How to exclude authentication on a controller in ASP.NET Core?

Imagine you have an application with authentication enabled. The easiest way to enable AAD in your application is to use a connected service.

Once you activate authentication, the application is accessible only after logging on. This is fine, but if you have a REST service (controller) that does not need authentication, you might get confused when looking for a solution.

Typically, when implementing REST APIs (not an ASP.NET application), the authorize attribute is used on operations and controllers:

[Authorize]

In ASP.NET Core applications this attribute is not even necessary. Authentication is globally activated by default.

To exclude the controller from the authentication process, you can use the allow anonymous attribute:

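 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

 // Excluded from authentication: reachable without logging on.
 [AllowAnonymous]
 public class AnonymousController : ControllerBase
 {
 }
 
 // Explicitly requires an authenticated user.
 [Authorize]
 public class RequiresAuthController1 : ControllerBase
 {
 }
 
 // No attribute: authorization is activated by default.
 public class RequiresAuthController2 : ControllerBase
 {
 }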
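
As an added example (not code from the original post): a minimal Program.cs that makes authentication global through a fallback authorization policy and, at startup, logs every route carrying [AllowAnonymous] so the exclusions stay reviewable. It assumes a .NET 6+ web project with implicit usings; the cookie scheme, routes and action bodies are assumptions standing in for the AAD setup the connected service generates.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// Assumption: a cookie scheme stands in for the AAD sign-in the connected service configures.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();

// Every endpoint without its own authorization metadata requires a signed-in user.
builder.Services.AddAuthorization(options =>
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build());

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

// Startup audit: list every route that opts out of authentication.
var anonymousRoutes = ((IEndpointRouteBuilder)app).DataSources
    .SelectMany(source => source.Endpoints)
    .OfType<RouteEndpoint>()
    .Where(endpoint => endpoint.Metadata.GetMetadata<IAllowAnonymous>() is not null)
    .Select(endpoint => endpoint.RoutePattern.RawText);
foreach (var route in anonymousRoutes)
    app.Logger.LogWarning("Anonymous endpoint: {Route}", route);

app.Run();

// [AllowAnonymous] on the class covers every action in it; an [Authorize]
// placed on one of its actions is ignored, so keep such controllers small.
[AllowAnonymous]
[ApiController, Route("anonymous")]
public class AnonymousController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok("no sign-in needed");
}

// No attribute: protected by the fallback policy above.
[ApiController, Route("secure")]
public class RequiresAuthController2 : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok(User.Identity?.Name);
}
```

With this sample the startup log contains a single warning for the `anonymous` route; any additional line appearing there after a code change is an endpoint that no longer requires a log-on.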