Hacker News new | past | comments | ask | show | jobs | submit login
Amazon Cognito (amazon.com)
425 points by moonlighter on July 11, 2014 | hide | past | web | favorite | 157 comments

The interesting thing about all these services is that they're trying to abstract away the same types of problems that all developers come across: Identity, connectivity, sync/backup (and to some extent, deployment).

A different (and more disruptive?) approach to this would be to put more control of these things into the hands of end-users such that they provide the 'backend' into which you (the developer) load your application. i.e something like the app-store model but it connects to the user's 'personal cloud' (or the desktops of old - if you prefer). Such a system needs to be FOSS at its core but with a way for developers to get paid for providing value to end-users (who themselves get control of their data/networks).

Of course, this won't happen overnight, but the alternative is that everyone ends up using proprietary silos, with huge lock-in and innovation suffers as the tech giants get distracted with lawsuits.

I'm working with others on the distributed systems infrastructure we need to make this possible [1], so that we can get to a place where everyone can have their own piece of the cloud. In fact, one of the major components of this is Mirage, which has been discussed quite a bit on HN recently [2].

[1] http://nymote.org/blog/2013/introducing-nymote/

[2] https://news.ycombinator.com/item?id=8020125 and https://news.ycombinator.com/item?id=8005130 and https://news.ycombinator.com/item?id=7726748

Do users really care about this? My guess is that 99% don't and don't want to deal with these details. The project sounds cool and like something the HN crowd might want, but my intuition is that most users won't understand the implications.

It also adds an extra step in the data storage process within the app, which increases friction and seems like it would be hard to get developers to adopt. All that said, I'd love to be proven wrong and see an implementation that is killer enough to solve these problems.

Yes, users care about this but like most things you have to segment the market appropriately. I meet more and more people who are wary of putting all their trust/data/etc into only one provider, be that Google, Apple or anyone else. It's not just a privacy thing but a growing awareness of the sheer dependency on that one company. (Aside: I have to say FB is being pretty clever by buying up apps and letting them stay 'independent' - users don't notice that as much and reminds me of FMCG.).

We don't need most users in the beginning. Just those that are technically savvy enough to understand the landscape and the way the world is headed. From there we can develop more stuff and eventually get it into a state ready for the masses. For example, I can run my personal website as a unikernel [1], which is not suitable for mom-and-pop but great for anyone currently using any static site generators. As more libraries get released I can build on that an eventually run more of my infrastructure this way (my prototypical examples are mail, contacts and calendars).

In terms of the friction for developers, we simply have to make the libraries and tooling fun and easy to use. With well-designed systems it's not necessarily any more friction that what developers have to do now (i.e build their own backend).

> "All that said, I'd love to be proven wrong and see an implementation that is killer enough to solve these problems."

We're working on it.

[1] http://amirchaudhry.com/from-jekyll-to-unikernel-in-fifty-li...

I thought like this once.

Futurists have a tendency to imagine a world of changed human behavior and it's compelling to do so. The reality is that the future rarely arrives as sweeping change, but rather as metaphor and specialization.

Whereas you can imagine others adopting new patterns of behavior because you understand the underlying reasons why such behavior is reasonable, the metaphor through which you explain this change is not readily understood. Why, as a User do I want this? If the answer is control and privacy, you might be barking up the wrong tree (time and again we've shown that those are not things consumers want or are willing to pay for).

If you want to drive dynamic change in the world, you have to change the underlying structure of complicated systems while steadfastly avoiding changes in user behavior. It turns out this is quite hard.

I applaud your efforts but encourage you to avoid the rabbit hole of endless specialization and to improve the marketing metaphor/rhetoric.

Rhetoric from a16z in a thread of 50+ tweets:

"Bitcoin, billions of phones, and NSA eavesdropping are among trends that may eventually result in cloud successor: data-local computing"


> time and again we've shown that those are not things consumers want or are willing to pay for

CITATION please. I think we have never seen such things. We've not had studies that control for all other factors and then conclude that users don't want control and privacy. I think your claim is flat out wrong. You're taking the fact that most users won't sacrifice by using a lower-quality, obscure thing for privacy and control, and leaping to the baseless conclusion that nobody cares about these things. I think you're completely wrong.

There have not been any case studies that have empirically demonstrated this to be true. If that is your basis for evaluating my statements then I cannot support my claim in a manner that you would find satisfactory.

I would however, anecdotally highlight the progression of social services from places of privacy to places of publicity. One could argue that sites like "The Well" were the original social networks but they did not grow (whether by choice is of course a matter for debate). Over time, each successive social startup defaulted to a more open stance and scaled an order of magnitude in users with each step. The trend suggests that all things being equal, users will say they want privacy but want the features publishing and syndication provides (voting purely with their registrations and advertising value).

I agree that privacy has value, but I would argue that the anecdotal evidence suggests that users want less private services (and yes I'm aware that correlation is not causation, but I think this observation is apt). This is not law or dogma but rather a thought and I'm sorry if it was communicated poorly previously.

> the progression of social services from places of privacy to places of publicity

I don't think that's a clear-cut anecdote. Facebook does actually feel very private, because it's isolated from Google and outside users. Look at the number of female profiles where everything but the name is hidden from non-friends. I don't remember MySpace or blog users ever being this paranoid. And then, anecdotally, many people around me have started to live in WhatsApp/LINE gossip groups, which is something that could easily be decentralised.

