MySqlConnector VS IdentityServer

MySqlConnector (the most popular .NET library for MySQL, and the one that I authored) has supported protocol compression for many years: https://github.com/mysql-net/MySqlConnector/issues/31.

> I kept technical notes about the protocol, to serve as a future reference for myself and for other developers.

As someone who's written a MySQL client (in C#: https://github.com/mysql-net/MySqlConnector), I'd be very interested to see your notes. Are they available anywhere, or were they the confidential IP of your client?

> Unsurprisingly, bugs were uncovered every time a new client was added.

I've faced the same thing, from a client perspective. Every time a new server is tested (MySQL, MariaDB, Amazon Aurora, Azure Database for MySQL, etc.), I find slightly different interpretations of the protocol and have to accommodate them.

I have had the pleasure of contributing to a couple different networked drivers with very talented maintainers that I like to use as references.

One supports a wide array of Framework versions and has both Sync and Async I/O, as it must to implement the ADO.NET database driver interfaces. Reading the internals really highlight the way that .NET has evolved over the years and what must be done in each target version to maximize performance:

https://github.com/mysql-net/MySqlConnector

The other supports .NET 6 only with Async I/O only. This support policy seems to be the way that "modern" .NET development is headed, as .NET 6 will be the floor for LTS .NET (formerly .NET Core) releases in a few months. Async APIs only greatly simplify development, and make it simpler to remain performant when targeting WASM.

https://github.com/Cysharp/AlterNats

As a library maintainer, one thing I often wonder about is how to indicate .NET version support. One option would be for the major version of the library to track the major version of .NET, so if I were to publish a new library today then start with .NET 6 support and start with version number 6.0.0 instead of 1.0.0. This would limit the library to only making breaking changes when the .NET version changes though.

Use the MySqlConnector to load the data into a temp table using the bulk copy API. Both of my libraries implement the IDataReader (DbDataReader) interface, so they can be directly used with the bulk copy APIs. Then insert into the final table from the temp table filtering out rows that are already in the final table.

I'm the author of what you might call the "new" MySQL ADO.NET library: https://github.com/mysql-net/MySqlConnector

I agree with your impression that developers of the other library don't seem to be "plugged in to" the .NET ecosystem. As an independent developer (not affiliated with Oracle or Microsoft), I've been able to influence GitHub PRs that shape the ADO.NET API for .NET 6.0, just by showing up and contributing; I haven't seen anyone from the Oracle MySQL team participating. Meanwhile, they violate basic principles of the .NET Framework Design Guidelines that have been around for over a decade (https://docs.microsoft.com/en-us/dotnet/standard/design-guid...), which makes their library feel alien to a .NET programmer (regardless of the quality issues it might have).

e.g. this community effort of a MySQL ADO.NET provider is miles ahead of Oracle's driver.

Its deprecated in favor of Duende Identityserver which introduced a license model.

Tokens usually have a lifetime and they are separate from the user's authentication principals like username and password. Unless you are rolling your own form of token provider (not something that would be recommended) the token creation is handled for you. Take a look at https://identityserver4.readthedocs.io/en/latest/ or if your organization makes under 1M in income a year the free version of what Identity Server progressed into https://duendesoftware.com/products/identityserver

I think Duende (Identity Server) handled the situation pretty well.

https://duendesoftware.com/products/identityserver

> Standard License Pricing

Thanks for your message. No, the idea was not to re-implement OAuth nor OpenID stuff. What I had in mind for the authentication thingy was something like this: https://laravel.com/docs/9.x/sanctum. If we want to go the OAuth/OpenID way, in .NET we have this one: https://github.com/DuendeSoftware/IdentityServer.

> As you said, there are plenty of local options that you only need to run.

I think managed databases are a good analogy here. While I might run my own PostgreSQL/MariaDB instance, many out there won't be overjoyed at the idea of actually needing to run and manage the damned thing, as well as set up some kind of alerting and handling the need to eventually scale it up.

> It also has the largest risk of compromise and data leaking from any service you may use...

PII is definitely a big concern, even if something like password hashes aren't too useful on their own (provided that they're salted), though in cases like that it might actually make a lot of sense to utilize a widely used and tested solution that's specialized for this particular use case.

In many cases, thousands of people across the globe will be able to develop something and squash any bugs in it better than you might be able to do individually or with your own team, though there might be a few exceptions out there. Auth is probably not one of the cases where you want to write code without a lot of eyes on it.

> ...the largest amount of potential lock-in...

This is debatable: standards like OAuth2 and OIDC technically make many of the solutions and libraries way more pluggable and make it easier to choose between various implementations, depending on your needs.

Of course, something like Keycloak also has its own API (as do many of the cloud offerings) so if you build too much automation around a particular implementation, then that advantage partially goes out the window.

> ...and the least need for integration.

I'm not sure about this, it probably depends on your architecture. If you have a monolithic web app, then you probably don't need a separate turnkey/SaaS solution, whereas if you have an ever growing number of services, whilst you want to manage authentication and accounts against all of them centrally, then something like Keycloak (or one of the cloud alternatives) become way more lucrative.

That said, I'd still opt for self-hostable options whenever possible, albeit I also don't trust cloud based password managers and such, preferring something like KeePass instead. I've probably just come to a different conclusion in regards to usability/responsibility/features/security than some other people.

Sadly, there aren't that many good options out there at the moment, apart from Keycloak. For example, IdentityServer is promising, but went in a commercial direction: https://duendesoftware.com/products/identityserver#pricing

He's referring to IdentityServer 3/4, which was open sourced, and was not owned by Microsoft. That 3rd party is commercializing their work (and to be fair, it's a lot of work) as https://duendesoftware.com/products/identityserver , and has a different commercial licensing model.

https://github.com/DuendeSoftware/IdentityServer/blob/main/L... does not seem to square with any definition of "open source" I'm familiar with, and that goes double for having an in-repo file that just says "read this unversioned pdf on some other site"

I would not recommend it. There is a server named Duende identity server which you can host locally.