Without RequireAuthenticatedUser() in the policy, an unauthenticated
request reaches PermissionVerbHandler, finds no roles, and fails the
requirement — which ASP.NET classifies as FailedRequirements and turns
into a 403 Forbid. The OIDC acceptance tests expect 401 Challenge
(Should_reject_requests_without_bearer_token, ..._with_invalid/expired
/wrong_audience/wrong_issuer). Adding the auth requirement first ensures
the failure is classified as FailedAuthentication when no valid
principal is present.

The Primary, Audit, and Monitoring acceptance-test runners called
AddServiceControlAuthentication but not AddServiceControlAuthorization,
while production RunCommand wires both. Without the authorization
provider, ASP.NET cannot resolve the policy names emitted by the
Permissions catalogue and any request to a controller carrying
[Authorize(Policy = Permissions.X)] throws "AuthorizationPolicy named
'...' was not found" — which breaks the test hosts and times out the
audit acceptance tests that exercise authorized endpoints.

Should_accept_requests_with_valid_bearer_token previously passed in CI
by accident: AddServiceControlAuthorization was missing from the test
runners, so the policy provider could not resolve the [Authorize] policy
name and threw, returning 500 — which the assertion "not 401 and not
403" accepted. With the policy provider now wired up, a valid token
without any role claim correctly fails the permission requirement and
returns 403. The test must therefore supply the canonical "roles" claim
with a value that maps to a role granting the endpoint's permission.

"reader" grants every *:*:view permission, which covers the endpoints
the three acceptance-test variants exercise (error:messages:view,
audit:message:view, monitoring:endpoint:view).

The PlatformSampleSettings approval tests in SC, Audit, and Monitoring
unit-test projects serialise the settings object and diff it against an
approved JSON snapshot. The earlier Authentication.RolesClaim addition
needs the snapshots updated to include the new property.