code into production.

We can not in good faith keep code on the Internet that will cause security issues for users.

[maartenba]

(offtopic) I see in your company profile that I'll be in your city next week - happy to have a coffee together if you'd like.

[damianh]

As a gesture, we’ve made the IdentityServer4 repository public temporarily so that you make your necessary arrangements for Smartbills. The repository will revert to private on Feb 28th. See Maarten's comment below.

Thank you.

[sebastienlabine]

@maartenba @damianh Appreciate the gesture, but it's about more than just the code. All the legacy issues, discussions, documentation, and solutions that were there will all be gone, making life harder for anyone still relying on it, while making sure identity server 4 deranks from google.

Also, as @d0pare said, by simply by looking how it was exectued and with your explaination it's clear it's a business move, which I totally understand. I don’t blame the business decision, I blame how it is executed, it’s but it's truly unfortunate for the community. A lot could have been done differently.

[maartenba]

Thanks folks for feedback here! We have just made the repo public again in an archived state, along with some other updates to balancing the issues still being available, but making it a more intentional step to go look at the code (switch branches). https://blog.duendesoftware.com/posts/20250306-identityserver4-public-again/

[d0pare]

Why did you delete the IdentityServer4 repository instead of archiving it?

You also changed the statement that you were going to archive it. IdentityServer/.github@a77f7c8

[maartenba]

Expanded on the reasoning in https://github.com/orgs/DuendeSoftware/discussions/36#discussioncomment-12261407

[damianh]

As a gesture, we’ve made the IdentityServer4 repository public temporarily so that you make your necessary arrangements. The repository will revert to private on Feb 28th.

Thank you.

[d0pare]

I'm asking this question only because IdentityServer has sentimental value for me. I learned a lot about OAuth, explored it, and made a few minor contributions, which made me feel proud. Saying there are 2000 forks, but we will hide the repo because it has a security issue doesn't feel right.
I can understand if this is a pure business decision to limit liability and improve your copyright protections.
Anyway, wanted to share my perspective. Wish you the best and thank you for maintaining this beautiful open-source project for so long.

[maartenba]

As a follow up - we have made the repo public (and archived) again permanently. We think we found a good approach to balancing the issues etc. still being around, the code still being there, but making it a more intentional step to go look at it. (thanks to @ChrisSimmons for their suggestion https://github.com/orgs/DuendeSoftware/discussions/36#discussioncomment-12357031)

[ddonabedian]

We switched to SimpleIdServer, it's free, open source, feature rich and actively maintained: https://github.com/simpleidserver/SimpleIdServer

[ChrisProlls]

What is your feedback on using SimpleIdServer on production ? We have +100 OpenID clients that will need to be registrered into the identity server, will it scale correctly ?
And how is it customizable ? For ex, we have a use case where we need to change the encryption of the JWT token, is that possible ?

[simpleidserver]

@ChrisProlls : Hello, I'm the lead maintainer of SimpleIdServer. The solution is scalable, and some users have already migrated from IdentityServer to our platform, successfully running it in production environments.

SimpleIdServer differs from IdentityServer in that we are developing a fully open-source IAM solution, making it more comparable to Keycloak.

The solution is highly customizable through the administration website—technically, almost anything is possible. However, we do need more technical documentation. :)

If you have any suggestions or questions, feel free to create tickets in our project!

[maartenba]

Thanks folks! Please continue the discussion over at https://github.com/simpleidserver/SimpleIdServer (let me know if this needs to be another link)

[gitSergeyK]

It's because we deeply integrated it with our already existing authentication system as an authentication front-end. And supporting our integration code in our own fork.
Honestly, IdentityServer4 was almost industry standard for some time, have lots of documentation and Q&A worldwide and closing the repository is a very questionable decision. Duende will probably be remembered not as "guys who supported the best C# OpenId implementation", but as "morons who buried a great opensource project, don't have any business with them". Still hope that you will reconsider.

[maartenba]

Thanks! Reasoning for the repo in https://github.com/orgs/DuendeSoftware/discussions/36#discussioncomment-12261407

[ChrisSimmons]

Maarten, I don't use IdentityServer 4 any longer but I must admit I'm a little sad it's now been hidden from the public. To be clear, I completely understand and agree with your position on not wanting this now outdated (and broken from a security modernity standpoint) code gone. I would feel the same. Would it instead be possible to, say, wipe out everything but the README.md, commit that to main, (re-)archive the repo, and restore public visibility to the repo? There is a wealth of instructional value lost in the code, and additional value in the many issues filed. I hope an arrangement like this meets with your personal views and the legal position of Duende.

Whatever your response to this, I want to offer my thanks to you and Duende. I learned so much about this area of technology from the years I did use the product. I wish you all nothing but great success!

[maartenba]

We have been discussing this over the past few days and have decided to keep the repo up, but in a DuendeArchive repository (and the main branch cleared out in favor of an archive branch, as you suggested).

Full reasoning: https://blog.duendesoftware.com/posts/20250306-identityserver4-public-again/

Thanks for your feedback here!

[ChrisSimmons]

Excellent news, @maartenba!