[AllowAnonymous] Required for Successful Authorization?

Hello all,

(I have followed (to the best of my ability) the WebAPI quickstart documentation in order to get to this point.)

I am running into an issue that seems to indicate that the [AllowAnonymous] attribute is required on the controller even when I am successfully logged in.

Without [AllowAnonymous]:

  • Non [Authorize] methods work as expected
  • [Authorize] methods redirect to sign-in; once signed in, I receive a 403 even though I have the required permission

With [AllowAnonymous]:

  • Non [Authorize] methods work as expected
  • [Authorize] methods redirect to sign-in; they work as expected

Is this intended behavior? Or have I misunderstood/mis-configured something?

Appreciate any help and thank you in advance!