Replacing Duende IdentityServer with Microsoft Identity: A Cost-Effective Solution with Custom OpenID Connect Implementation
Author
Alex Hovy
Date Published

Our project faced a significant challenge: the rising costs of maintaining our identity server. We were using IdentityServer4, but after Duende acquired and rebranded it as Duende IdentityServer and turned it into a commercial, source‑available platform, requiring paid licensing for production use, the costs became unsustainable. We needed a more cost-effective solution without compromising security or user experience. That's when we decided to migrate to Microsoft Identity.
The transition to Microsoft Identity was surprisingly smooth. We were able to migrate our users' credentials and roles without any major issues. Users could still log in with their existing passwords, and their roles remained intact. This seamless migration minimized disruption and allowed us to focus on other aspects of the project.
Implementing custom OpenID Connect was a more complex endeavor. Duende IdentityServer came with its own OpenID middleware, but Microsoft Identity required us to implement it ourselves. This involved navigating the intricacies of PKCE validation and aligning data protection keys.
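To make the PKCE validation step concrete, here is an added example (not code from the original post or from the project it describes) showing what the authorization server has to check: it stores the client's `code_challenge` and `code_challenge_method` at the authorization request, then recomputes the challenge from the `code_verifier` presented at the token request and compares the two. It is written in Python rather than the project's C# because the check is protocol-level (RFC 7636) and language-independent; the function and variable names are this example's own, and the in-memory `pending` dictionary stands in for whatever store the real server uses for authorization codes.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_verifier() -> str:
    """Client side: 32 random bytes -> 43-character verifier."""
    return b64url_nopad(secrets.token_bytes(32))


def compute_challenge(verifier: str, method: str = "S256") -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for S256."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")


def verify_pkce(stored_challenge: str, stored_method: str,
                presented_verifier: str, allow_plain: bool = False) -> bool:
    """Server side, at the token endpoint. Returns True only if the
    verifier reproduces the challenge bound to the authorization code."""
    if stored_method == "plain" and not allow_plain:
        # 'plain' offers no protection against an intercepted code; reject by default.
        return False
    if not _VERIFIER_RE.fullmatch(presented_verifier):
        return False
    try:
        expected = compute_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    # Constant-time comparison so timing does not leak partial matches.
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("ascii"))


# Constructed stand-in for the server's authorization-code store.
pending: dict[str, tuple[str, str]] = {}


def authorize(code_challenge: str, method: str) -> str:
    """Authorization endpoint: bind the challenge to a freshly issued code."""
    code = secrets.token_urlsafe(24)
    pending[code] = (code_challenge, method)
    return code


def exchange(code: str, code_verifier: str) -> bool:
    """Token endpoint: single-use code, then PKCE check."""
    entry = pending.pop(code, None)
    if entry is None:
        return False
    challenge, method = entry
    return verify_pkce(challenge, method, code_verifier)


if __name__ == "__main__":
    # Simulated flow: client derives challenge, server checks verifier later.
    v = generate_verifier()
    c = authorize(compute_challenge(v), "S256")
    print("exchange with correct verifier:", exchange(c, v))
    c2 = authorize(compute_challenge(v), "S256")
    print("exchange with wrong verifier:", exchange(c2, generate_verifier()))
```

The two rejections worth noting are the default refusal of `plain` and the single-use `pop` of the code: a verifier that fails is not retried against the same code.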
One of the biggest hurdles was aligning the data protection keys. Duende IdentityServer had let us supply our own signing and encryption certificates, and it wasn't immediately obvious how to do the equivalent here. We discovered that using the machine's default data protection keys for OpenID Connect's certificates resolved the issue. This was hard to debug because the failure surfaced inside the OpenIddict library's middleware. After two days of intense effort, we achieved successful token generation.
The migration to Microsoft Identity yielded significant benefits. First and foremost, we achieved substantial cost savings by eliminating the need for a third-party identity provider. We also gained greater control over our user data, as it now resided within our own systems. Additionally, Microsoft Identity offered enhanced customizability, allowing us to tailor the authentication process to our specific requirements.
Replacing Duende IdentityServer with Microsoft Identity was a challenging but ultimately rewarding experience. We successfully migrated our users, implemented custom OpenID Connect, and achieved significant cost savings. This migration not only improved our project's efficiency but also enhanced its security and scalability. We encourage other developers facing similar challenges to consider Microsoft Identity as a viable and cost-effective solution.