Authentication and guest

I’m trying to create an API which allows authenticated user and guest (with some conditions).
The behavior function is defined as follows (psuedo code):

function behaviors() {
return [
    'access'    => [
        'class' => AccessControl::className(),
        'rules' => [
            [
                'allow' => true,
                'roles' => ['?'],
                'matchCallback' => function($rule, $action)  {
                    return someCondition();
                },
            ],
            [
                'allow' => true,
                'roles' => ['@'],
            ]
        ],
    ],
    'auth' => [
        'class' => CompositeAuth::className(),
        'authMethods' => [
            HttpBasicAuth::className(),
            SSOAuth::className(), // customized auth to check SSO login
        ],
    ],
]
}

If there’s just the ‘access’ in behaviors function, it works as intended. But when ‘auth’ is added to behaviors, it returns 401.
What should be the correct way to allow Guest access?