I would look towards the trajectory of Path, and the fate of app.net for your evidence of the preferences of end users vis-a-vis paying a premium for privacy and security relative to free alternatives that make no such claims (Facebook and Twitter, respectively).

Please don't assume that a lock-in based on network effects must mean users are happy with (or even aware of) that trade. I don't like FB's practices, or the way LinkedIn deals with me, yet I maintain profiles on both sites.

Twitter was unambiguously non-private from the start so there were no broken expectations.

I spent the last 3 years under this hypothesis [1][2][3]. In those 3 years I've come to realize that users don't actually care that much. Sure a subset of users care but the majority don't.

I think the "personal cloud" that makes sense both architecturally and in the minds of consumers looks very different from what we as developers understand it to be. When we took our software and began prototyping it on hardware devices (like NASes) and showed it to people their eyes lit up. They understood it. Finally.

[1] https://www.kickstarter.com/projects/jmathai/openphoto-a-pho...

[2] http://blog.trovebox.com/post/36911180540/all-cloud-storage-...

[3] https://github.com/photo

Can you put it on the Seagate Wireless Drive?

This has a simple value proposition: Apple charges $100 for incremental 16/32/64 GB mobile storage. Users can buy 2TB worth of wifi storage for $200 and replacement firmware+source (http://www.hackseagatesatellite.com/) for $35.

Haven't tried on a Seagate device. We've put it on WD MyCloud and NetGear ReadyNAS devices. I know others have got it installed on Drobos as well.

Most of these NAS devices run some version of Linux which makes it trivial to set up our software on them. Some are easier than others though.

Beyond that I can't say much regarding what we've been tinkering with internally but it's pretty damn cool :).

I perfer Synology's DiskStation over that. At least with that it'll give me a RAID array to back up my files.

I know Synology runs Linux so it should be straightforward to set up but we haven't done it yet.

This is the first time I've heard of this particular Seagate drive but the notion of having a drive you can connect to over wifi and which also fits in your pocket or bag is really interesting.

> I meet more and more people who are wary of putting all their trust/data/etc into only one provider, be that Google, Apple or anyone else.

I'd be wary of assuming from this data point that people are willing to be even slightly inconvenienced for it. Just take a look at Facebook: the entire history of the company has been one of disrespecting and subsequently pissing off users, and yet out of the huge amount of people I know who have repeatedly expressed anger at how Facebook treats their users, I know exactly one person who stopped using it or even reduced their usage.

I'm not sure whether your assumption that people's concern will translate into even the slightest bit of action is sound.

This is what I meant further up thread when I mentioned segmenting the market. I don't believe everyone will move to a new solution but I do believe that some will. I also believe that the first users will be the technical ones who already understand the trade-offs and that there's a continuum of inconvenience that they'd be willing to endure (I'm lazy, so I won't tolerate much).

For example, think of the number of people who maintain their own static websites, either on GitHub or EC2 or elsewhere. All those people could just use Tumblr or Wordpress.com, yet they chose not to.

I do, but, granted, I am a typical HN reader, not a typical user. I want my data either to be encrypted by the key that only I have, before being sent to the online storage service, and/or being sent to the computer that I physically control (NAS at my home).

The reasoning that users do not want to maintain that infrastructure is a very valid one. However, it is like having a car vs. using public transportation. Most car owners do not maintain their car themselves, but at least you can remove your personal items from the trunk before you drive it to the mechanic.

Now the question is does this analogy extends to the advantages of using your own car vs public transportation. My guess is that need for privacy could be one big driver, but the company that can make home computing infrastructure an item of conspicuous consumption will be a big winner. Think Apple or Sonos, but in terms of what comes next (Augmented Reality, Voice HCI etc).

Users won't care, until someone else builds on the liberated data of your app.

The problem isn't that users don't care, but that there's no revenue model. As a result none of these decentralized networking or platform companies can get funding.

Without funding, they don't have the resources to build truly compelling products. You can prototype something in your spare time, but to polish something to be truly competitive outside enthusiast circles you need to dedicate serious time to it.

Even if users did care there is no mechanism for them to pay for it, so it doesn't happen.

There was an MIT startup, Permabit, that tried to make a cloud based storage system which backed your own local disk. One idea was that your local storage is faster so you should use it for local things, and offline computation, but that if a shadow copy was being backed to the cloud in encrypted fashion. If your local storage fails, you just replace it, and the data dribbles back in from the cloud to your new local device.

They also had some hack whereby large common files (like app executables) where compressed using their hash code or something, but that is not the important idea in my opinion.

I think having that transparent local/cloud duality is one piece of the puzzle for a service which is both fast and local and also cloud based. You shouldn't have to care where your data lives. The other pieces of the puzzle are how to grant fine grained shared access without confusing users and introducing security holes.

I'm really intrigued by this model of internet infrastructure. Would you mind helping me understand the relevant difference between what you, Sandstorm[1], and OpenPDS[2] are doing?

[1] https://sandstorm.io/ [2] http://openpds.media.mit.edu/

OpenPDS = US gov-defined policy (NSTIC) for access to personal data

Sandstorm = packaging & separation of web apps from policy-managed data

Nymote & Mirage = UK systems research (OS, storage) on strong enforcement of claims similar but not limited to those being made in the above two projects

(Sandstorm author here.)

