A Great Time To Upgrade From IdentityServer4 To Duende IdentityServer

Khalid Abuhakmeh, Dan VanHoozer

.NET 10 is out.

This likely means you and your team have been, or are starting to consider, the path of stability, predictability, and reduced maintenance overhead that an LTS offers for your applications. If that’s the case, we assume you may also be asking yourself and your team, “How secure is our IdentityServer4 implementation?” Or maybe it’s, “Hey, .NET 10 is out. Wait. Is IdentityServer4 supported?” Or that custom security solution that you hurriedly implemented years ago is now causing you more pain and heartache than you want. “What does it take to move to modern standards like OIDC, OAuth2, and PKCE?”

If you’re thinking about any of these scenarios, now might be a good time to upgrade. From our perspective, it’s an excellent time to choose Duende IdentityServer as your OAuth and OpenID Connect provider. You’ll future-proof your solutions for planned initiatives, make your development team happy with how much control they’ll have, and impress your CTO with how extensible Duende IdentityServer is to the changing needs of your business.

All We Want for You is the Best Security

Life is flux. Heraclitus. Smart guy. It was true 2500 years ago, and it’s true today—especially in the world of technology and security. Security is constantly evolving, and the paradox of modern software is the expectation that services will solve every pain point. The flux of maintaining the safety and integrity of an existing system while meeting evolving business needs will not go away. As software developers, it’s our charge to tackle dependency changes, operating system patches, vulnerability discoveries, and numerous other challenges.

At Duende, we ship our philosophies. We know it’s tough to keep up all the time. But we want you and your systems to have the best security at all times. With Duende IdentityServer, we continue to invest in maintaining high security standards and practices while surveying and mitigating potential risks in the SDK solution. Our team works closely with the Internet Engineering Task Force (IETF) not only to ensure that specifications meet security expectations, but also to help shape the future of security in the .NET space. Additionally, now is a great time to consider Duende IdentityServer v7.4, as it has passed the FAPI 2.0 compliance tests, enabling e-health and governmental organizations to strengthen their security posture.

The Balancing Act of Cost and Value

Balancing cost and value is a serious consideration for many teams, and we aim to demonstrate that Duende IdentityServer is a worthwhile investment. Over the last 20 years, software developers have been the most valuable members of organizations, transforming how businesses operate and people live their lives. We also want to acknowledge that technology team budgets are becoming increasingly tight. In a tough, competitive market, as software developers, we’re expected to do more with less. We also recognize that, as professionals, we are expected to deliver highly informed and reliable recommendations, while being fairly compensated for the valuable work we contribute to our organizations.

What’s the cost of an unsupported or custom identity and security solution?

A secure system built 9 years ago is likely to have vulnerabilities. For example, in IdentityServer4, a known Open Redirect vulnerability (CVE-2024-39694) still exists in the codebase. Additionally, IdentityServer4 was designed to target .NET Core 3.1, which reached end of support in December 2022. We understand that a system built with IdentityServer4 may still functionally “work”, but it may not meet the security standards set by your organization or governing bodies when under a strict audit.

What’s the value of an SDK identity solution, though?

According to ZipRecruiter, the average annual salary of a C# developer in the United States is $121,000. An organization hiring a dedicated security developer to build a solution identical to Duende IdentityServer, participate in IETF meetings, implement and maintain it, document a public API, and scan for potential security vulnerabilities would quickly exceed the cost of a single Enterprise license. Luckily, we also offer starter and business licenses for budget-conscious teams. It’s also important to note that security is an ongoing maintenance expense; therefore, once you’ve invested in a security approach, it’s a long-term commitment.

With a purchase of a Duende IdentityServer license, you not only get access to an SDK to build your security solution, but, we like to think, you also supplement your existing development team with a stable of Duende security experts ready to answer any questions, attend IETF meetings advocating for your .NET security needs, write documentation and samples, and much more. Whether you have a large or small team of developers, you now have a few more to help, while your core development team focuses on the direct needs of your stakeholders. In our opinion, that’s a great value.

How Else Can We Make this Easy on You?

Smooth Migration Paths

We understand that upgrades can come with unexpected headaches. We’ve worked with customers who have already upgraded their IdentityServer4 instances to find the most stress-free upgrade paths. You can find these guides on our documentation site. For organizations with custom IdentityServer4 implementations, you can book a complimentary assessment with our customer success team to help estimate your upgrade effort. We’re here to help your organization properly allocate resources and pave the way for a successful migration.

Experience and Maturity

Duende IdentityServer has evolved alongside .NET and has been through every iteration of the .NET platform. This makes Duende’s security products some of the most mature and recognizable in the .NET ecosystem. We have over 2,500 customers worldwide and counting.

The benefit of choosing Duende IdentityServer is that you’ll find individuals who have experience with our products and understand how to build, manage, maintain, and customize them to meet your organizational needs. We also have a strong partner network that has helped implement Duende products for over a decade. By choosing Duende IdentityServer, you’re not only getting an SDK product, but you're also getting decades of security experience codified into a solution that helps your organization ship standards-compliant, secure solutions.

Growing and Vibrant Community

We have excellent documentation and samples to help your development team implement, maintain, and deploy Duende IdentityServer. That said, we also have a great and vibrant community of experts ready to help answer any questions your team may have, or you can temporarily supplement your team with recognized Duende Partners. The strength of Duende’s community can be the difference between slipping deadlines and delivering a security solution on time, on budget, and to happy stakeholders.

Conclusion

Security is foundational to every modern application built and maintained by software developers, just like you. The security of your organization is constantly evolving based on numerous factors beyond your control. But one thing you can control is your application’s dependencies and the security protocols used to protect sensitive organizational assets.

If you’ve been on the fence about upgrading your current security, whether that’s a now-discontinued version of IdentityServer4 or a custom security solution, we hope this post encourages you to do so. If you would like to discuss an upgrade from IdentityServer4, please contact us. Don’t wait. All we want is the best security for you. We would be happy to have a conversation to help you make the best decision for your team, business, and identity and security solutions.