Authorization depends on routing. If you configure authorization per route, it is important that the correct route is matched. Otherwise you’ll end up with users having access to pages/endpoints they shouldn’t have access to. Also, attribute routing takes precedence over conventional routing, so adding a route attribute may bypass the configured authorization.

Configuring DefaultPolicy and/or FallbackPolicy can set a global authorization policy, so that anonymous access requires an explicit AllowAnonymous attribute.

As a side note, using the defaults parameter in MapAreaControllerRoute() lets you use type-safe parameters by calling nameof() instead of setting the defaults in the pattern parameter. Create an extension method or similar to remove the “Controller” part of the controller names.
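
The points above combined in one Program.cs, as an added example that is not code from the original page. It assumes a .NET 6+ web project with implicit usings and cookie authentication; the policy name AdminOnly, both controllers and WithoutControllerSuffix() are hypothetical names.

```csharp
// Program.cs: added example (hypothetical names, see lead-in).
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddAuthorization(options =>
{
    // Policy attached to the Admin area route below.
    options.AddPolicy("AdminOnly", p => p.RequireRole("Admin"));
    // Used for every endpoint that carries no authorization metadata of its own,
    // so an endpoint matched by an unexpected route still needs a signed-in user.
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
});

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// Defaults come from nameof() via the defaults parameter, not from the pattern string.
app.MapAreaControllerRoute("admin", "Admin", "Admin/{controller}/{action}/{id?}",
        defaults: new { controller = nameof(DashboardController).WithoutControllerSuffix(),
                        action = nameof(DashboardController.Index) })
    .RequireAuthorization("AdminOnly");
app.Run();

[Area("Admin")]
public class DashboardController : Controller
{
    public IActionResult Index() => Content("dashboard");
}

// Attribute-routed, so it is not reached through the "admin" conventional route and
// should not rely on that route's policy; the policy is restated on the controller.
[Area("Admin"), Route("Admin/reports"), Authorize(Policy = "AdminOnly")]
public class ReportsController : Controller
{
    public IActionResult Index() => Content("reports");
}

public static class ControllerNameExtensions
{
    // "DashboardController" -> "Dashboard"; other names are returned unchanged.
    public static string WithoutControllerSuffix(this string typeName) =>
        typeName.EndsWith("Controller", StringComparison.Ordinal) ? typeName[..^"Controller".Length] : typeName;
}
```

If the Authorize attribute on ReportsController were omitted, only the fallback policy would apply to it, which requires a signed-in user but not the Admin role.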