AuthorizeAttribute contains code that checks for the existence of AllowAnonymousAttribute, which allows holes to be punched into an otherwise fully protected controller. However, this hard coupling makes it difficult to create additional functionality.
For an example as to why this functionality would be useful, please see this post:
I would like to be able to combine my proposed AnonymousOnlyAttribute with the functionality of AllowAnonymousAttribute, but cannot do it without subclassing AllowAnonymousAttribute.
The ideal solution would be for me to 'implement' the empty IAllowAnonymous interface. Then, if AuthorizeAttribute checked for this interface during the skipAuthorization stage, it would allow more flexibility, and it would remove the need for me to include both the AllowAnonymous and AnonymousOnly attributes. (After all, AnonymousOnly kind of assumes AllowAnonymous!)
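
A sketch of the interface-based check proposed above, as an added example that is not part of the original post or of ASP.NET MVC itself. It assumes System.Web.Mvc; `IAllowAnonymous` and `AnonymousOnlyAttribute` take their names from the post, while `MarkerAwareAuthorizeAttribute` and the 403 response for signed-in users are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

// Hypothetical marker interface from the proposal; it does not exist in the framework.
public interface IAllowAnonymous { }

// Hypothetical attribute: assumed here to reject callers who are already signed in.
// Implementing the marker replaces the need for a separate [AllowAnonymous].
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AnonymousOnlyAttribute : FilterAttribute, IAuthorizationFilter, IAllowAnonymous
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403); // assumed response
    }
}

// Hypothetical subclass standing in for the change requested of AuthorizeAttribute:
// the skip decision looks for the interface rather than one concrete attribute type.
public class MarkerAwareAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        var action = filterContext.ActionDescriptor;
        bool skipAuthorization =
            HasMarker(action.GetCustomAttributes(true)) ||
            HasMarker(action.ControllerDescriptor.GetCustomAttributes(true));
        if (skipAuthorization) return;        // marker found: leave the request alone
        base.OnAuthorization(filterContext);  // otherwise the stock authorization runs
    }

    private static bool HasMarker(object[] attributes)
    {
        return attributes.OfType<IAllowAnonymous>().Any();
    }
}
```

With a marker interface, every attribute that implements it opens the same hole in a protected controller, so implementations of `IAllowAnonymous` deserve the same review as uses of `[AllowAnonymous]`.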