blogs/DotnetPbacAbacRbac

Auth Playground — RBAC, ABAC & PBAC in .NET 10

A production-style learning repository that teaches Role-Based (RBAC), Attribute-Based (ABAC), and Policy-Based (PBAC) access control in ASP.NET Core, with a real OIDC/OAuth2 identity service, protected APIs, Swagger testing, Docker Compose, and comprehensive documentation.

What You'll Learn

  • RBAC: Role-based endpoint protection ([Authorize(Roles = "Admin")])
  • ABAC: Attribute-based resource access (department, region, tenant, clearance level)
  • PBAC: Policy-based composite rules that wrap RBAC + ABAC
  • OAuth2/OIDC flows: Authorization Code + PKCE, Client Credentials
  • Resource-based authorization: Imperative checks with IAuthorizationService
  • Custom authorization handlers: The core of fine-grained access control in .NET
  • Multi-tenant isolation: Tenant-based ABAC filtering
  • Service-to-service auth: Client Credentials with scope-based policies

Quick Start

```bash
docker compose up --build
```

Test Accounts

| User | Email | Password | Role | Department |
|---|---|---|---|---|
| Admin | admin@authplayground.dev | Admin123! | Admin | IT |
| Manager | manager@authplayground.dev | Manager123! | Manager | Engineering |
| Employee | employee@authplayground.dev | Employee123! | Employee | Engineering |
| Auditor | auditor@authplayground.dev | Auditor123! | Auditor | Compliance |
| Regional Mgr | regional@authplayground.dev | Regional123! | RegionalManager | Engineering |
| Tenant 2 | tenant2user@authplayground.dev | Tenant2User123! | Employee | Engineering |

Architecture

```text
┌─────────────┐     ┌──────────────────┐     ┌────────────┐
│ Swagger UI  │────▶│  Identity Service │     │ PostgreSQL │
│ (PKCE flow) │     │  (OpenIddict)     │────▶│            │
└─────┬───────┘     └──────────────────┘     └────────────┘
      │ Bearer Token         ▲
      ▼                      │ Token Validation
┌─────────────┐              │
│ API Service │──────────────┘
│ (RBAC/ABAC/ │
│  PBAC)      │────▶ PostgreSQL
└─────────────┘
```

Project Structure

| Project | Purpose |
|---|---|
| AuthPlayground.Domain | Core entities, enums, interfaces |
| AuthPlayground.Contracts | Shared DTOs, claim/role/policy constants |
| AuthPlayground.Application | Authorization handlers, business services |
| AuthPlayground.Infrastructure | EF Core, PostgreSQL repositories |
| AuthPlayground.Identity | OIDC/OAuth2 provider (OpenIddict) |
| AuthPlayground.Api | Protected endpoints, Swagger, auth config |

Authorization Models Demonstrated

RBAC (Role-Based)

```csharp
// Only Admin can manage policies
.RequireAuthorization(AppPolicies.RequireAdmin)
```

ABAC (Attribute-Based)

```csharp
// Handler checks: user.department == document.department
public class SameDepartmentHandler : AuthorizationHandler<SameDepartmentRequirement, Document>
```

PBAC (Policy-Based, composing RBAC + ABAC)

```csharp
// "CanApproveDocument" = Manager role + same department + pending status
.AddPolicy("CanApproveDocument", p => p.AddRequirements(new DocumentApprovalRequirement()))
```
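As an added example (not the repository's own code), here are the ABAC handler from the snippet above and a handler for the PBAC `DocumentApprovalRequirement` filled in, showing how the policy composes the Manager role check with the department and pending-status attributes. The `Document` shape, the `DocumentStatus` enum and the `"department"` claim name are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

public enum DocumentStatus { Draft, Pending, Approved }
// Illustrative resource shape (assumption, not the repository's entity).
public sealed record Document(int Id, string Department, DocumentStatus Status);

public sealed class SameDepartmentRequirement : IAuthorizationRequirement { }
public sealed class DocumentApprovalRequirement : IAuthorizationRequirement { }

// ABAC: access depends only on a user attribute matching a resource attribute.
public sealed class SameDepartmentHandler
    : AuthorizationHandler<SameDepartmentRequirement, Document>
{
    // Claim name "department" is an assumption; use what the identity service issues.
    internal static bool SameDepartment(ClaimsPrincipal user, Document doc) =>
        string.Equals(user.FindFirst("department")?.Value, doc.Department,
                      StringComparison.OrdinalIgnoreCase);

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        SameDepartmentRequirement requirement, Document resource)
    {
        if (SameDepartment(context.User, resource))
            context.Succeed(requirement);
        // No Fail(): a missing or mismatched claim just leaves the requirement unmet.
        return Task.CompletedTask;
    }
}

// PBAC: one requirement whose handler composes RBAC (role) with ABAC (department, status).
public sealed class DocumentApprovalHandler
    : AuthorizationHandler<DocumentApprovalRequirement, Document>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        DocumentApprovalRequirement requirement, Document resource)
    {
        if (context.User.IsInRole("Manager")
            && SameDepartmentHandler.SameDepartment(context.User, resource)
            && resource.Status == DocumentStatus.Pending)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}
```

Both handlers still need to be registered as `IAuthorizationHandler` in DI, and the resource overload of `IAuthorizationService.AuthorizeAsync(user, document, "CanApproveDocument")` is what passes the `Document` into them.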

Documentation

Detailed docs with Mermaid diagrams in /docs:

| Document | Topic |
|---|---|
| Authentication vs Authorization | Core concepts |
| RBAC | Role-Based Access Control |
| ABAC | Attribute-Based Access Control |
| PBAC | Policy-Based Access Control |
| RBAC vs ABAC vs PBAC | Comparison & decision guide |
| OIDC & OAuth2 | Protocol overview |
| Authorization Code Flow | User authentication flow |
| PKCE Flow | Public client security |
| Client Credentials | Machine-to-machine flow |
| Claims, Roles, Permissions, Policies | Concept relationships |
| .NET Authorization | Implementation guide |
| Custom Handlers | Handler patterns |
| Resource-Based Auth | Imperative authorization |
| Swagger Security | Testing with Swagger |
| Architecture | System design |
| Running the Project | Setup & exercises |
| Testing Strategy | Test patterns |
| Staff-Level Cheatsheet | Quick reference |

Tech Stack

  • .NET 10, ASP.NET Core Minimal APIs
  • OpenIddict (OIDC/OAuth2)
  • ASP.NET Core Identity
  • Entity Framework Core + PostgreSQL
  • Swagger/OpenAPI (Swashbuckle)
  • xUnit + Moq (testing)
  • Docker Compose

License

MIT — use freely for learning and reference.