Journal

Flight log

Notes on building Auth Fly: protocol design, UI migration from Hanko Elements to UI8Kit, adaptive SDKs, the SSO SPI, and the pre-flight security checklist.

Roadmap 2025-08-01 8 min

Why Auth Fly: own your IdP, skip the telemetry

A self-hosted SSO construction kit, built around one principle: identity belongs on your own origin, with no third-party update channels in the critical path.

IdP core 2025-09-05 10 min

One IdP session for SAML and OIDC

How a single signed idp_session cookie bridges SAML Service Providers and OIDC Relying Parties on the same Identity Provider — and why it stays simple.

SAML 2025-10-02 12 min

SAML 2.0 in ~600 lines of Go: what we kept, what we cut

A walk through the Auth Fly SAML implementation: AuthnRequest parsing, ACS pinned to SP config, XMLDSig with SHA-256 and RS256 — and the hardening still on the runway.

OIDC 2025-10-20 11 min

OIDC done minimal: code flow, JWKS, and the road to PKCE

What a small OIDC provider looks like: Discovery, /authorize, one-shot codes, /token with no-store, /userinfo, /jwks — and the hardening list before public clients.

UI migration 2025-11-10 12 min

From Hanko Elements to UI8Kit: a one-to-one migration

Replacing the third-party login web component with our own bundle — same UX, same i18n, same dark theme, served from the IdP origin with no CDN dependency.

UI migration 2025-11-25 10 min

Hosted UI on Go + templ: i18n, dark mode, embedded assets

Inside AuthKit: how Renderer, ViewConfig and StaticFS keep the hosted login UI provider-agnostic — and why the page itself never imports a credential backend.

Architecture 2025-12-15 11 min

Provider-agnostic core: contracts before code

Why the Auth Fly stack splits into core, authkit and authkit-hanko — and how that split lets us swap Hanko for Supabase or a custom Postgres backend without touching the UI or the IdP.

SDKs 2026-01-15 11 min

Adaptive SDKs: one TypeScript core, thin adapters for any stack

How AuthKit TS becomes a portable core for browser auth flows — and how per-provider, per-language adapters keep that core useful from React to Go to PHP.

SPI 2026-02-10 12 min

SSO SPI: from Hanko PoC to Supabase or custom Postgres

How the CredentialVerifier contract becomes a Service Provider Interface — letting you swap the credential backend without rewriting the IdP, the UI, or the security invariants.

Security 2026-03-05 16 min

Pre-flight checklist: from PoC to MVP hardening

The full Auth Fly hardening list, in the open — what is already strong in the PoC, and the four staged wave of fixes that take us from PoC to a production-shaped MVP.