Developers weren’t happy when identity and access control software company Duende commercialized its open source IdentityServer product in December 2022, while also initially deleting its supporting documentation from GitHub.
Rock Solid Knowledge (RSK), a software development company based in Bristol, UK, is a longstanding contributor to the IdentityServer community and has now set out to keep an open source authentication infrastructure platform alive.
RSK decided to fork the project and maintain an open source identity security offering with the same (but now expanded) set of authentication technologies as the original project; the new Open.IdentityServer platform was released on Tuesday.
RSK’s founder, Andrew Clymer, tells The New Stack that “free software doesn’t have to mean abandoned software” and that IdentityServer4 left behind a huge community that still deserves a future.
“Open.IdentityServer gives those abandoned developers a modern, supported path without forcing a commercial decision on day one. Open source succeeds when adoption comes before monetization,” Clymer says. “Open.IdentityServer demonstrates you can have a professionally maintained platform that’s free forever while still building a sustainable business around commercial extensions and services. We think that’s a healthier model for everyone.”
A manifesto by RSK published this month states that Open.IdentityServer will remain free and open source. It said that commercial offerings will remain optional and will “finance the free core,” but that the open source community will “always have a voice” in the direction of the project.
Based on the Apache 2.0-licensed IdentityServer4 codebase, the platform provides an OpenID Connect and OAuth 2.0 framework for .NET applications, supporting token-based authentication, single sign-on, and API access control. The first release, Open.IdentityServer v1.0.0, was published on June 1.
The DuendeArchive page on GitHub states that IdentityServer4 contains “multiple known security vulnerabilities and bugs” and that its documentation is outdated.
Head of customer success at Duende Software, Maarten Balliauw, blogged on his company’s own pages to confirm that IdentityServer4 went out of support when .NET Core 3.1 reached its end-of-support date, as previously stated back in December 2022.
“IdentityServer4 contains several known security vulnerabilities and bugs, while at the same time providing outdated documentation and information,” writes Balliauw in a post published in March of last year.
According to Balliauw, the repository displayed a warning about these issues for years, alongside similar flags on its NuGet packages (NuGet is the .NET package format: a zip archive containing compiled libraries and metadata, used to share and reuse code between .NET applications). Even so, Duende saw that the “source code was still being cloned”, meaning developers were still consuming the unsupported packages and putting them into production.
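A practitioner reading the above will want to know whether their own estate still pulls in the unsupported packages. The script below is an added example, not code from this article, Duende or Rock Solid Knowledge: it walks a .NET source tree and reports every `<PackageReference>` whose package ID is `IdentityServer4` or starts with `IdentityServer4.` (the real NuGet IDs of the retired packages). The two `.csproj` files it writes are constructed for the demonstration; the function names are the example's own.

```shell
#!/usr/bin/env sh
# Added example: inventory a .NET source tree for references to the
# unsupported IdentityServer4 NuGet packages. Not part of the article or of
# either vendor's tooling. Matches package IDs "IdentityServer4" and
# "IdentityServer4.*" in <PackageReference> elements of *.csproj files.

find_is4_refs() {
  # $1: root directory to scan.
  # Prints one line per hit: <csproj path>:<package id>:<version|unversioned>
  find "$1" -name '*.csproj' -print 2>/dev/null | sort | while IFS= read -r proj; do
    # Pull each PackageReference element out, then keep only IdentityServer4 ones.
    # Attribute order (Include before Version or not) does not matter here.
    grep -o '<PackageReference[^>]*>' "$proj" |
      grep 'Include="IdentityServer4\(\.[^"]*\)\{0,1\}"' |
      while IFS= read -r tag; do
        pkg=$(printf '%s' "$tag" | sed -nE 's/.*Include="([^"]+)".*/\1/p')
        ver=$(printf '%s' "$tag" | sed -nE 's/.*Version="([^"]+)".*/\1/p')
        # Central package management leaves Version off the element.
        [ -n "$ver" ] || ver=unversioned
        printf '%s:%s:%s\n' "$proj" "$pkg" "$ver"
      done
  done
}

count_is4_refs() {
  # Number of IdentityServer4 package references under $1.
  find_is4_refs "$1" | wc -l | tr -d ' '
}

make_sample_tree() {
  # Constructed sample: one project still on IdentityServer4, one clean API.
  root=$(mktemp -d)
  mkdir -p "$root/Auth" "$root/Api"
  cat > "$root/Auth/Auth.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="IdentityServer4" Version="4.1.2" />
    <PackageReference Version="4.1.2" Include="IdentityServer4.EntityFramework" />
  </ItemGroup>
</Project>
EOF
  cat > "$root/Api/Api.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.0" />
  </ItemGroup>
</Project>
EOF
  printf '%s\n' "$root"
}

# Usage: find_is4_refs /path/to/checkout
# On the constructed tree this prints the two Auth.csproj references and
# nothing for Api.csproj.
```

Run it against a monorepo checkout and feed the output into whatever ticketing or SBOM process you use; a non-zero count from `count_is4_refs` is a reasonable CI gate while a migration is in progress.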
A Duende IdentityServer Community Edition with the same features as the Enterprise Edition remains available for use by individuals, not-for-profit companies with less than 1M USD projected annual gross revenue, and non-profits with less than 1M USD annual budget.
As admirable as this appears, RSK’s Clymer isn’t won over.
“This approach only works for a small number of organizations and early startups,” he says. “When your startup business starts to take off, you don’t want to get hit with a bill or face an expensive migration to another platform. Businesses need certainty, no large annual price rises. Open.IdentityServer provides this ‘for free, forever’, and that’s a pledge we’ve made in our manifesto; this is not a short-term initiative, we are here to invest in the platform, protect it and grow it.”
RSK frames the fork as a return to the project's open source roots: the launch of Open.IdentityServer, the company says, brings the kernel of IdentityServer closer to where it started. The model is a free, production-ready core that organizations can supplement with optional commercial products, services, and enterprise support.
Should the forking of a decommissioned open source project be taken as a model for other cases of this kind, if and when they occur? Is this a viable long-term strategy for sustaining critical developer infrastructure in the face of proprietary lock-in?
“Absolutely, that’s what it is,” confirms Clymer. “A fork is only viable if a team of developers is prepared to own it for the long term… and we are. Open.IdentityServer isn’t a side project; it’s the foundation of our business, which gives us every incentive to keep it secure, modern, and actively maintained.”
Open.IdentityServer is bright, shiny, and new, so the team is naturally bullish about ease of use and platform purity. Teams currently locked into Duende's commercial license, or still running unsupported IdentityServer4, may doubt that migrating an existing IdentityServer deployment to Open.IdentityServer is as simple as it sounds; there is rarely such a thing as a free lunch.
“We’ve catered for that consideration, fully and comprehensively,” assures Clymer. “It’s super straightforward, and our team has produced explainer videos that show how it can be done in less than 10 minutes when software engineers migrate from Duende. Open.IdentityServer schema is compatible with Duende, so there are no database migrations; just change the NuGet packages, and you are pretty much done.”
Clymer asserts that these mechanics make it “very easy to evaluate” whether this platform is right for any given deployment. For new builds, there’s a template that gets developers up and running in less than 30 minutes, with a UI for managing configuration.
As for open source pedigree, RSK is also a longstanding contributor to ecosystems such as IdentityServer, OpenIddict, and the Umbraco CMS.
Open.IdentityServer is available on GitHub, where Rock Solid Knowledge maintains the public repository and documentation and welcomes contributions from the wider community.