Based on a brief skim of the Mirage docs, it looks like a really big difference between Mirage and Sandstorm is that Mirage wants apps to be written in OCaml based on a custom API whereas Sandstorm builds of Linux. Any server app that runs on Linux should be easy to port into Sandstorm, but it seems like a lot of things will need to be written from scratch on Mirage.

In fact it appears Mirage intends to replace the kernel entirely. I can certainly see the appeal of dumping legacy baggage, but it's going to take quite a bit of work to reach the point of practicality.

You can look through the ACM article to get a good overview [1]. Yes, it's taken a lot of work to get to this point and there's more to go. In order to enable a fully decentralised system, we need to understand and tackle the basic problems that all developers face, which is more involved than just Mirage (as described in my comment above).

All the code is also fully open source under a permissive license [2].

[1] http://queue.acm.org/detail.cfm?id=2566628

[2] https://github.com/mirage/

Isn't that what App.net was supposed to be? By most standards that project was a huge failure. It's hard to proposition a user to start managing their own silo.

App.net was centrally hosted and centrally controlled, so it wasn't really all that different from its competitors. It also had execution issues.

> A different approach to this would be to put more control of these things into the hands of end-users such that they provide the 'backend' into which you (the developer) load your application.

User Dependency Injection!

The big thing is each individual user would then be responsible for maintaining their own individual cloud. Otherwise, they'll just outsource that out and we're no better than before.

How do you get grandma on her own personal cloud?

You probably don't. You also don't get grandma to run her own power plant, telephone switching network, etc. As long as her "stuff" is portable, it really doesn't matter who provides the service

If her "stuff" is that portable and the service provider has at least some kind of read access, how would one prevent the service provider from simply keeping a mirror of Grandma's data on their own servers?

This sounds quite similar to what the (now more-or-less defunct) Singly was trying to accomplish. Having talked to a former employee about it at some length, the TL;DR is that 1) the technology and ideas are cool and 2) uptake was disappointing. That said, execution matters more than ideas when it comes to success.

I was actually thinking something like this for dropbox would be a no brainer.. like a cloudmail client for all your accounts, or an igoogle/ireader service that's hosted and uses your dropbox for its' data.

Users don't care about. Not worth doing.

Your comment wasn't worth doing. Neither was mine.

Interesting. How does this overlap/conflict with efforts like Diaspora or OwnCloud?

Wouldn't Dropbox Apps, even though it isn't open source, be a good start for your requirements ?

What a great idea. Good luck with this sir! Please keep us all updated on your progress.

Why do so many people (and companies) pretend that app backends are just (logic-less) data stores?

I can definitely see the argument that some mobile games only need to store/sync some basic state information on behalf of the user, but I just don't see it as being that simple for most other apps.

I suppose this datastore-only backend model works for apps with users who are completely isolated from each other, but any time you want to allow users to interact with each other (or provide rules for how their resources interact with the world outside their little "user bubble"), you need business logic that resides somewhere other than the app; otherwise, your business logic (which may affect more than just the authenticated user) is in an untrusted environment. Not only that, but there are huge scalability problems associated with using a logic-less backend storage model if you want to do anything that involves more than just a single user's data.

Even for games, something as simple as providing a leaderboard is impossible (or extremely impractical) with this model. If you have no server-side logic to perform aggregate operations over multiple users, the only other option you'd have is to basically grab all the data and perform those operation in your app, which is absurd.

Backend development, server management, and deployment can be hard (though many PaaS solutions are making it easier than ever), but personally I'd never recommend building an app with a logic-less backend data store like this. Even if you don't think you'll need it today, in most cases you're going to need logic on the backend eventually. If you've started with this, you're just creating a lot more work for yourself when you finally do need to implement a feature that crosses the line from isolated-users-only to users-that-can-interact (or even just obtaining aggregate user data for business intelligence purposes).

Completely agree! At post.fm we're trying to design an email client which will work offline, and synchronize data when online (IMAP isn't sufficient for our needs) - Exchange style. We've thought long and hard about various solutions, and have tried syncing logic-less document-stores such as this. As you say - this doesn't really work, and there's definitely no way to handle anything remotely complex like transactions. In our case "app data" is effectively all your mail and more, and we can't expect each client to have a local copy of everything, meaning partial syncing of a collection is important for us (not something any solution out here seems to handle).

The solution we've come up with, which we'll hopefully get to open-source one day, is to model state over time as a persistent "event log", which means instead of syncing documents we sync events that clients perform, replaying events instead of document-update statements. This approach is infinitely flexible I believe, but requires more work if your clients are written in different languages (we use JS throughout so that isn't an issue).

There was no need for you to mention your company's name.

I don't think anyone suggests that it's that simple. This entire space is young and evolving quickly. Identity and data sync is a good place to start, though.

For your example of a leaderboard, Parse has Cloud Code. It's designed to do exactly what you describe -- define a function that sits on Parse's server, handles client queries against your data, and returns the relevant data. Their example is for computing the average rating for a movie from your users' reviews: https://parse.com/docs/cloud_code_guide#functions

Amazon, Google, and Microsoft aren't there yet, but I can only imagine it's on their roadmap. And Parse's implementation only works for fairly easy stuff. But I think things will look very different in 5 years.

Parse's solution is a great start as you say, but I can see myself running into the limits of that approach fairly quickly.

