Tags: c#, licensing, add-in

Authenticating & Licensing my Add-in program


I have created an Addin for a business program that I want to sell to customers based on a per year subscription. I have been thinking hard, to no avail, on what is the best way to authenticate my addin in a safe & convenient way.

Requirements

  • Easy to set a new license for a client, no code changing
  • Remote updating of the license
  • Customers are not hackers, but it should not be easy to crack

Environment

  • The Business Program runs on a server; all users have a ClickOnce C# client. The addin sits in the client.
  • I can read global variables from the client like site name, which is unique for each instance and not editable by customers and also the date (so no worrying customers will change their date settings)
  • I can communicate with my own server, where I could store License end dates

Concerns

  • If I use my server to daily authenticate and it is not reachable, or they block the IP...
  • When I do a request from the client to my server for the end date, this could be tampered with, but how do I encrypt it effectively between the two systems, without a whole private/public key setup?

I know this is a broad question, but I also need broad answers on the different aspects involved in this. Can someone please guide me on what would be a good setup, or direct me to a site describing this? One would expect this to be quite typical... I cannot find anything.


Solution

  • The problem with multiple attempts/offline work can be solved, for example, by issuing a token ("temporary" key) for the addin's request which is valid for a limited time (say, 1 week). So the user gets a "grace period" of 1 week, when he can work "offline". If within this period the addin is not able to connect to the internet to get a renewed token, then it blocks itself until it gets a new token. Example: Office 365 with a "grace period" of 1 month.

    I.e. when possible, the addin sends to the license server a request containing some unique user id (like the application url you mentioned, or whatever uniquely identifies your client); the server searches your license database and sends back an (encrypted) token containing the license end date and the required token refresh date (current server date + 1 week).

    To encrypt, I think you should go for the "private/public key setup". Why do you want to avoid this? It seems to make perfect sense, and is not that hard to implement in .NET for example. I.e. with private/public keys you can at least ensure nobody will be able to "emulate" your server, as long as you keep your private key secret on your license server.

    Also, please note that probably nobody is going to crack encrypted communication, when it is much easier to crack the addin itself (it's .NET code, correct?). I think this concern may not be addressed, and it might be the biggest one. I.e. the malicious user can just remove the license check in your addin's code, and that's it. But anyway, this assumes the user has at least some experience in cracking program code.

    One more consideration: if you don't plan to sell the addin yourself (like, process customer orders, credit cards, do fraud checks, etc.), you may be better off choosing some "eCommerce" partner company which specializes in selling software online, like paypro, avangate, bluesnap, 2checkout, etc. It may already have a number of pre-defined (fixed) licensing mechanisms/options you can choose from.
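The signed-token scheme the answer describes (server holds the private key, add-in holds only the public key, token carries the license end date plus a refresh-by date one week out), as an added example in .NET; it is not code from the question or the answer. The site name "acme-site", the dates and the `LicenseTokens` class are constructed for the demo; it uses only `System.Security.Cryptography` and `System.Text.Json` from the .NET base class library.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.Json;

// Payload the license server returns to the add-in (constructed shape for this example).
public record LicenseToken(string SiteName, DateTime LicenseEnd, DateTime RefreshBy);

public static class LicenseTokens
{
    // Server side: only the license server holds the private key.
    // Returns the JSON payload and its RSA signature, base64-encoded for transport.
    public static (string Payload, string Signature) Issue(RSA serverPrivateKey, string siteName, DateTime licenseEnd, DateTime now)
    {
        var token = new LicenseToken(siteName, licenseEnd, now.AddDays(7)); // one-week grace period
        byte[] payload = JsonSerializer.SerializeToUtf8Bytes(token);
        byte[] sig = serverPrivateKey.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return (Convert.ToBase64String(payload), Convert.ToBase64String(sig));
    }

    // Client side: the add-in embeds only the public key, so an edited end date
    // or a token from a fake server fails signature verification.
    public static bool IsValid(RSA serverPublicKey, string payloadB64, string signatureB64, string expectedSite, DateTime now)
    {
        byte[] payload = Convert.FromBase64String(payloadB64);
        byte[] sig = Convert.FromBase64String(signatureB64);
        if (!serverPublicKey.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            return false;                                   // not signed by our server
        var token = JsonSerializer.Deserialize<LicenseToken>(payload);
        if (token is null || token.SiteName != expectedSite) return false; // issued for another site
        if (now > token.RefreshBy) return false;            // grace period over: must renew online
        return now <= token.LicenseEnd;                     // subscription itself still running
    }
}

public static class Demo
{
    public static void Main()
    {
        using RSA server = RSA.Create(2048);                 // license server key pair
        using RSA addin = RSA.Create();                      // add-in gets only the public half
        addin.ImportRSAPublicKey(server.ExportRSAPublicKey(), out _);
        var now = new DateTime(2024, 1, 15);                 // constructed "today"
        var (p, s) = LicenseTokens.Issue(server, "acme-site", new DateTime(2024, 12, 31), now);
        Console.WriteLine("fresh token:        " + LicenseTokens.IsValid(addin, p, s, "acme-site", now));
        Console.WriteLine("after grace period: " + LicenseTokens.IsValid(addin, p, s, "acme-site", now.AddDays(8)));
        byte[] forged = Convert.FromBase64String(p); forged[^1] ^= 1;   // flip one payload byte
        Console.WriteLine("tampered payload:   " + LicenseTokens.IsValid(addin, Convert.ToBase64String(forged), s, "acme-site", now));
    }
}
```

The refresh-by check is what enforces the offline grace period; as the answer notes, none of this helps if the check itself is patched out of the add-in.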