365 Days of Passport

Brian Pontarelli

It’s the first day back in the office in 2018 and everyone at Inversoft is on a mission. We are using the entire year of 2018 to solidify Passport as the premier solution for customer identity and access management (CIAM). We are calling this effort “365 Days of Passport”.

During the year we will be focusing on 4 main areas:

  • Being developer focused
  • Building features that matter
  • Acquiring awesome new customers
  • Success without investment

The first of these areas is an expansion on what we have always done. Starting with the launch of CleanSpeak in 2008, we realized that developers were a core component to our success. Developers are the ones that install and integrate our software. They are responsible for keeping the software running and usable. They ensure that the rest of the business (moderators, community managers, admins, etc) can leverage the software to be more productive.

In 2018, we are going to double down on these efforts. We will be improving our documentation, writing more examples and tutorials, writing more technical blog posts (on and about topics unrelated to our products), more speaking engagements, and a whole lot more nerdery.

The next area is focusing on building features that matter to our customers. We’ve heard from many people that CIAM solutions are often lacking specific features or have features they’ll never use. Rather than building every feature possible, we are going to get feedback from developers and build what they actually need. If you have a feature you need, let us know by emailing us at feedback@inversoft.com.

Our next focus is on acquiring awesome new customers. We value open, honest and straightforward communication with our customers. We value feedback and collaboration. We aren’t racing to the bottom or looking to simply acquire hundreds of customers to pad quarterly reports. We want to deliver solutions to companies that truly impact their business and we want to ensure that customers want to work with us.

And finally, bootstrapping is part of our DNA at Inversoft. Ever since I quit my day-job back in 2007 after acquiring my first enterprise customer, I’ve felt that I could build something great without taking outside money. Every year I’ve built on this idea and tried to help other entrepreneurs do the same.

The CIAM space is a little chaotic right now though. Companies are raising massive rounds while others are being acquired. Providers have killed entire APIs and kicked everyone off their products post acquisition. Startups are appearing and disappearing as quickly as they arrived.

Inversoft has been in business for 10 years. We have great customers and continue to grow. We’ve proven that you can build a world-class business without taking a single dime from anyone. We now want to prove this is possible even in a crowded and heavily funded space like CIAM. We’re going to do it in 2018.

It’s going to be a crazy year, but we are looking forward to it.

Stay tuned for regular updates about how our plans are progressing.

Revoking JWTs

Brian Pontarelli

I have been talking with developers about JSON Web Tokens (JWTs) recently and one question keeps coming up: “How do I revoke a JWT?”

If you poke around online, you’ll find that the most common answers are:

  • Set the duration of the JWT to a short period (a few minutes)
  • Implement complicated blacklisting techniques

There is not a simple solution because JWTs are designed to be portable, decoupled identities. Once you authenticate against an identity provider (IdP) and get back a JWT, you don’t need to ask the IdP if the JWT is valid. This is particularly powerful when you use RSA public/private key signing. The IdP signs the JWT using the private key and then any service that has the public key can verify the integrity of the JWT.

Here’s a diagram that illustrates this architecture:

[Diagram: jwts]

The Todo Backend can use the JWT and the public key to verify the JWT and then pull the user’s id (in this case the subject) out of the JWT. The Todo Backend can then use the user’s id to perform operations on that user’s data. However, because the Todo Backend isn’t verifying the JWT with the IdP, it has no idea if an administrator has logged into the IdP and locked or deleted that user’s account.
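The local-verification gap described above, as an added example (not code from the original post or from Passport): an IdP signs an RS256 JWT, a backend verifies it with only the public key, and the token keeps verifying after the account is locked until `exp` passes. The key pair, the `user-42` and `user-7` ids, the 300-second lifetime and the `lockedUsers` set are constructed for illustration.

```javascript
// Added example: keys, claims and user ids are constructed; this is not Passport code.
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const signingInput = (h, p) => Buffer.from(`${h}.${p}`);

// IdP side: holds the private key and signs RS256 tokens.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const lockedUsers = new Set(); // IdP account state; the backend never sees this

function issueJwt(sub, ttlSeconds, now) {
  const h = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const p = b64url(JSON.stringify({ sub, iat: now, exp: now + ttlSeconds }));
  const sig = crypto.sign('sha256', signingInput(h, p), privateKey);
  return `${h}.${p}.${sig.toString('base64url')}`;
}

// Todo Backend side: has only the public key and never calls the IdP.
function verifyJwt(token, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch {
    return null;
  }
  if (header?.alg !== 'RS256') return null; // pin the algorithm, never trust the header
  const sigOk = crypto.verify('sha256', signingInput(h, p), publicKey, Buffer.from(s, 'base64url'));
  if (!sigOk) return null;
  if (typeof claims?.exp !== 'number' || now >= claims.exp) return null;
  return claims; // claims.sub is the user id the backend acts on
}

function demo() {
  const t0 = 1700000000; // constructed "current time" in epoch seconds
  const token = issueJwt('user-42', 300, t0);
  const beforeLock = verifyJwt(token, t0 + 10);
  lockedUsers.add('user-42'); // administrator locks the account at the IdP
  const afterLock = verifyJwt(token, t0 + 60); // still verifies: no revocation signal
  const afterExpiry = verifyJwt(token, t0 + 301); // only expiry ends the token's life
  const [h, , s] = token.split('.');
  const altered = b64url(JSON.stringify({ sub: 'user-7', iat: t0, exp: t0 + 300 }));
  const tampered = verifyJwt(`${h}.${altered}.${s}`, t0 + 10); // signature mismatch
  return { beforeLock, afterLock, afterExpiry, tampered, lockedAtIdp: lockedUsers.has('user-42') };
}

console.log(demo());
```

The `afterLock` result is the revocation problem in miniature: the signature and `exp` checks both pass even though the IdP already considers the account locked.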

Identity Management: Get Your Head out of the Cloud

Kelly Strain

Stormpath customers are experiencing first hand the repercussions of using a multi-tenant cloud hosted API. The company was acquired and users have to get data out, fast. By 8/17/2017 to be exact.

A recent article by ProgrammableWeb discusses the dangers of using third-party APIs; however, it fails to mention ways to avoid this danger. The answer is not to stop using cloud APIs, nor is it to only select APIs from tech giants like Amazon, Google or Microsoft. Before choosing your identity and user management provider, consider the deployment options.

On-Premise

Despite increasing cloud popularity, many companies still prefer (or require) an on-premise solution.

Regulatory Requirements

Certain organizations face regulatory requirements that demand an on-premise solution. Regulatory controls and legal requirements vary depending on the industry, but many companies fall into this category. A third-party cloud vendor may not fit the compliance requirements for a particular organization within the finance or pharmaceutical sector.

Control

An on-premise solution can insulate you from issues Stormpath customers are now faced with. By installing the software on your servers (real or cloud-based) you gain control over:

  • User data
  • Access
  • Security
  • Upgrades

If the company shuts down or is acquired, you can likely continue using the software since it is running on your servers. If this is not the case, the user data is yours and can easily be removed at your discretion.

Cloud

How do you protect your data? How do you ensure that you are the only one seeing your user data?

Multi-Tenant vs. Single-Tenant

Multi-tenant is an architecture where multiple companies store their data within the same instance. With single-tenant, each company has their own individual instance. With a single-tenant solution you receive maximum privacy. The risk of another business accidentally receiving data that doesn’t belong to them is eliminated. Each customer’s user data is separate and secure.

When considering cloud solutions, it is always important to prepare for the worst-case scenario. You should think about how you will get your data out of the cloud before you ever put it in there. In the event of an API shutdown, data recovery is much easier when each customer’s data is isolated in a single-tenant cloud.

Flexible Hosting (with a pitch)

Passport offers on-premise or single-tenant cloud hosting. With these options, you have the ability to choose which deployment best meets your business or application needs. In addition, you have the flexibility to change your mind down the road.

Start Migrating from Stormpath to Passport today. Or sign up for a free Passport trial.

Stormpath has been acquired by Okta

Kelly Strain

What we know

Stormpath has been acquired by Okta.

  • The Stormpath APIs will remain in service until August 17, 2017 at noon PST. On that date and time, Stormpath APIs will be shut down.
  • The Stormpath SDKs will be in maintenance mode until August 17, 2017 when they will be decommissioned.
  • Stormpath users will be able to migrate their data into Okta, and may also export their Stormpath data to use as desired.

Current Stormpath users must migrate – whether it be to Okta or a different provider altogether. We understand this is a challenge, a challenge you most likely did not see coming in the near future.

You have 6 months to choose a provider that best meets your business needs, export existing users and be up and running with minimal end user disruption. We are here to help.