And, as you say, if these solutions mature, we might have some very powerful stuff in this space in a few years... maybe almost as powerful as just having your own server-side code running on some backend servers ;) But at that point, we're right back to where we are with traditional/custom backend systems being run on cloud server providers (which is not a bad thing!).

It just kind of feels like we're trying to re:Invent the wheel. You can offer these kinds of "a la carte" services all day long, and they're nice (on the surface) as long as they play nicely with each other in an open ecosystem - e.g., "let's grab this identity provider, that storage solution, this analytics engine, etc." It might look similar to Heroku's "add-ons", but with components that perform more specific functions. I just don't see that openness coming from Amazon, Google, etc. as they will all want to lock people into their services (which is understandable from a business standpoint). And unfortunately, anyone who buys into partial (and proprietary) solutions in the meantime are - in my opinion - just shooting themselves in the foot by limiting the use of their data.

Even in a perfect world with a vast marketplace of plug-and-play, interoperable cloud components, I would ask: is the "soul" of your app's code really captured in a conglomeration of components like this? If you have a need for a backend with custom logic of any kind, I think you're probably doing something unique (hopefully anyway). If you're going to need some real, unique business logic that can't be offered as an abstract cloud component, then I strongly suspect you're going to want more control over all of the backend. Even Parse's approach ends up looking more and more like a traditional custom backend system as you add more power to the "Cloud Code" approach.

As a programmer, you can often find libraries and drop-in components that accomplish 80% of what you need, so you write some custom code to "glue" those components together. That custom code usually contains business logic that really couldn't be abstracted or offered as a drop-in component. Where does that custom code live in the "perfect" ecosystem of plug-and-play cloud server components? How do you control the thing which makes your app/backend business logic unique? I don't think it's going to be in the client/mobile app as some people tend to think.

Maybe there's a good solution that combines these kinds of components with custom (and flexible) server-side code - I just haven't seen what it looks like yet. If I tried to use this stuff today, I'd be kicking myself tomorrow as I figure out that it's a pain to juggle data between components that I don't control and components that I do control.

I was commenting to a friend that the limited functionality in these types of services have very steep edges. It's great when you're in the middle, but trying to do something a little bit different can lead to long, poor, difficult code as you try to work around the constraint.

I think we'll start seeing more "opinionated" platforms, similar to what Rails and others have done for web development. Parsing query strings, managing database connections, and wiring your own user reg code are all distant memories for most web developers most of the time today.

We might see something similar here, where groups of common functions or services are stacked together to form a unit that works well together and covers some set of use cases very well. LAMP comes to mind as a comparison, and you can definitely use SQL Server instead of MySQL, but it probably won't work as well when it comes down to drivers, libraries, recruiting, etc.

These stacks will differ as well to serve a broad range of customers. I cringe a bit when I see Amazon EC2 comparisons to Hetzner or Digital Ocean because they are serving quite a different set of customers with different needs. To think that all hosts should end up standardizing on the same units would leave many customers unserved. It's easy for innovation to be called vendor lock-in, but it's hard to compete or innovate on heavily commoditized products/services.

It's [still] an exciting time to be in tech.

Parse/Cognito/etc allow you to quickly validate an idea that may or may not work out without having to invest in a backend engineer and a bunch of backend infrastructure. If it doesn't work, you've saved a bunch of time and money. If it does work, then you can start worrying about how to scale it and add more features. No piece of software has ever launched without technical debt, and there's much worse technical debt to take on than an outsourced backend.

As the description says:

instead of having to worry about building and managing a backend solution to handle identity management, network state, storage, and sync.

From my reading of this, this wouldn't in any way obviate the need for a backend system of your own. It just does the identity management, network state, storage and sync parts for you. Your own business logic on your own backend can use this to jump start you.

From the video:

> Building the backend... is a lot of work. You have to build it, deploy it, and manage the infrastructure that it runs on."

To me, it certainly sounds like they're trying to market this as an alternative to having your own backend system.

And to be perfectly honest, if you do use your own backend system for anything, authentication and simple data storage are not hard to add - especially if you're going to use a SSO service like Amazon, Facebook, or Google (which Cognito uses). There are drop-in solutions for most of those things that require little more than a couple lines of app code to authenticate users. I really just have a hard time seeing the value in what Cognito offers.

Also, assuming you do just use Cognito for the auth and storage/sync parts, how do you plan to use that data in the rest of your backend system? Are you going to pull down all that data from Amazon's servers just to do what you need with it (will they even offer that ability)? If so, how do you make sure the rest of your backend infrastructure stays in sync with Amazon's user data? It just sounds like it creates a lot more complexity than actually solving anything (except in the most basic scenarios without a need for a separate backend system).

With so many new AWS features rolling out, I am worried that Amazon is spreading themselves too thin and will soon decide to stop supporting some of their less-popular services that I happen to be using.

As far as I can tell, there is no guarantee anywhere that they'll maintain any service for any length of time.

If that happens, it could waste weeks or months of engineering time trying to migrate to something else, or I'll just have to shut down my own services if I decide it's not worth migrating.

I am not too concerned about this – though I do think it's a valid concern considering the actions of other players in the space.

Sitting here in Seattle I see Amazon hoovering up all the local talent they can hire. And I see them putting up new tower after new tower to house them. I don't worry about them stretching themselves too thin as far as manpower goes.

And they don't have a history of closing down AWS products – for instance the first, (and not a runaway hit) Mechanical Turk is still with us.

