Skip to content

Identity

Identity

Cbox Billing does not own a user table for its operators. It authenticates them against a running Cbox ID instance as a standard OIDC relying party, and it declares its own roles and permissions to Cbox ID so they can be assigned centrally. Identity and role assignment live in Cbox ID; this app owns what a role means and enforces it.

In this section

Page What
OIDC login The authorization-code + PKCE sign-in flow, discovery, demo mode, and logout.
Federated RBAC manifest The roles/permissions the app declares in code and publishes with cbox-id:publish-manifest.
Org-level entitlements One billing account per identity organization, enforced on the hot path — not by inflating tokens.

The division of ownership

Concern Owned by
Users, credentials, MFA, passkeys, sessions Cbox ID
Which user holds which role Cbox ID (assignment)
What a role/permission means Cbox Billing (this app)
Enforcing entitlements per organization Cbox Billing, on the hot path

The client library

The OIDC client and manifest publisher come from cboxdk/laravel-id-client. The app wires it in AppServiceProvider (the IdentityProvider binding) and configures it through config/services.phpcbox_id and config/cbox-id-client.php.