Business Edition Licensing Details

[sarkalgud-b]

Which version of Duende IdentityServer are you using?
Version 7.x

Which version of .NET are you using?
.Net 8.0

Describe the bug
Details about the Licensing and allowed usage of the software

A clear and concise description of what the bug is.

1. Does every Client App in every environment take up one Client Id (Dev, QA and Prod)? Is there a way to exclude non-prod apps deployments.
2. Is there a place where I can see the number of client ID usage for my license?
3. Is the licensing Domain based.. ? If we have two products hosted under different domain names, can we share the same license as long as the client Ids are less than 15?

[RolandGuijt]

1. You don't require a license for Dev an QA. You can just omit the license in these environments. IdentityServer will enter trial mode with all Enterprise features enabled. You're also free to use your existing license in these environments and the client ids there won't count.
2. IdentityServer is simply counting the number of configured clients. (See note below)
3. No. Two instances will require 2 licenses.

Note:
The coming 7.1 release (coming very soon) will contain new license usage helpers that are able to report details around the usage of your license.

[simon-biber]

What if we choose a redistribution licence Business Edition at $15,000 USD/year for 5 client IDs? Does that mean, since it has unlimited redistributions, there are also unlimited instances, and each instance can have a separate 5 client IDs?

[AndersAbel]

@simon-biber Yes. A redistribution license allows unlimited instances both internally and on your customers' premises (or their clouds). Note that each instance of business only allows a single issuer while Enterprise allows a single hosted instance to respond to multiple host names and have multiple active issuers. If you use business redistribution you would have to create a separate hosted instance for each host.

Also note that a redistribution license is tied to a specific product/solution, which is not the case with the Enterprise license. If you have two different self-hosted solutions/products that both use IdentityServer they are covered by a single Enterprise license, but would require two redistribution licenses.

[RolandGuijt]

@simon-biber Can we help you with answering additional questions around licensing? If all is clear for you I'd like to close the issue.

[adamzest]

Hi. Slightly hijacking this, but we have just upgraded to 7.1 and are now, during our performance test runs, seeing the new 'warning' (which is actually logged as an error):

You are using IdentityServer in trial mode and have exceeded the trial threshold of 500 requests handled by IdentityServer. In a future version, you will need to restart the server or configure a license key to continue testing. For more information, please see https://docs.duendesoftware.com/trial-mode.

It seems the solution to this is:

You're also free to use your existing license in these environments and the client ids there won't count.

This doesn't seem like a great solution - sharing our production key all over our development environments. Is this really the right solution?

Thanks

[khalidabuhakmeh]

Hi @adamzest,

Thank you for sparking this conversation. We are still evaluating how to give folks flexibility in their development environments while abiding by the spirit of the purchased license.

Please help us better understand your perspective.

"This doesn't seem like a great solution - sharing our production key all over our development environments."

We view these as product keys. While they are issued to your organization and should be kept secret from third parties, we do not view the license key as critically sensitive information, such as your token signing keys.

If you feel this is still too sensitive to share in development environments, please let us know, and we can explore ways to provide more security around this information.

" during our performance test runs, seeing the new 'warning'"

What performance tests are you executing, and would a restart adversely affect your test suite?

We're also happy to hear about any proposed solutions that would work well for you and other IdentityServer customers.

[adamzest]

We treat the keys like 'secrets' and dont commit them to code and store them in a vault with, currently, zero exposure of those keys to anyone outside of the infrastructure team.

We view these as product keys. While they are issued to your organization and should be kept secret from third parties, we do not view the license key as critically sensitive information, such as your token signing keys.

its hard to simultaneously reconcile both 'should be kept secret from third parties' and whilst giving them to the wider audience. At the end of the day as long as we are not held liable if they keys leaked then we can live with sharing the keys more widely, it just seems like an anti pattern. Its good to at least understand that that is still acceptable within the scope of the upcoming licensing changes.

What performance tests are you executing, and would a restart adversely affect your test suite?

we are running Jmeter performance/stress tests on hundreds of users logging in over a short period of time - its not viable to restart the IDP during the test.

[khalidabuhakmeh]

Thanks for the clarifications; we appreciate them. You mentioned storing your license keys in a vault (assuming Azure KeyVault). That's perfect! You can load the license key at start-up and set it at run time. This assumes you're running similar security practices in your development, staging, and production environments and that your key vault is accessible by only the most trusted team members and administrators.

var keyVaultUrl = new Uri("https://<YourKeyVaultName>.vault.azure.net/"); 

var secretClient = new Azure.Security.KeyVault.Secrets.SecretClient(
    keyVaultUrl, 
    new Azure.Identity.DefaultAzureCredential()
);

KeyVaultSecret licenseKeySecret = secretClient.GetSecret("<YourSecretName>");
var licenseKey = licenseKeySecret.Value;

// Inject the secret (license key) into the IdentityServer configuration
services.AddIdentityServer(options =>
{
    options.LicenseKey = licenseKey;
})
.AddClientStore<ClientStore>()
.AddInMemoryIdentityResources(IdentityResources)
.AddInMemoryApiScopes(ApiScopes);

Regarding load testing, it is a scenario that we are aware of and will talk about more. We are evaluating a few options, but we haven't settled on a final approach yet. Before enabling rate-limiting features, we will inform and discuss with customers to find the solution that works best.

[maartenba]

(note: we're moving this issue to our new community discussions)

[RolandGuijt]

@adamzest Please let us know if your questions are answered. If so I'd like to close this.

[adamzest]

Well, yeah, as I said above, we already read our settings from the vault, so we're already doing that.

It doesn't change the fact I'm still going to have to give access to our production license key to people who didn't previously need it (by putting it in non production vaults to enable performance testing).

I can live with it it just seems a backwards step although I can understand your desire to ensure only licensed users are able to use Identity Server at volume.

[AndersAbel]

Thank you for sharing how this affects you. We are (as @khalidabuhakmeh mentioned above) evaluating how to best introduce the rate-limiting features and trying to understand how this will affect legitimate use cases for our customers. For now, there is only a log message written, which you can safely ignore if you run without a license key.

[stefanlyfegen]

Hello I do not know if this is correct thread but I need and answer. We have paid license but from the documents I can not understand how you see difference between test(dev) environments and production one (since we need to use license in lower environments). I do not want to waste license on dev environment if I use it there and later to need to buy new one.

[maartenba]

@stefanlyfegen License is only needed for production environments. You are free to use your production license in dev/test/qa environments if you'd like to get rid of the trial mode log entries in those.