Cbox Billing
Identity
Identity
Cbox Billing does not own a user table for its operators. It authenticates them against a running Cbox ID instance as a standard OIDC relying party, and it declares its own roles and permissions to Cbox ID so they can be assigned centrally. Identity and role assignment live in Cbox ID; this app owns what a role means and enforces it.
In this section
| Page | What |
|---|---|
| OIDC login | The authorization-code + PKCE sign-in flow, discovery, demo mode, and logout. |
| Federated RBAC manifest | The roles/permissions the app declares in code and publishes with cbox-id:publish-manifest. |
| Org-level entitlements | One billing account per identity organization, enforced on the hot path — not by inflating tokens. |
The division of ownership
| Concern | Owned by |
|---|---|
| Users, credentials, MFA, passkeys, sessions | Cbox ID |
| Which user holds which role | Cbox ID (assignment) |
| What a role/permission means | Cbox Billing (this app) |
| Enforcing entitlements per organization | Cbox Billing, on the hot path |
The client library
The OIDC client and manifest publisher come from
cboxdk/laravel-id-client. The app wires it
in AppServiceProvider (the IdentityProvider binding) and configures it through
config/services.php → cbox_id and config/cbox-id-client.php.
Related documentation
- Configuration → Environment — the
CBOX_ID_*keys. - Identity client package: https://github.com/cboxdk/laravel-id