I have this strange situation and not sure what exactly is happening.
I have a content api which makes use of Oauth. We have visitor groups set up in applicaiton based on incoming claims. Everything is fine as long as I have Authenticated option checked in permissions.
If I remove the authentictated option and apply the visitor groups on the page, I start getting access denied. This is what I have in the config file
<add name="contentapiread" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="Authenticated" mode="Any" />
Below is the code setup.
I have also verified that right claims are coming back for visitor group to apply because same thing works directly in the application. Issue seems to be only when trying to fetch a page through content api.
Any inputs is much appreciated.
Found this eventually that the config forces Authenticated Roles to be mandatory on content to be accessed.
SetRequiredRoles(null) was the solution to have it working. Just in case if anyone needs.