Mturk is heavily used internally and in academia for a crazy variety of stuff. It's not S3, but it's hugely important for the people it serves; it would be incredibly foolish to shut it down.

It's a valid concern. AWS has been around for many years now with numerous services. Has there been a single offering which they retired or stopped supporting? I'm not aware of one.

Amazon doesn't just create services, throws them over the wall and see if they stick. Rather, they almost always RESPOND to customer requests. Dr. Werner Vogels, AWS's CTO makes a point about that approach at about any keynote he gives. Similarly, they try to also avoid feature creep by only providing features which customers really ask for.

I am unaware of AWS modules discontinued by amazon, but it is also true that the oldest services are the most popular (S3, EC2) while some of the most recent ones have a (apparently?) smaller user base (SWF, Kinesis, AppStream).

I think I remember amazon people saying they are actually dogfooding this stuff so it should stay available for a long time anyway, rather than being a random Google Reader.

There is a strong culture of dog-fooding in Amazon. The advantages to it are quite straight forward :) If you've got a whole bunch of DBA experts already hired, why would you hire additional people to do DBA work for every team, when they could just use RDS? Along with that is the huge added benefit of a direct feedback loop, with consumers and producers able to directly meet and deal with feature requests, problems etc. etc.

Retiring any of the services that have been launched would cause not inconsiderable pain to other teams :)

AWS's practice of charging people seems to make it pretty easy to justify not pulling a Google on users.

AWS definitely dogfoods, to the point where people have to be careful internally to not create circular dependencies (this nearly happened to me once).

I think there's a notion of persistence in AWS' leadership that propagates through the teams. AWS is willing to fight through the early painful years for products to see them arrive at the stage that EC2/S3 have attained.

SimpleDB is the closest I believe. It's still around if you are using it, but it isn't in the web console anymore.

Sounds like it saved you a lot of time getting your app up and running and I'm assuming they would give you a lot of time to migrate before just shutting it down. I wouldn't worry about this, however, this is something to consider any time you use a 3rd party to manage a service for you. I've had issues with fully managed RackSpace servers where the OS hit its EOL and it was on me to migrate everything to a new server. I've had this issue with fully managed database providers when they migrated to a new infrastructure and I had to move my data into a new database. There are other examples but most of them are pretty minor and none of them were too big of a deal.

While this (and other similar) Backend-aaS look very appealing at first glance, it seems to suffer from the same problem as most AWS offerings - terrible platform lock-in. Show me that I could move all of this to another provider if I need to, and then we can talk seriously.

I also wonder how they "manage[s] the complexity of conflict resolution" without manual intervention.

I'm a bit confused by your objection to "platform lock-in." Presumably a person or company who has chosen to use this service understands the technical limitations and features it entails. That includes understanding that AWS may in fact implement this service differently than other providers do and that a future move might entail some non-trivial effort. That isn't platform lock-in in any meaningful sense.

Besides, what makes you think you would be prevented from moving all this to another provider? From the FAQ (https://aws.amazon.com/cognito/faqs/), it seems that Cognito data is stored in a straight-forward Key-Value scheme. That's about as easy as it gets when it comes to data structure.

Moreover, the actual service itself would almost certainly be implemented differently with another provider. Why should Amazon, or anybody else who offers similar "menu of services" cloud computing, make it easy for you to do so (they make money off of you not moving)?

> Presumably a person or company who has chosen to use this service understands the technical limitations and features it entails.

That's a pretty big assumption to make. People, even technical people, make assumptions all the time that they'll be able to get their data out of a system and then aren't able to at a future date.

Because the best way to get a user to "move in" is to make it easy for them to "move out". It's actually in Amazon's financial interest to make it easy for people to move off of their offerings.


This is one of our core values and while we get odd looks from investors or MBA-types we know that it's the right move to make in the long run. This is the way things are moving and I hope that more companies will go this route.

Joel wrote about this back in 2000. Barriers to exits become their own barriers to entry. http://www.joelonsoftware.com/articles/fog0000000052.html

The thing about casual discussions like that is it's easy to build a narrative without actually providing much substance. Joel's essay doesn't discuss Microsoft's "barrier(s) to exit" that Office itself didn't give up completely until last year (cf: Open Document), and Windows itself has yet to yield (it is still the dominant OS, by far, in the desktop and laptop markets).

Sure, "barriers to exit become barriers to entry" is applicable in some contexts, and for some part of a potential market it will be the barrier that keeps those customers away. I wouldn't dispute that. I would dispute that "barriers to exit become barriers to entry" be treated as a universal maxim applicable along all businesses and products. It's just as much of a strategy mistake to make as assuming the barrier can't exist in the first place. It ought to be considered; not treated as a key issue until or unless the data suggest it should be.

Is anyone delivering the equivalent with less lock-in? I can understand both sides of the argument but it seems that over time stuff always migrates towards more control (ie, people migrate OFF of Parse, Heroku, AWS, etc). I'd envision a much better set of images, Fabric/Chef recipes, to the point where you get your AWS but with vanilla OSS on generic hosting providers.

I'm trying out DreamFactory (dreamfactory.com) to see if I can accomplish the same goals but using something that's open source (Apache License). Sure I'll have to maintain my own VPS boxes but that's something I do anyway.

A couple of open source options that you can deploy to your own servers (or your cloud provider): - Apache UserGrid (incubator project) - DreamFactory - BaaSBox - LoopBack - Helios - Deployd

Any other OSS out there for this?

