IdentityServer
Open.IdentityServer and Duende IdentityServer comparison as of 1st June 2026.
We have spent the time to create a fair comparison. Duende's features are restricted by tier. Whereas Open.IdentityServer focuses on keeping the core platform open and free. We will still continue to offer paid components and priority support when you need it.
Product Comparison
| Feature | Open.IdentityServer | Duende Starter | Duende Business | Duende Enterprise | Duende Enterprise+ |
|---|---|---|---|---|---|
|
Cost per year
|
FREE | 1500 USD | 9000 USD | 20,000 USD | On Request |
|
Full featured OAuth 2 and certified OpenID Connect server implementation for ASP.NET Core
|
built on a fork of IdentityServer4, a certified OpenID Connect provider. Independent certification for this distribution is planned | Checked | Checked | Checked | Checked |
|
Implementation of most OAuth and OpenID Connect specifications and standards
|
Checked | Checked | Checked | Checked | Checked |
|
Number of supported external authentication providers
|
Unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
|
Self-hosting: included unique token requestors (OAuth client IDs)
|
Unlimited | 2 | 10 | 30 | Contact Duende |
|
Redistribution: included unique token requestors
|
Unlimited | Contact Duende | Contact Duende | Contact Duende | Contact Duende |
|
Self-hosting: number of logical deployments
|
Unlimited | 1 | 1 | 2 | Contact Duende |
|
Redistribution: number of redistributions
|
Unlimited | Contact Duende | Contact Duende | Contact Duende | Contact Duende |
|
Support for unlimited token consumers (OAuth scopes)
|
Unlimited | 1 | 1 | 2 | Contact Duende |
|
Developer Support
|
Free and Paid Priority | Standard | Standard | Priority | Premium |
|
Architecture and Code Validation
|
Crossed | Crossed | Checked | Checked | Paid |
|
Dedicated Technical Account Manager
|
Crossed | Crossed | Crossed | Crossed | Checked |
|
Security notification service
|
Checked | Crossed | Crossed | Checked | Checked |
|
Built-in support for In-Memory, JSON file and EntityFramework-based configuration stores
|
Checked | Checked | Checked | Checked | Checked |
|
Built-in support for In-Memory and EntityFramework-based operational stores
|
Checked | Checked | Checked | Checked | Checked |
|
Support for RSA, RSA-PSS, EC, and X.509 signing keys
|
Checked | Checked | Checked | Checked | Checked |
|
Rich extensibility model
|
Checked | Checked | Checked | Checked | Checked |
|
Extensive auditing and logging capabilities, including OpenTelemetry support
|
Observability via IdentityServer4 events, OpenTelemetry support is planned | Checked | Checked | Checked | Checked |
|
Supports arbitrary user login workflows and authentication methods
|
Checked | Checked | Checked | Checked | Checked |
|
Supports same deployment environments as any ASP.NET Core application
|
Checked | Checked | Checked | Checked | Checked |
|
Automatic signing key management (rotation, secure storage, retirement)
|
Planned. Compatible with Duende key storage schema | Crossed | Checked | Checked | Checked |
|
Server-side sessions and distributed session coordination
|
Planned as a Core feature | Crossed | Checked | Checked | Checked |
|
Pushed Authorization Requests (PAR)
|
Planned as a Core feature | Crossed | Checked | Checked | Checked |
|
Dynamic Client Registration (DCR)
|
Planned as a Core feature | Crossed | Checked | Checked | Checked |
|
Multiple authorities
|
Checked | Crossed | Crossed | Checked | Checked |
|
Resource isolation (RFC 8707 Resource Indicators)
|
Checked | Crossed | Crossed | Checked | Checked |
|
Client-Initiated Backchannel Authentication (CIBA)
|
Crossed | Crossed | Crossed | Checked | Checked |
|
Dynamic loading/updating of external auth provider configuration
|
Yes, but with our Dynamic Authentions Component | Crossed | Crossed | Checked | Checked |
|
DPoP support
|
Crossed | Crossed | Crossed | Checked | Checked |
No infrastructure changes
Follow our guide to migrate from Duende using your existing configuration and operational stores