A while ago at Newstex we decided to integrate an OpenID compatible solution to handle login to our internal applications, as well as our client-facing applications. After doing a bit of research, I stumbled on Janrain, which proved to make integrating several different authentication providers into one simple login incredibly easy. I looked elsewhere but found not many other options for being able to handle Twitter, Google, Facebook, and even generic OpenID logins all in one place. Janrain seemed to be the perfect solution for us, flexible enough to support a lot of different authentication mechanisms, yet one simple API to integrate.
I quickly jumped on this opportunity and integrated it into BotoWeb, enabling it not only for our own applications, but for anyone else who used my framework. Janrain seemed to solve all of our issues; I no longer had to worry about users not remembering their passwords, because it wasn't our system that handled the password resets, or even how they logged in. When Google changed authentication for Apps, it simply worked because Janrain took care of all the individual provider authentication details, and we got back the relevant details automatically.
We'd noticed a few times earlier when Janrain had issues, but these outages never lasted more than a few minutes. We'd been paying for an enterprise version of access, giving us direct access to the Janrain team so we could get 24/7 support if we had any issues. We paid a significant premium for this, about $1,000/year. The average plan for Janrain is only about $100/year, so we were paying 10x the amount of a standard user, not to mention the free users. We didn't need more features, we didn't need things complex, we just wanted to make sure it worked.
Last year we received a notice in December stating that our account details had been "lost" for a while apparently in the transition to a new payment structure, and we had an invoice due from July that we didn't pay (because they forgot to send it to us). They were mostly civil with us, it was their fault they lost the invoice and they hadn't disabled our service, so we promptly paid the invoice and everything turned out ok.
This year, on the same "renewal date", I started receiving word from the employees at Newstex that they couldn't log into our systems; our Janrain service was completely shut off. When I went into the portal, the applications had been completely deleted. No note, no email, nothing saying anything was due. We checked our spam folders, anything that could have blocked the emails: nothing. I sent some people off to contact Janrain while I quickly worked on an alternative solution (basic HTTP Authentication). We tried emailing and calling, but couldn't get a physical person on the phone to explain what was going on. Nobody at Newstex could get any work done, and this was the middle of the work-day, the highest period when most people are working.
I was able to implement and deploy a work-around solution within about 2 hours of being notified that users couldn't log in. I had sent out passwords to everyone, and verified that everything else was functioning properly. I completely gutted the entire system from all Janrain login code quicker than they could get back to us. When they did contact us, it wasn't by phone, it was an email:
Hi Larry,
It's my understanding that you wish to renew your Janrain licences now, correct?
Thanks,
Bruce Smith, Business Representative, Janrain, Inc.
Our response was simple:
Nope, not anymore - you turned off our account without notice and left our users unable to login. We implemented another solution. Mark us down as very unhappy customers who would never use your services again.
When you're providing a service that's as critical as login, something that every user has to do before they can access the system, don't you think you'd make absolutely sure before you disable someone's account for not paying? What's even worse, they did it the very day our account was expiring. And they never even sent us a bill to pay.
Outsourcing your authentication to a third party is scary enough: what happens if they have a breach in security and let other users in; or what happens if they go down. Add on top of that not being able to trust the provider because they have bad customer relations like this, and you end up with a completely useless company.
Don't trust Janrain, you will regret it.