by melony
1483 days ago
Their official "SPA API Auth" involves paying for a third-party OAuth server (called Duende IdentityServer; the ASP.NET Core built-in auth solution, on the other hand, is called ASP.NET Core Identity), and Microsoft refused to ship their own server because that would be "competing with the open source community" (there are multiple long GitHub threads on this which Microsoft product people would lock and mute). I wonder which PM got kickbacks for that decision. Originally Duende IdentityServer was free under Apache, and then they immediately turned into a paid solution after they became the "official" solution for API Auth.

Microsoft also claims that standard cookie auth cannot be used for API Auth in a SPA scenario (their security engineers insist that you use JWTs); if you look through their GitHub issue threads, the ASP.NET Core engineers seem to believe that the default ASP.NET Core Identity generic cookie auth is for MVC only and it is "not recommended" for use with SPAs.

https://docs.microsoft.com/en-us/aspnet/core/security/authen...
https://duendesoftware.com/products/identityserver

They like to hide their dirty laundry behind clever developer advocacy teams and drown it in GitHub bureaucracy, but here are some examples:

https://github.com/dotnet/AspNetCore.Docs/issues/25832
https://github.com/dotnet/AspNetCore.Docs/issues/7644#issuec...
https://github.com/dotnet/AspNetCore.Docs/issues/24157
https://github.com/dotnet/AspNetCore.Docs/issues/18524

Their PMs are not building an open source product in good faith. As far as they are concerned, ASP.NET Core primarily exists as a funnel to send customers into Azure or to buy stuff from Microsoft partner companies. Imagine if Vercel one day removed the standalone server hosting option and required you to pay for their serverless cloud to use important features. This is what Microsoft is doing here right now with ASP.NET Core.

If you lock your stack into their ecosystem, then be prepared to spend money either on redundant cloud subscriptions or on developers reinventing the wheel on core features.
I somewhat sympathize that Duende's unpaid support costs went up once Microsoft pointed a lot of heat their way by including it in official samples, and they should get paid for support. I also somewhat sympathize that closing their source was seen as the easiest option to redirect the community to paid support plans.
But it's still a jerk move in the Open Source community to have code be open source for more than a decade and then close it simply because it was used in one tutorial/sample too many.
Sure, Microsoft could have offered sponsorships or other help, had Duende asked. Supposedly Duende didn't ask; their first public response was when they immediately went closed source, because apparently they never really cared about Open Source.
There are people not building an open source product in good faith in this story, but it doesn't seem to be Microsoft (surprisingly).
Microsoft probably should replace IdentityServer with something that actually wants to be good Open Source in the samples again. They are between a rock and a hard place because if they fork the last Apache versions of IdentityServer they look like the bad guy for "stealing" Duende's work at that point, and they can't resurrect their old code because it was bad. They probably have to wait for some third party fed up enough with paying Duende for bad faith Open Source to make their own fork.