Middleware Being Used on Route Where It Isn't Specified?

I have the following router:

            entryPoints = ["https"]
            rule = "Host(`ipam.example.com`)"
            service = "ipam"

and this is the SSO middleware I used for all other routes:

            address = "https://auth.example.com/api/verify?rd=https://auth.example.com"
            authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name"]
            trustForwardHeader = true

Despite the fact that the middleware isn't specified on the route, the following happens:

Is there a misconfiguration somewhere in there causing non-browser requests to use the middleware?