I'm not sure it could be considered the same thing, but by visiting the DreamFactory's site I found this in the comments http://www.wakanda.org/

Any feedback on it?

Doesn't CouchBase Mobile Sync Gateway do something similar?

Couchbase Mobile using Sync Gateway is incredibly similar to Amazon Cognito. Even the native iOS and Android libraries have a similar feel to them (object-mapping with native objective-c objects, single call sync/replication function). Sync gateway has built in support for identity providers such as Facebook, but doesn't provide Google or Amazon identity support (this could easily be added with custom server code).

The big difference I am seeing here is Amazon Cognito doesn't yet have a story around syncing documents between multiple users/roles. Sync gateway has the notion of a sync function that providers developers with a hook to customize server-side syncing in a deeper way.

I'll be interested to see how Amazon developers the multi-user/role sync capabilities and integrates it with their native identity management solution. Could be very compelling down the road..

I'm working on this. Email in profile.

It's the same with almost every BaaS. Do you want your data? Pay for it.

That's why I always advocate for building your own backend, if you have a long-run plan and/or expect to generate a lot of data for the app.

The trick with your suggestion of making data more portable is that if Amazon or any other platform provider would do so, then it would create a race to the bottom in terms of price. This would make the business quickly unappealing for the likes of Amazon. This is why no one will make their platform formats portable. At least not while things are in flux and the battle field is still disputed. Once the market matures (see the mobile telephony of 2000s) then you'll be able to port your phone number.

At Fanout.io (not BaaS like Cognito, but another kind of microservice) we opened everything up to make us easy to migrate off of. Why wait for the market to mature when we can do things the way customers want from the start?

See you at the race to the bottom!

The similarities between Cognito and EnduroSync (Orando Labs, https://orandolabs.com - announced in May) are striking. Including the latin sounding names. Except that EnduroSync is an object store and has no data size limitations. Even the pricing is similar.

As far as Hacker New goes, we announced EnduroSync back in May, and got no promotion. Not one up vote?

My impression is that the interest here is not in the product itself, but in the insight that it lends about a known player.

I don't know how Amazon comes up with names for its products, but recently they all strike me as weird and stupid names. Do they confer with marketing first? Zocalo, Cognito? Really? These are the kinds of names you invent when you're looking for a cheap domain name for your startup. For Amazon, they don't make a lot of sense. They just seem like some executive out of their marketing depth and out of touch trying to be clever and anyone with sense afraid to speak up during the meeting when they come up with these names.

What cloud service names, off the top of your head, do you consider to be exemplary?

"Parse"? OK, sure...but that's not any more functionally descriptive than "Cognito"...and Parse is a more narrowly focused company with a primary service...In the case of "Cognito" and "Zocalo"..., Amazon has to come up with names that are distinctive because they provide so many core services...so many that even me, an engineer, get them confused. Imagine the difficulty of a fly-by marketing person trying to differentiate between similar sounding names.

Furthermore, these names are distinctive industry wide...presumably, if Zocalo becomes big, you will no longer have to say "AWS Zocalo", but just, "Zocalo"...just like you do with "S3" and "EC2".

To drive home the situation that Amazon is in, let's consider another great product name: Dropbox. Unlike Parse, it is very easy to relate to the core service. But consider the phrase, "Amazon Dropbox"..."Dropbox" is unique compared to the currently named AWS services...but it has a huge collision with Amazon's core service, which is, stocking and shipping products. If Dropbox.com didn't exist, and Amazon used it instead of "Zocalo"...there is a considerable risk that people associate "dropbox" with some kind of packaging thing.

They're unique while remaining loosely related to the products they describe.

The http://en.wikipedia.org/wiki/Z%C3%B3calo is the city center (of Mexico City's historical district), a simple and untaken metaphor for a service that "...provides users with a central location for both the documents and files they are...".

Great. You are 1 out of 100,000 people that understand the metaphor.

Out of their recently-launched services, I liked the name "MatchBook" the most. It was intended to provide cheap or free Kindle versions of books which you'd previously purchased physical versions of. Unfortunately, it's a product that virtually no publishers have adopted.

Amazon is a weird name too.

As were the originally proposed names "Cadabra" and "Relentless" (http://www.relentless.com still redirects to Amazon).

Cognito means known, recognized, identified; contrast with incognito. Is that really such a terrible, horrible, no good name for a service that verifies user identities and manages user profile data?

It's a shame Amazon can't afford to hire a marketing genius like you, but I think they're doing the best they can with the idiots they have to work with.

But as a user enters cognito, they then become incognito. That does not make sense.

This. Maybe Amazon should have hired the marketing geniuses here on HN.

Zocalo, sure...but Cognito makes complete sense. The word incognito basically means anonymous. The prefix 'in-' frequently negates the meaning of the word it's attached to. So when you remove the negation from anonymous, you get a known identity, which seems very apropos to an identity service.

Is there anything like this in the enterprise space? Many of our customers want authentication against their internal Active Directory or other single sign-on solution. It would be nice if there was a company that exported an api, and did all the work of connecting up the various types of auth, so that we can focus on our own product rather than redo integration work that has probably been done by many other companies already, probably even for the customer's other services.

