Authentication is one of the few systems where every request matters: when a trust boundary slips, the cost shows up as lost revenue or lost safety. Auth Fly is the construction kit we wanted to deploy ourselves: small enough to read end to end, opinionated about contracts, and free of background channels we did not sign up for.
What we mean by “own your IdP”
- The IdP runs on your origin. SAML metadata, OIDC discovery, JWKS — all served from your domain.
- No telemetry. The binary does not phone home, does not pull update manifests, does not ship usage events.
- Configuration is yours. SP allowlists, OIDC client allowlists, signing keys — local files and environment variables, not vendor consoles.
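A practical way to verify the first point against a running deployment, as an added example that is not Auth Fly's own code: parse the OIDC discovery document and flag any endpoint that is not served over https from the issuer's own host, plus an issuer that does not exactly match the URL the document was fetched for. The host `id.example.com`, the endpoint paths and both sample documents below are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// providerMetadata holds the OpenID Connect Discovery 1.0 fields this check looks at.
type providerMetadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserinfoEndpoint      string `json:"userinfo_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// CheckDiscoveryOrigin parses a discovery document and returns one finding per
// violation of "everything served from your domain": an issuer that differs from
// the one the document was fetched for, a missing or relative endpoint, a non-https
// endpoint, or an endpoint whose host is not the issuer's host. An empty result
// means every endpoint stays on the origin the issuer claims. Findings come back in
// field order so callers can compare them deterministically.
func CheckDiscoveryOrigin(expectedIssuer string, doc []byte) ([]string, error) {
	var md providerMetadata
	if err := json.Unmarshal(doc, &md); err != nil {
		return nil, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	iss, err := url.Parse(md.Issuer)
	if err != nil || iss.Scheme == "" || iss.Host == "" {
		return nil, fmt.Errorf("issuer %q is not an absolute URL", md.Issuer)
	}

	var findings []string
	// Discovery requires the issuer to match the URL the document was fetched for
	// exactly; a trailing slash or a different case is a mismatch, not a near miss.
	if md.Issuer != expectedIssuer {
		findings = append(findings, fmt.Sprintf("issuer %q does not match expected %q", md.Issuer, expectedIssuer))
	}

	endpoints := []struct{ name, raw string }{
		{"authorization_endpoint", md.AuthorizationEndpoint},
		{"token_endpoint", md.TokenEndpoint},
		{"userinfo_endpoint", md.UserinfoEndpoint},
		{"jwks_uri", md.JwksURI},
	}
	for _, ep := range endpoints {
		if ep.raw == "" {
			findings = append(findings, ep.name+" is missing")
			continue
		}
		u, err := url.Parse(ep.raw)
		if err != nil || u.Host == "" {
			findings = append(findings, ep.name+" is not an absolute URL: "+ep.raw)
			continue
		}
		if u.Scheme != "https" {
			findings = append(findings, ep.name+" is not https: "+ep.raw)
		}
		// Host comparison includes any explicit port: id.example.com:8443 is a
		// different origin from id.example.com.
		if !strings.EqualFold(u.Host, iss.Host) {
			findings = append(findings, ep.name+" leaves the issuer origin: "+ep.raw)
		}
	}
	return findings, nil
}

// Constructed sample documents for this example; they are not captured from any
// real deployment. GoodDiscoveryDoc keeps everything on id.example.com;
// LeakyDiscoveryDoc serves the token endpoint over plain http and hands JWKS to a
// third-party host.
const GoodDiscoveryDoc = `{
  "issuer": "https://id.example.com",
  "authorization_endpoint": "https://id.example.com/oidc/authorize",
  "token_endpoint": "https://id.example.com/oidc/token",
  "userinfo_endpoint": "https://id.example.com/oidc/userinfo",
  "jwks_uri": "https://id.example.com/oidc/jwks"
}`

const LeakyDiscoveryDoc = `{
  "issuer": "https://id.example.com",
  "authorization_endpoint": "https://id.example.com/oidc/authorize",
  "token_endpoint": "http://id.example.com/oidc/token",
  "userinfo_endpoint": "https://id.example.com/oidc/userinfo",
  "jwks_uri": "https://cdn.vendor.example/jwks.json"
}`

func main() {
	for name, doc := range map[string]string{"good": GoodDiscoveryDoc, "leaky": LeakyDiscoveryDoc} {
		findings, err := CheckDiscoveryOrigin("https://id.example.com", []byte(doc))
		if err != nil {
			fmt.Println(name+": error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

In use, fetch `<issuer>/.well-known/openid-configuration` and pass the body in with the issuer you requested as `expectedIssuer`; a finding on `jwks_uri` is the one to treat as blocking, because any host that can serve keys can mint tokens your relying parties accept. The same idea applies to SAML metadata (the `Location` of each `SingleSignOnService`), which this example does not cover.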
Why not pick an existing platform
There are excellent open IdPs. We chose to build because we wanted the surface to stay narrow on purpose: dual-protocol bridge, hosted UI, adaptive SDKs. Smaller surface, faster audit, fewer moving parts in incident response.
What ships in PoC
- SAML 2.0 IdP with one signed session shared with the OIDC provider.
- OIDC authorization-code flow, JWKS, UserInfo, Discovery.
- Hosted UI on Go + templ + UI8Kit, with English and Russian localisations embedded.
- Hanko as the credential backend behind a provider-agnostic contract.
What is on the runway
MVP is the hardening milestone: PKCE on the authorization-code flow, SAML assertion anti-replay, signing-key rotation, security headers and structured audit logs. The full sequence is published as a pre-flight checklist: no surprises, no hidden roadmap.