cboxdk / laravel-id
Cbox ID — self-hostable, Laravel-native identity platform (framework). AuthN, SSO/SAML, SCIM, OAuth/OIDC provider, RBAC, billing-fed entitlements, tamper-evident audit.
v0.4.0
2026-07-13 21:15 UTC
Requires
- php: ^8.4
- ext-openssl: *
- ext-sodium: *
- cboxdk/laravel-ssrf: ^1.0
- firebase/php-jwt: ^7.0
- illuminate/auth: ^12.0 || ^13.0
- illuminate/contracts: ^12.0 || ^13.0
- illuminate/database: ^12.0 || ^13.0
- illuminate/support: ^12.0 || ^13.0
- onelogin/php-saml: ^4.0
- spomky-labs/cbor-php: ^3.0
Requires (Dev)
- larastan/larastan: ^3.0
- laravel/pint: ^1.18
- orchestra/testbench: ^10.0 || ^11.0
- pestphp/pest: ^3.5 || ^4.0
README
cboxdk/laravel-id — a self-hostable, Laravel-native identity platform. Central login,
enterprise SSO, directory sync, RBAC, billing-driven entitlements and a tamper-evident audit
trail — all interface-driven, deny-by-default, and verified (tests + PHPStan level max +
composer audit) before it ships.
UI-free and domain-free: every capability sits behind a contract you bind, mock, extend or replace.
Install
composer require cboxdk/laravel-id php -r "echo base64_encode(random_bytes(32)).PHP_EOL;" # set as CBOX_ID_CRYPTO_KEY php artisan migrate
A taste
use Cbox\Id\Organization\Contracts\Organizations; use Cbox\Id\Organization\ValueObjects\NewOrganization; use Cbox\Id\Identity\Contracts\Subjects; $org = app(Organizations::class)->create(new NewOrganization('Northwind', 'northwind')); $user = app(Subjects::class)->create('ida@northwind.test', 'Ida', password: 's3cret');
Modules
| Layer | Modules |
|---|---|
| Kernels | Tenancy · Crypto · Audit · Events · Authorization |
| Domain | Organization · Identity · AccessControl · Directory (SCIM) · Federation (SSO) · Webhooks · AuditQuery |
Documentation
Full docs live in docs/:
- Requirements · Installation · Quickstart
- Architecture & patterns
- Cookbook
- Extending & customizing
- Testing
- Security ·
SECURITY.md - Standards & conformance — RFCs implemented (OAuth/OIDC/SCIM/SAML/MCP)
- Compliance mapping — SOC 2 / ISO 27001 / NIS2 / GDPR / HIPAA / PCI-DSS · Threat model
License
MIT. Private during internal dogfooding; public release when ready.