Microsoft to fix longstanding issues with Identity in .NET, drops dependency on commercial IdentityServer

Microsoft to fix longstanding issues with Identity in .NET, drops dependency on commercial IdentityServer
A fix

The forthcoming .Net 8 will fix key issues in ASP.NET Core identity libraries, including removing a dependency on a commercial product which could land developers with license fee obligations simply by using a Visual Studio template, and working better with Single Page Applications (SPAs),

The first of these issues dates from October 2020 when the maintainers of a popular open source .NET framework for identity and access control, called IdentityServer, concluded that their sponsorship-based business model was not working and said: “The current version (IdentityServer4 v4.x) will be the last version we work on as free open source.” Duende Software’s IdentityServer requires a paid license if used commercially by organizations with more than $1 million annual revenue.

This was a problem for Microsoft because IdentityServer was a dependency of the ASP.NET Core libraries, when used for issuing JWTs (JSON Web Tokens) for SPA and Blazor applications. In May 2021, Microsoft said “the .NET team are not OAuth and OIDC [OpenID Connect] experts” – a remark which came as a surprise to many – and that it would continue to ship IdentityServer in its templates. The impact was that many developers either had to replumb their identity code or put up with a substantial fee of $12,000 annually. “The problem with this is not the commercialization of it – I have no quarrel with developers who need to make a living – it’s the size of the gap between free and supported,” said one developer at the time.

Microsoft now says it will fix this in the forthcoming .NET 8. “New endpoints will enable token-based authentication and authorization in Single Page Applications (SPA) with no external dependencies,” said principal program manager Jeremy Likness. “We plan to remove the dependency on Duende’s IdentityServer from our SPA templates.” Developers will be able to continue with the Duende solution if they choose, but it will not longer come by default.

The Duende libraries included by default in some ASP.NET Templates can require license fees of $12,000 annually if used commercially

Along with this change, the company promises to fix another issue with its SPA templates – that the simple “individual accounts” option in ASP.NET Core identity management, where user accounts are stored in a customer-managed database, is not actually compatible with the SPA model.

“The traditional way to customize the identity-related pages forces your app to revert to server-rendered web pages,” acknowledged Likness.

This will now change, with the identity platform adding support for token-based authentication, fitting better with SPA frameworks like React, Angular and Blazor.

Getting authentication, authorization and identity management right is hard. Using the Visual Studio templates is great for ease of use, but managing identity still requires care, as Microsoft itself was reminded when researchers discovered a misconfiguration in an application intended for internal use. According to the researchers, “25% of all the multi-tenant apps we scanned were vulnerable to authentication bypass,” where developers have successfully required an Azure AD login, but not verified that the login is from a user entitled to use the application.