by WA 4637 days ago
Why? Honestly, how can you "outsource" such a vital part of your web app to a third party? Not only is this a privacy disaster but also, if this user service goes down or has a temporary downtime, your own business is effectively unusable.

I understand that it makes sense to not write these types of user functions and management things over and over again. The solution however, is not a SaaS, but a library or a little framework. And from what I remember, major Web development frameworks offer exactly these types of functionality.

I don't want to be a downer and you guys probably spend a lot of time on the product, but from my perspective, any business owner using a third party to handle user data acts irresponsibly. You OWE it to your users to keep their data as tight and as centralized in one spot as possible – a spot only you and employees have access to and servers only you rented and have access to and not a third party.

I'd even rather use Wordpress as a basic user management platform than use a third party service. This way, it is at least fully under my control and I'm the only one responsible if things get broken or data gets stolen.


One possible use case: Let's say you are building a new app and you don't know if it will be successful. At this point you are supposed to be working on the core. You are supposed to be talking with the users as soon as possible. You are not supposed to spend your time on things that don't matter such as registration, email delivery, forgot password.

If the app becomes successful you can always implement these things in house later.

Right. So instead of working on creating a user system, you integrate your core with another system.

Or you could, well, let's say, use a library or framework and spare you the work of integration too!

Please, in every language there are tons of libraries dealing with this stuff, starter projects with these functionalities ...

    At this point you are supposed to be working on the core
Invoicing, Price Plans and Payment. These are not normally built in. Basic user management is, but not those things.
I don't have a dog in this fight, but sometimes, companies are left with no other solutions. We had some websites hosted with Wordpress VIP. Because of their full page caching and just general restrictions, creating a login and user registration system like we wanted was not possible. We had to use a 3rd party hosted solution that loaded with JavaScript (we used Gigya). Before that, I thought exactly as you do.

There is a reason Gigya just raised 25mm more dollars. Granted, they do more than just user login as a service.

Gigya looks to be a lot closer to a DMP in an advertising world than a SaaS login service. They help get visitors to identify themselves; that's a completely different positioning and feature set.

Knowing my audience and being able to monetize that is not the same as managing billing.

That said, it does sound kind of interesting, but from my own experience, I'd probably choose to build payments and billing myself.

OP here.

Exactly because of this reason, you should use us. We have built a low-latency HA platform. And it's our core business. This means that we will do it the best way possible.

I can understand your concerns, but you could try us out on a smaller project to begin with. Or wait until we launch our licensed version which will allow you to install the system in your own environment. I.e. keeping the data safe with you and under your control :)

But it might cost a little bit more than $9 :)

Honestly HA doesn't really tell anyone anything about what would be my bigger concern... security of the platform.

What kind of IDS solution do you currently have in place, for starters? Are you using a software or hardware IDS? How are you doing monitoring of the IDS logs and reporting?

Have you done penetration tests beyond some sort of SaaS utility and hired a third party company to run them with a skilled analyst? How are you sanitizing input from external applications as you have to assume the incoming requests are suspect, etc.

Being marketed as an HA management platform doesn't really help me... If my server isn't stable enough to handle user management, it sure isn't stable enough to handle my actual service.

Because we can spend that energy on product development. Once your product takes off, we can migrate. But a service such as this (I use dailycred.com) is very useful for MVPs.
Great job guys! I have a feature request: is it possible to also save private keys through your service?

I would like to run Javascript on the client that gets a user's private key from you, and decrypts their data on the client.

Do you have thoughts for something like this?

I do see the appeal of this kind of service. I understand enough about security to know that it is difficult to get right.

The library approach that I have tried with things like django etc. tends to need plugins for a lot of use cases, and I do not understand what pieces of code are interacting with each other, which is a big red flag. More complex SSO systems seem massively overcomplicated and difficult to configure.

I want something with the simplicity and definitiveness of an apache htpasswd file with a friendly user interface and assurances about security/hashing etc.

You could say that about ANY cloud product though.
Yes, you could.

If it's a part of my service, I want it on my servers.

Which is an expensive way to run a company.

Very few startups start with their own server rooms, because part of "failing fast" is failing cheap. And if you are making infrastructure investments before you find product market fit - well, you aren't failing cheap.

I do think there is inherent value in controlling your whole stack, and running all things on your own servers, but I think this is a bit of a luxury most young companies can't afford.

I don't know anything about 'failing fast' or other startup methodologies (I'm here for the hacker part of this community, not the startup part).

Is this product designed specifically for startups? Is it intended to be removed later when you have 'found product market fit'? Isn't it more expensive to be locked in to this platform, which you don't have the source to, and can't modify if it doesn't 100% meet your needs?

"can't modify if it doesn't 100% meet your needs?" And it's even more expensive to spend developer time doing it, then finding out no one wants your product.

That's what's meant by failing fast. Find a quick way to validate your product in the market, then fail. Don't spend ages working on a product that will never work.

I don't understand this comment.

On digitalocean you can get 4G RAM for 40/month, 8G for 80. Running nginx and your favorite backend of choice, you will be able to handle any traffic your startup is getting. If you can't, you are already so successful that paying more won't matter....

This is a simple enough misunderstanding.

I don't think that you own a digital ocean or ec2 instance - you rent them the same way you are renting the service this thread is talking about. Given that chrismonsanto is taking an even more hard line approach to controlling his stack than I do, I'm assuming he agrees (I know - dangerous).

When I talk about my servers I'm talking about things sitting in my racks (possibly in my server room), that I can rip components out of and upgrade. I'm talking about very expensive things, if not in terms of purchase price, certainly in terms of care and maintenance.

--

And to tie it back up to my other comment, I think there is value in owning your own servers, and in coding your stack from top to bottom, and having no external dependencies. But I think these are both very expensive choices - and the kinds of choices most startups don't have the time/money for.

> Given that chrismonsanto is taking an even more hard line approach to controlling his stack than I do, I'm assuming he agrees (I know - dangerous).

I'm actually OK with using something like EC2, because I control what runs on it. If I feel I can't trust EC2, or that it is too expensive, I can purchase my own hardware and move my stack to that. However, if I outsource my user management, I imagine the interfaces will be proprietary, and I will have to tear up my stack quite a bit to switch. I don't like that risk.

> I think there is value ... in coding your stack from top to bottom, and having no external dependencies

I'm also OK with having dependencies on other people's work, I just want the source code available so I can fix up things if necessary. I don't even require that the software is 'open source' or 'free software', since I don't plan to redistribute my changes. I do currently have one component in my stack that is proprietary (with source) and I have very much appreciated the ability to fix up things that didn't fully integrate with the rest of my service.

Ah, okay I get it. Thanks for explaining.

Of course, there are levels of dependence, and I think hosting on amazon or DO represents a much, much smaller risk than outsourcing your user management to a startup (or even a well-established company, for that matter).

Exactly. His point applies to those other cloud services too.
This is why OAuth.io is open source, and you can choose to have a commercial license if you want to avoid GPL.