I have an ASP.NET Core application hosted in IIS. The application uses OAuth/OIDC for authenticating API requests. I have observed that if neither Anonymous nor Windows Authentication is activated, then requests are rejected by IIS and do not make it through to the application (even though the Authentication header is set for Bearer). If I enable Anonymous Authentication, then the requests pass through to the application for authentication according to OAuth/OIDC.

I believe that in the case of a classic ASP.NET application hosted in IIS, even though both Anonymous and Windows authentication were NOT enabled, requests still pass through to the application.

Can the community please confirm this - must I activate Anonymous mode in IIS or am I missing some other configuration?

Our IT admin policy is to not allow Anonymous Authentication in IIS (this is a problem as we migrate our ASP.NET Core applications to OIDC and away from Windows Authentication).

Tom Carter
  • No. Even for classic ASP.NET apps, anonymous authentication is required. – Lex Li May 13 '22 at 16:02
  • Correctly, any service needs to have either a known or an unknown user, but can't handle non-user requests. The same thing would be if you would try to use a fileshare. – djdomi May 13 '22 at 17:54
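
With Anonymous Authentication enabled in IIS, as the comments say is required, IIS no longer authenticates callers, so the application has to reject every request that lacks a valid bearer token. The sketch below is an added example, not code from the question or its comments; it assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package, and the authority, audience and route names are placeholders.

```csharp
// Program.cs (ASP.NET Core minimal hosting). Added example, not the asker's code.
// Assumed IIS settings: Anonymous Authentication enabled, Windows Authentication disabled.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholder values: replace with the real OIDC issuer and API audience.
        options.Authority = "https://idp.example.com";
        options.Audience = "api://example-api";
    });

builder.Services.AddAuthorization(options =>
{
    // Deny by default: any endpoint without its own authorization metadata
    // requires an authenticated user, so "anonymous" at the IIS layer does
    // not become anonymous access to the API.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Covered by the fallback policy: a request with no token or an invalid
// token receives 401 from the application instead of from IIS.
app.MapGet("/api/whoami", (ClaimsPrincipal user) =>
    Results.Ok(new { name = user.Identity?.Name }));

// Unauthenticated access must be opted into explicitly, per endpoint.
app.MapGet("/health", () => Results.Ok("ok")).AllowAnonymous();

app.Run();
```

A request to the hypothetical `/api/whoami` route without an `Authorization: Bearer` header should return 401, which is a quick check that the deny-by-default policy is in effect after Anonymous Authentication is turned on in IIS.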

0 Answers