There's a pretty big market for this/enterprise level identity management in general. At least in Germany, companies usually prefer inhous/more control over hosted solutions though (especially in the light of the last 1+ year). SAP IdM is the big dog here (it's somewhat messy though since SAP bought the technology and it shows that it's somewhat of a hodgepodge imo) and the only one I've worked with. I'm sure all the big ERP companies provide this in some way.

Not really the API you're looking for but I thought it was worth mentioning.

Thanks for the pointer. This particular service is useful to know about, but a bit more mobile focused than is appropriate for our current product. Noted for future reference tho!

For various meanings of "like this", there's also Okta, Ping Identity, UnboundID, Forgerock...

Have you seen Stormpath?

I have now. Thanks for the pointer!

Isn't there a startup that does this already? Seems way too intuitive and natural to not have happen already.

There are many startups which do this (or at least similar) already. It's often referred to as "backend as a service" (BaaS). Some links below, but you'll find many more via Google.

http://www.kinvey.com/ https://backendless.com/ https://www.parse.com/ http://www.baasbox.com/

Yes. Firebase. I think Firebase is interesting because they focus on realtime data which is crucial for a lot of apps these days.

Strongloop has http://loopback.io which has been interesting to work with. Looking to free up some time to investigate a little further!

there's a lot of energy/activity with the strongloop project - I am looking at that as well... and now Cognito will demand my attention, too :)

Orando Labs (https://orandolabs.com) has EnduroSync and Identio. Striking similarities between the products. EnduroSync is a full object store and does not have the data size limitations.

seems kind of expensive for what it does.

imagine a game with 100k DAU (big, but not huge)

2 sessions per user per day

say 10 "saves" per session

100,000 * 2 * 10 = 2 million synchs / 10k * $0.15 = $30/day

for $900/month you could do FAR better just rolling your own

these numbers are all reasonable for a mobile game... so it seems to me that the main use pattern would be for apps that don't need to synch very often. and if an app doesn't synch very often, why even bother throwing an auth wall at your users?

Or lets say thats about $12,000 a year. Very conservatively thats 1/10th of a developers cost. Could you really build, and operate, a truly equivalent service with 1/10th of a developer? Im dubious.

There are many cost/efficiency arguments against outsourcing infrastructure. I dont think this is one of them.

interesting. Higher than their example pricing which was based on 500k sessions/month with a sync at begin and end (https://aws.amazon.com/cognito/pricing/).

I find the aws pricing (and "cloud pricing" in general) fairly confusing, and the things is that you have to be so careful that the wrong checkbox isn't checked or something that opens the spigot to the credit card# you had to enter to try out the service on the free tier in the first place. Note that I saw that you can get an alert when it first charges anything via billing alerts (http://docs.aws.amazon.com/gettingstarted/latest/awsgsg-intr...), but still...

I think Amazon's pricing example is based on a fairly unrealistic use case where you only sync at the end of a session. With real world applications, most of them sync multiple times during a session, e.g., every 5 minutes, every 30 minutes, every time a significant atom of work is done (e.g., Gmail saving drafts). With mobile devices it's common to turn them off abruptly, or lose connectivity abruptly. A user's not going to enjoy the experience if nothing they did in their session on their phone is available when they fire up their laptop because the phone app only syncs at the end of a session.

Yeah - I think Parse is much cheaper

For those wary of vendor lock-in, or for those wanting a self-hosted similar service: Just yesterday I spun up my own oauth.io oauthd server. It's working out fairly well. It's only third-party authentication, it doesn't handle guest users or local authentication.

Am I missing something or could this be useful for non-mobile applications as well like HTML/JS apps if they provided an API outside of the iOS/Android SDKs?

You're right. And considering they have just added Cognito support to their Node.js SDK, we can suppose this is the master plan. http://aws.amazon.com/releasenotes/JavaScript/99205414836272...

Thanks for the link!

It says on the page they provide a web service API accessible to any application.

A buzzword used in Cognito and Zocalo is "secure". I'm assuming that means that it's server-side encrypted at rest.

What would be really impressive is if there was an option to client-side encrypt the data before sending it to AWS. Of course, that would mean you'd have to move your syncing logic to the client-side, too, but having a good client-side encryption option would be a real differentiator.

Wild guess: Amazon does nothing to solve sync conflicts, because it's highly correlated with your app business. Amazon gives you all conflicting versions and some flags telling your app "there's a conflict, you should fix it". Much like CouchDB.

So if it works like that, you absolutely can encrypt your payload client-side, and use Cognito as a mere transport.

Much like CouchDB.

Exactly. I don't know why people are so attracted to locked in solutions like Parse or now this when Couch has already been doing it for a long time, and there are mature third-party providers (Cloudant, Iriscouch, etc) that can help you get off the ground just as easily without ever being locked in with them.

The Cognito marketing materials claim that it supports "intelligent conflict resolution".

Yeah, I knew there was something else too. All are little code or code-free backend services.

So Amazon is now competing with Facebook / Parse?

And new iCloud. And new Dropbox API. And Helios.

Does Apple consider iCloud a competitor to other cloud services? You need an Apple device to sign up for it, so you can't move to it if you only have access to Android or Windows devices.

I'm definitely finding it interesting to see Amazon releasing more and more offerings to make life as a developer easier. Will be interesting to see whether they can leverage some of these services to make developing for the Fire phone extra appealing.

This may sound stupid, so I apologise in advance for my ignorance....

