Showdown: Azure Active Directory B2C vs Duende IdentityServer
Authentication is both ubiquitous and hard. Thankfully there are several free and commercial solutions available to help implement authentication for various applications. In this post I will compare two of those solutions: Azure Active Directory B2C and Duende IdentityServer.
Let's start with a quick overview:
The Contestants
Azure Active Directory B2C
Azure Active Directory B2C (AD B2C) is a SaaS identity solution. Microsoft controls 100% of the source code and allows you to customize it using a specific set of configuration options. The result is that it only takes a few minutes to get running with a full suite of enterprise-grade security features maintained by Microsoft. However, it may take significant effort to customize it if what you need is not provided out-of-the-box.
Microsoft describes their product as, "a customer identity access management (CIAM) solution that enables you to sign up and sign in your customers into your apps and APIs."
In order to use Azure Active Directory B2C you must have an Azure account, click a few buttons, and enter a few short details (name, the geographic region you want it located in, etc...). All of the initial set up is accomplished via a user interface, although most of the advanced customization is handled by editing XML "policy" files.
Duende IdentityServer
Duende IdentityServer is in essence a code library that developers can implement to quickly build their own custom authorization solution. Since the developer has full control over the application code they can customize it however they like. However, they also have full responsibility for the infrastructure, performance, and security of the application.
Duende IdentityServer advertises itself as, "The most flexible and standards-compliant OpenID Connect and OAuth 2.0 framework for ASP.NET Core."
In order to use Duende IdentityServer, you must build your own application and include the Duende libraries inside it. They have a number of quick-start templates and good documentation to help you get your solution running smoothly in a surprisingly short amount of time.
Comparison Criteria
Before comparing these two solutions, we must first determine how they will be compared. I have broken this showdown into the following categories:
- Implementation Time
- Development Workflow
- Documentation and Technical Expertise
- Cost
- Security
- Multi-Factor Authentication
- Performance
- Data Access
- Customization
- End-User Experience
- Integrations
- Administrator Experience
The Categories
Implementation Time
AD B2C: AD B2C has an incredible time to first value. You can get a fully-functional authorization solution running in about 5 minutes. However, while AD B2C has a great time-to-first-value, it is difficult to customize, with poor documentation on how to accomplish advanced tasks. The result is that you can get an authentication solution running quickly but it will take a lot of development time to reach the final configuration of your authentication solution.
Duende IdentityServer: Duende IdentityServer also has some quick-start solutions available which only take a few minutes to set up and run locally once you know how to do it. When deploying to the cloud, however, there are a number of other infrastructure components that you will have to configure before you are able to gain value from the Duende solution - which increases the time-to-first-value to around 30 minutes or longer (which is still impressive all things considered). However, once you have your initial setup completed you have 100% control over the solution - allowing you to reach your "final configuration" much quicker.
Winner: For simple setup and standard configuration for a new product AD B2C is the clear winner. For custom requirements, a complex setup, or migration to/from a different solution Duende will allow you to complete your customizations quicker.
Development Workflow
AD B2C: According to their published best-practices, you should have a separate AD B2C Tenant for each environment (e.g. development, staging, testing, production, ...). Of particular interest is your development environment, where you will need to authenticate against a service hosted in Azure - which completely negates the ability to test your solution offline. Furthermore, according to their documentation, it may take up to 2 hours for updates to a tenant to take effect. For some companies 2 hours of downtime may be acceptable but I'm guessing that most people, like me, find the possibility of a 2-hour downtime to be unacceptable.
Duende IdentityServer: Because you are writing your own application, you can use your normal development workflow for authentication - including running your authentication server locally on your computer during development.
Winner: Duende IdentityServer's development workflow is the hands-down winner here.
Documentation and Technical Expertise
AD B2C: For AD B2C you do not have to understand OAuth or OpenID Connect very well, but you will need to dedicate a fair amount of time to understanding how to utilize and customize the software. Unfortunately the Microsoft documentation on this topic appears to be hard to come by. For the majority of advanced customization operations their recommendation appears to be to download one of their XML "policies" and modify it to suit your needs, which is easy enough for certain workflows but good luck trying to implement anything truly custom.
Duende IdentityServer: To implement Duende IdentityServer, you first need a sufficient working knowledge of .NET Core. Since you are working directly with the authentication code it also helps to be sufficiently knowledgeable about how OAuth and OpenID Connect work. However, once you understand those concepts the Duende functionality and documentation are reasonably helpful and you already have all of the tools you need to customize to your heart's content.
Winner: As a developer, I would much rather take time becoming familiar with code and industry-standard specifications instead of software-specific XML schemas. Also the Duende documentation is more accessible. So for me the clear winner here is Duende IdentityServer.
Cost
AD B2C: I'm still trying to figure out the AD B2C pricing model. According to the documentation it is essentially free to use for up to 50,000 monthly active users (MAU) with the exception that you will pay $0.03 per "SMS/Phone-based multi-factor authentication attempt" (successful or unsuccessful). After 50k users the price goes up to $0.00325/MAU, which I believe excludes the first 50k users. However I have also seen conflicting documentation indicating that it may cost as much as $6/user.
Duende IdentityServer: In addition to the infrastructure cost (networking, web application, database, etc...) you have to pay for a license to use the Duende IdentityServer libraries. Their "Standard License Pricing" starts at $1500/year with certain limitations (5 client applications and a single deployment), although they are free for development, testing, and personal projects, and they offer a free community edition license for small businesses that qualify. Additionally, if you want to implement multi-factor authentication you will need to integrate with one or more additional providers which are likely to come with their own (hopefully low) fees.
Winner: AD B2C is likely to be cheaper overall for small businesses, even if you qualify for Duende's free community edition license. However, if you end up sending a lot of text messages and/or have a large number of users (well over 50k anyway) then you will need to do the math for yourself.
Security
AD B2C: This is where AD B2C really shines. It is built for scalable enterprise-grade security and is able to draw on telemetry from the entire Microsoft ecosystem for advanced threat protection that you can only get from a big provider like Microsoft. This includes protection against DDoS attacks, compromised credentials, suspected malicious actors, dictionary attacks, password spray attacks, malformed requests, token duplication, and more.
Duende IdentityServer: Duende IdentityServer implements the OAuth 2.0 and OpenID Connect 1.0 specs, including their security recommendations. It also uses high-quality industry libraries and industry best practices where possible. However, the resources they are able to provide are limited to what your own application can handle on its own, and even then the implementation details are largely up to you as a software developer. Out of the box the security should be sufficient for many small businesses, but you will have to work very hard to even come close to the protection offered by AD B2C.
Winner: AD B2C is the hands-down winner for their enterprise-level security features.
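Because the implementation details are up to you with Duende, the client registration is where most of the spec's security recommendations are switched on. The following is an added example, not code from the original post or from Duende's own documentation: an in-memory client registration for a Duende IdentityServer host that enables authorization code flow with mandatory PKCE, exact-match redirect URIs, short-lived access tokens and one-time-use refresh tokens. The client id, secret, scope name and URLs are placeholders.

```csharp
// Added example: a hardened in-memory client registration for Duende IdentityServer.
// All ids, secrets and URLs are placeholders for illustration.
using System.Collections.Generic;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

public static class Clients
{
    public static IEnumerable<Client> Get() => new[]
    {
        new Client
        {
            ClientId = "web-portal",                       // placeholder client id
            ClientName = "Customer web portal",

            // Authorization code flow only: implicit and resource-owner-password
            // grants are never enabled for this client.
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,                            // PKCE even for confidential clients
            RequireClientSecret = true,
            ClientSecrets = { new Secret("replace-with-a-real-secret".Sha256()) },

            // Redirect URIs are matched exactly; no wildcards, no http.
            RedirectUris = { "https://portal.example.com/signin-oidc" },
            PostLogoutRedirectUris = { "https://portal.example.com/signout-callback-oidc" },

            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "portal-api"                               // placeholder API scope
            },

            // Short-lived access tokens; refresh tokens rotate on every use and
            // expire after 14 days of inactivity.
            AccessTokenLifetime = 300,                     // seconds
            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
            RefreshTokenExpiration = TokenExpiration.Sliding,
            SlidingRefreshTokenLifetime = 60 * 60 * 24 * 14,
            UpdateAccessTokenClaimsOnRefresh = true,
        }
    };
}

// Wire it into the host with:
//   builder.Services.AddIdentityServer().AddInMemoryClients(Clients.Get());
```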
Multi-Factor Authentication (MFA)
AD B2C: AD B2C has both email verification and MFA directly built-in. You will not have to write a single line of code to implement these features and you will also not have to integrate with any other third-party providers. The simplicity of this arrangement is attractive but the downside is that you cannot take advantage of existing or novel solutions for MFA (e.g. if you already utilize a third-party provider for sending text messages and emails).
Duende IdentityServer: Because you have complete control over your application code, you can implement any MFA solutions you want. The obvious downside is that if you want MFA then you will HAVE to implement it yourself. This means that you will have to provide your own email, SMS, and other related solutions.
Winner: Although the flexibility of Duende IdentityServer is attractive, the simplicity of the AD B2C MFA solution makes it the winner in this category for me.
Performance
AD B2C: AD B2C is built with enterprise-grade performance in mind. They manage their own global network, distributed databases, load balanced servers, messaging services, and everything in-between. With the possible exception of rate-limiting, authentication using AD B2C should never be a bottleneck for your application.
Duende IdentityServer: You are responsible for your own architecture, which means that you can allocate as many or as few resources to it as you want. This may occasionally work in your favor but is more likely to go unnoticed until it becomes an issue.
Winner: Again, the simplicity and reliability of the AD B2C solution make it the winner in this category.
Data Access
AD B2C: You do not have access to the database, or even visibility into how the database is structured (although you could probably guess). The only ways available for you to access your own data will be through the Azure portal or the Microsoft Graph API. This also means that migrating your users to or from AD B2C is a challenging task. On the positive side, you are not responsible for the security of your database - which is nice when it comes to storing and retrieving sensitive information like passwords.
Duende IdentityServer: Your users are stored in your own database. Duende IdentityServer does not really care what kind of database, what other data is stored there, or who has access to it. This is both a benefit and a risk which you will have to balance against your own requirements and priorities. One of the benefits is that it makes it significantly easier to migrate your users to or from Duende IdentityServer.
Winner: For me, having direct access to the database as well as the ability to structure the data however I want make Duende IdentityServer the preferable solution as long as I am confident in the security precautions implemented in both the database and in the authorization application. For you the equation could be reversed entirely - you will have to weigh the pros and cons of maintaining your own user database for yourself.
Customization
AD B2C: You have about five customization options to choose from before it gets really difficult. The documentation is virtually non-existent and even then it only enables features that the Microsoft team explicitly supports.
Duende IdentityServer: You have full control over your authentication application, so you can customize it however you'd like.
Winner: Duende IdentityServer is the clear winner when it comes to customization.
End-User Experience
AD B2C: Microsoft has built several clean and clear templates for the flows that they support. When a user signs in using AD B2C they will be presented with a trustworthy interface that just works. I do not know how difficult or easy it is for users to view and/or revoke access to third-party clients from the AD B2C interfaces.
Duende IdentityServer: The quick-start code that Duende provides is fairly standard and clean. As you customize it, however, you may have to put more effort into organizing and styling it in order to keep it simple and effective. I do not know how difficult or easy it is for users to view and/or revoke access to third-party clients from the default Duende IdentityServer interfaces.
Winner: When using the default configuration, I would give the slight edge here to AD B2C. However, due to the ability to support more advanced workflows and customize the interfaces I would say that Duende IdentityServer is the winner when using a more complicated configuration.
Integrations
AD B2C: AD B2C provides pre-built integrations with a good number of third-party identity providers, as well as the ability to integrate with any other OpenID provider using a custom configuration. In order to integrate with a third-party identity provider you have to include some inflexible details about your application (endpoints etc...) which you may or may not know at the time. AD B2C can also be federated as an identity provider for other applications, although this may take some extra setup to accomplish.
Duende IdentityServer: Duende provides excellent documentation on how to integrate with any other OpenID Connect provider, which is actually easier to accomplish than AD B2C's solution! It can also be easily federated out-of-the-box for consumption by other third-party applications. Furthermore, you have complete visibility into how the integrations are accomplished and can place whatever additional configuration, restrictions, or capabilities that you want into those integrations.
Winner: Both solutions make it easy to integrate with third-party identity providers and clients, but the flexibility, control, built-in functions, and documentation provided by Duende IdentityServer make it the winner in my eyes.
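To show what the "complete visibility into how the integrations are accomplished" looks like in practice, here is an added example (not code from the original post or from Duende's documentation) of registering an upstream OpenID Connect provider as an external login in a Duende IdentityServer host. The upstream authority, client id, secret configuration key and callback paths are placeholders; client and resource registration for the host itself is omitted.

```csharp
// Added example: federating a Duende IdentityServer host with an upstream
// OpenID Connect provider. Authority, client id and paths are placeholders.
using Duende.IdentityServer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Client, identity resource and API scope registration omitted for brevity.
builder.Services.AddIdentityServer();

builder.Services.AddAuthentication()
    .AddOpenIdConnect("upstream", "Upstream provider", options =>
    {
        // The external identity lands in IdentityServer's temporary external
        // cookie, not the main session; the external-callback page then maps
        // the upstream subject to a local user before any local token is issued.
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;

        options.Authority = "https://idp.example.com";      // placeholder upstream issuer
        options.ClientId = "placeholder-client-id";
        options.ClientSecret = builder.Configuration["Upstream:ClientSecret"]; // never in source
        options.ResponseType = "code";                       // authorization code flow
        options.UsePkce = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.SaveTokens = false;                          // don't keep upstream tokens around

        // Provider-specific callback paths so several providers can coexist.
        options.CallbackPath = "/signin-upstream";
        options.SignedOutCallbackPath = "/signout-callback-upstream";

        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");

        // Pin the expected issuer; discovery still supplies keys and endpoints.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = "https://idp.example.com",
            NameClaimType = "name",
            RoleClaimType = "role"
        };
    });

var app = builder.Build();
app.UseIdentityServer();
app.Run();
```

The restriction the post mentions placing on an integration (for example allowing only certain upstream tenants or claims) would go in the external-callback handling that consumes the external cookie, which is your own code in a Duende host.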
Administrator Experience
AD B2C: You are stuck with the administrator interfaces built into the Azure portal. You can accomplish a lot through these interfaces but you may not find them the most appealing or effective for your use-cases. The good news is that you don't have to put any effort at all into them - they are just there.
Duende IdentityServer: Again, you are in complete control here. You can build whatever administrator interfaces you would like, although I would recommend starting with their pre-built interfaces and customizing them from there. This may take more effort, though, and you will have to decide if you want to prioritize development on an administrator interface or building the client that your authentication application is supposed to serve.
Winner: This is a toss-up and I could honestly go either way. If I have the time to customize the administrator experience I would prefer Duende IdentityServer but if I am just interested in getting something running quickly I would prefer AD B2C.
The Conclusion
If you need to get a simple, reliable, and secure solution up and running quickly then you should definitely go with AD B2C. The cost, security, performance, built-in features, and implementation time for a simple setup are all impressive.
If you need a custom solution or want control of your code or your database then you should go with Duende IdentityServer. These are features that AD B2C simply cannot offer.
For everyone else, you will need to weigh the pros and cons of both solutions. To review, these are:
- Implementation Time: AD B2C for a simple setup, Duende IdentityServer for a custom setup
- Development Workflow: Duende IdentityServer
- Documentation and Technical Expertise: Duende IdentityServer
- Cost: AD B2C (most of the time)
- Security: AD B2C
- Multi-Factor Authentication: AD B2C
- Performance: AD B2C
- Data Access: Duende IdentityServer
- Customization: Duende IdentityServer
- End-User Experience: AD B2C for the default configuration, Duende IdentityServer for customization
- Integrations: Duende IdentityServer
- Administrator Experience: Tie (for me)