Authorize and AllowAnonymous meta data give different behaviour when they are applied on the controller

Tags: c#, asp.net-mvc

When I apply this code, with [Authorize] on the controller and [AllowAnonymous] on one of the action methods inside it, then all of the action methods will be authorized except the one that has the [AllowAnonymous] metadata on it. Obviously the action method metadata is overriding the metadata from the controller.

[Authorize]
public class HomeController : Controller
{

    public ActionResult About()
    {
        ViewBag.Message = "Your application description page.";

        return View();
    }

    [AllowAnonymous]
    public string Method1()
    {
        return "The secure method";
    }

}

But when I try the opposite, with [AllowAnonymous] on the controller and the [Authorize] metadata on the action method, then the action method with [Authorize] will NOT be authorized.

Why is the behaviour different?

[AllowAnonymous]
public class HomeController : Controller
{

    public ActionResult About()
    {
        ViewBag.Message = "Your application description page.";

        return View();
    }

    [Authorize]
    public string Method1()
    {
        return "The secure method";
    }

}

1 Answer

The [AllowAnonymous] attribute is specifically meant to whitelist a controller or action on a controller. It is intended to be used when you want to literally bypass authorization to allow anonymous access to a resource when your resource is restricted by the [Authorize] attribute applied to either a controller or globally for the entire web application.

This is described in the Microsoft docs for the AllowAnonymousAttribute:

Specifies that actions and controllers are skipped by AuthorizeAttribute during authorization.

This functionality is also noted on the docs for the AuthorizeAttribute under the Remarks section:

You can declare multiple AuthorizeAttribute per action. You can also use AllowAnonymousAttribute to disable authorization for a specific action.

So in both of the coding examples in your question, your action Method1 has the attribute applied on the action and the attribute inherited from the controller, so both of your examples are exactly the same as doing this:

[AllowAnonymous]
[Authorize]
public string Method1()
{
    return "The secure method";
}

As stated in the Microsoft docs, just having [AllowAnonymous] on that action specifies that the action is skipped by the AuthorizeAttribute, even though the Authorize attribute is declared on the action as well. This is due to what I was saying earlier: the intent of the [AllowAnonymous] attribute is to whitelist a resource and bypass authorization, so in both of your coding examples the [AllowAnonymous] attribute is working exactly as intended, allowing anonymous access to your action even if it was declared to be authorized as well.

Russell Jonakin answered Sep 21 '25 05:09
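The practical consequence of the answer above is that [AllowAnonymous] on a controller can never be narrowed back down by [Authorize] on one of its actions, so the secure layout is the other way round: deny by default, whitelist per action. The following is an added example written for this page (it is not code from the question, the answer, or Microsoft's documentation). The namespace name and the Ping action are assumptions made up for the example; AuthorizeAttribute, AllowAnonymousAttribute, HandleErrorAttribute and GlobalFilterCollection are the real ASP.NET MVC 5 types.

```csharp
// Added example, not part of the original question or answer.
// Shows the "deny by default" layout for ASP.NET MVC 5: [Authorize] is
// applied globally (it could equally be applied on the controller), and
// [AllowAnonymous] opens up only the actions that are meant to be public.
using System.Web.Mvc;

namespace AttributeDemo   // hypothetical namespace, chosen for this example
{
    // Step 1: make [Authorize] the default for every action in the application.
    // This class is what Application_Start calls via
    // FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters).
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // Every action now requires an authenticated user unless it
            // (or its controller) carries [AllowAnonymous].
            filters.Add(new AuthorizeAttribute());
        }
    }

    // Step 2: whitelist the public actions one by one. Note that there is
    // deliberately NO [AllowAnonymous] on the controller: putting it there
    // would skip authorization for every action, including Method1 below,
    // regardless of any [Authorize] on the action itself.
    public class HomeController : Controller
    {
        // Inherits the global [Authorize]: anonymous callers get the
        // unauthorized response (a login redirect under forms authentication).
        public ActionResult About()
        {
            ViewBag.Message = "Your application description page.";
            return View();
        }

        // Explicit whitelist entry: this single action skips authorization.
        // Hypothetical action added for the example.
        [AllowAnonymous]
        public string Ping()
        {
            return "public";
        }

        // Narrowing further than the global default still works, because
        // multiple AuthorizeAttributes on one action all have to pass:
        // the caller must be authenticated (global filter) AND be in the
        // Admin role (this attribute).
        [Authorize(Roles = "Admin")]
        public string Method1()
        {
            return "The secure method";
        }
    }
}
```

The asymmetry comes from how AuthorizeAttribute.OnAuthorization is written: it first looks for AllowAnonymousAttribute on the action descriptor and on its controller descriptor and returns without checking the user if either has it, so [AllowAnonymous] at any level wins over [Authorize] at any level. Authorize attributes, by contrast, accumulate. That is why the only safe direction is the one shown here: restrict broadly, then exempt narrowly.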