If you have errors during authentication it can throw exceptions. In Production these are caught by app.UseExceptionHandler("/Home/Error"); and re-executed. However, Home/Error requires Authorization and you get stuck in an infinite loop.
https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/OrganizationalAuth/Single/NoRead/Startup.cs
https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/OrganizationalAuth/Common/Controllers/HomeController.cs

@blowdart

Hmm, I wonder if it's worth overriding the authorize attribute on whatever the exception handler route is, even if you have set it.

Should we just set AllowAnonymous on the Error Action on the controller?