4

IdentityServer4 is open source version supporting .Net Core 3.1 and I got to know that next version is not open source and requires a license.

We need to use IdentityServer in a .Net 6 project.

Can we take IdentityServer4 source code from github and upgrade it to Net 6.0 and use it? Are there any limitations?

Kévin Chalet
  • 39,509
  • 7
  • 121
  • 131
Ramakrishna Bandaru
  • 49
  • 1
  • 3
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Dec 03 '21 at 20:40
  • This is more of a legal question about licensing. You may be allowed to fork it prior to the license change, but then you're on your own to maintain it, and security is something most people/companies aren't qualified to maintain themselves. – brichins Dec 30 '21 at 22:35
  • You don't need to run identity server on .NET 6. Its very viable to run IdSrv4 on .NET 3.1 as its own project (which is the normal usage anyway) and have your other services that auth against it be .NET 6 – Tseng May 14 '22 at 20:15

1 Answers1

4

That isn't how Apache licensing works. You absolutely can fork the open source identity server 4 3.1 version and port each component to 6 legally. The authors can be rankled by it, but the license -cannot be revoked- , it lives in perpetuity. Here is the blurb on the ID4 license: https://github.com/IdentityServer/IdentityServer4/blob/main/LICENSE "A permissive license whose main conditions require preservation of copyright and license notices. Contributors provide an express grant of patent rights. Licensed works, modifications, and larger works may be distributed under different terms and without source code." and can be used for + Commercial use + Modification + Distribution + Patent use + Private use

You can see it doesn't say the license is revoked, but that you have to credit them in the source code + License and copyright notice + State changes. That is because Apache 2 licenses are un-revokable.

and from the Apache License itself The Apache License 2.0 section:

"Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form."

I'm no attorney, but, as has been stated all over the interweb if FOSS software authors could -after the fact- revoke licenses, -nobody would risk using them- as they could have predatory companies just wait for a product release and then BAM....lawsuit. Sounds like a great predatory business to start...like ambulance chasers but in the software field.

Here is what the actual attorneys think about it: https://www.zdnet.com/article/no-you-cant-take-open-source-code-back/

Jonathan Lewis
  • 49
  • 4