I watched the video and the focus of this service seems to be on storing user data in a way that can be accessed by any device. I'm an API developer, isn't this just what every mobile app that uses an API to store data does, right? I personally don't write a different backend datastore for every device type that could connect to it, nor do I 'permanently' store data on the device! user data is always synced 'for me' over an API. I don't get this, can someone explain why we need this service? Do people develop apps different from me? I'm not being sarcastic, I'm genuinely interested.

Agreed. I'm confused. I don't understand how this helps users access data on "any" device.

The data pulled from the backed is handed off to the front end. The front end determines what's displayed and how it's displayed based off of the device. What does data storage have to do anything.

This service is for app devs who dont want/know how to to run their own servers. They are given a simple api to login/store info about a user in a user and it syncs automagically.

Amazon seems to be in "me too" mode lately. They released an Android phone, a Dropbox clone, and now a Parse clone.

Instead being the vanguard of innovation, they're letting other companies validate the need for a service before swooping in.

Who's next? Probably Stripe.

Amazon Payments launched in 2007, and Stripe lunched publicly in 20011.

When I see products like this, my first question is: could you write an free, open-source app with this without having to shell out your personal money to make it happen?

For Amazon Cognito, the answer appears to be "yes, until all of your users together store more than 10GB". ie. until your app gets popular.

So for free open-source apps, I think I'd prefer to stick with Dropbox or Google Drive, where the billing is associated with an account the user already has (which most users can operate entirely within the free tier). That way you don't run into a situation where you are a victim of your own success, by exceeding a free tier that applies to the sum of all user data in your app.

There's more information about AWS Cognito beginning at the 1:03:00 mark: https://www.youtube.com/watch?v=Wr6WirGn-6k

In response to this announcement, Orando Labs (https://orandolabs.com) has decided to offer EnduroSync and Identio with open source licenses and as paid AMI instances. We believe we have a unique solution to some difficult problems (identity and syncing), and want to see our solutions widely adopted. Read more at http://orandolabs.wordpress.com/2014/07/12/amazon-cognito

So, can someone correct me if I'm wrong? It appears that Amazon Cognito handles sync for local device data, but the developer doesn't have access to any of that data. Correct?

So this service seems to be geared toward developers who don't want to store or see user data at all. But for a developer that wants to gather user data (for crowdsourced insights) or for a developer that wants to offer a web app connected to their own DB, then this isn't going to work.

So, Amazon Parse? Looks like the big four (Apple, Google, Amazon, FB) all have to ahem...back(end) it up now.

Big five (Amazon, Apple, Facebook, Google, Microsoft)

Would you guys trust Amazon data services like EC2/S3 for backing up your system which includes all your GPG/SSH keys, photos, important documents like tax returns, etc.?

Anything like this but for relational data? I need to sync a sqlite database and my attemps of using this kind of service show me are not really a good fit.

EnduroSync (https://orandolabs.com) will get you close. It's a light weight object store that sits on top of sqlite.

Damn, these guys are on a streak! 2 great products released in 2 days. This one seems a little more innovative than Zocalo though.

Looking into the service, the identify providers they support are Amazon (naturally), Google and Facebook.

Amazon and their ambition has no bounds. They really are the grizzly bear in the room of online services.

I would love to know if there are any open source alternatives to such solution.

Closet alternative, I have seen till now, is Pouchdb https://github.com/pouchdb/pouchdb

Why would anyone outsource such a thing to another company/service?

Amazon: "It is so difficult to merge user behavior data across different devices they use... I have an idea! Let's create a service which will do it for "them"!

Much better name than "Zocalo", if nothing else.

Does anyone know who made this video?

Did Amazon just change the name of the product that was topping HN yesterday?

Did you even try reading the link?

How did this float to the top of my front page so quickly. Are we all genuinely _that_ interested in new AWS products? or did this post receive some "extra" help

To answer your first question: Yes. Many of those who work on services are very interested in cloud-based systems, and Amazon happens to be a major leader in this.

Ancillary factors:

1. The title is clickworthy. While link-baity titles do work well on HN (compared to very vague titles)...this title sticks out because it is two words: One of them is "Amazon", which has very immediate connotations and brand recognition. The second is a proper noun. Those of us who haven't heard of "Cognito" are likely to think, immediately, "Whoa, new Amazon product, must click-through to see how it will impact my work". That it is two words also makes it visually distinctive regardless of what those words even are.

2. It's 11AM, which means almost every developer on the East Coast is awake, and West Coast developers, particularly the ones responsible enough to reserve HN viewing for before-work hours, are getting their coffee and checking HN. So, lots of potential upvoters.

This makes Amazon competitors to various backend-as-a-service startups (like Parse), so yes, it's interesting.

Yeah, it does appear to a hot topic. Still, the post was <10m old and #1 with 0 comments. Seems either extremely overhyped or artificial to me.

New product announcements from large tech companies make it to #1 before getting any comments on a regular basis. Submitting a duplicate URL counts as an upvote for the original submission, so it's pretty easy for something like this to make it to #1 just from people racing to be the first one to submit it.

Ah, I didn't know about the duplicate URL rule. That makes more sense. I've been here for quite a while and I haven't noticed such an aggressive advance before. So it triggered an alarm. Maybe I'll start seeing it more often

Every time someone submits a link, the first posting gets a point. So if 20 people independently posted it to HN before it got to the front page, it would accumulate points pretty quickly without comments.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact