Dec 02, 2019 06:01 PM|bruce (sqlwork.com)
The authorization attribute by default just says not authorized, then always redirects to the login process (in your case a 401). To get the behavior you want, if the user is authenticated but fails authorization, this is typically treated as a forbidden error (403). This behavior has to be enabled in Web API. In ASP.NET Core, this is enabled via a policy.
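
One way to get the 401/403 split described above in ASP.NET Web API 2, as an added example that is not part of the original post: override `HandleUnauthorizedRequest` so an authenticated caller who fails authorization gets 403 while an unauthenticated caller still gets 401. The attribute name, controller and role are hypothetical.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical attribute name; derives from the Web API 2 AuthorizeAttribute.
public sealed class ForbidAuthenticatedAttribute : AuthorizeAttribute
{
    // Called by the base class after IsAuthorized() returns false.
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal;
        bool authenticated = principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated;

        if (authenticated)
        {
            // Identity is known but lacks the required role/user: 403.
            // Re-authenticating will not help, so the client is not sent to login.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden,
                "Authenticated, but not permitted to access this resource.");
            return;
        }

        // No valid credentials: keep the default 401 so the client authenticates.
        base.HandleUnauthorizedRequest(actionContext);
    }
}

// Constructed usage: "Admin" is a sample role name.
public class ReportsController : ApiController
{
    [ForbidAuthenticated(Roles = "Admin")]
    public IHttpActionResult Get()
    {
        return Ok("admin-only data");
    }
}
```

Keeping the two codes distinct also helps log review: a run of 403s for one identity indicates a known user probing resources outside their role, while 401s indicate missing or invalid credentials.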