My card is rendering in Outlook but HTTP action does not appear to call working Web API endpoint

[t0mgerman]

I have a card with an approval action button like this:

{
    "method": "POST",
    "url": "https://<myURL>.zapto.org:5001/api/actions/approve",
    "headers": [
        {
            "name": "Authorization",
            "value": ""
        },
        {
            "name": "Content-Type",
            "value": "application/json"
        }
    ],
    "body": "{ \"BookingId\" : \"103\" }",
    "title": "Approve",
    "isPrimary": false,
    "type": "Action.Http",
    "style": "positive"
},

I have the URL registered in the Email Developer Dashboard, and I am testing sending self-to-self.

The application that should be getting hit is an ASP .NET Core app using Microsoft Identity / Azure AD, so I wasn't sure whether I needed to be setting the Authorization header to a blank string there or not... I figured that my application actually uses the Authorization header for Auth to my own site/app, so it would be better to receive any identity info from Outlook via the alternative Action-Authorization header instead. I've got code ready-to-go for decoding that token/claims object once I receive it, and verifying that the actor clicking the button is who I expect it to be - but at the moment, the endpoint is just never hit at all.

This endpoint allows anonymous access and is configured for CORS, I can send a dummy request to this endpoint and hit my breakpoints just fine - so I know it's working in terms of my Web API...

My problem is that Outlook and Outlook for Web don't seem to trigger it. Am I doing something wrong? When the action button is pressed I can see this payload and response in developer tools:

Payload:

{
    "httpAction": {
        "type": "Action.Http",
        "url": "https://<MY URL>.zapto.org:5001/api/actions/approve",
        "body": "{ \"BookingId\" : \"103\" }",
        "method": "POST",
        "headers": [
            {
                "name": "Authorization"
            },
            {
                "name": "Content-Type",
                "value": "application/json"
            }
        ]
    },
    "inputParameters": [],
    "connectorSenderGuid": "5695b9fb-9a64-48cc-873a-425bd346c2e2",
    "SmtpAddressesSerialized": "{\"Sender\":\"<MY EMAIL HERE>\",\"To\":[\"<MY EMAIL HERE>\"]}",
    "adaptiveCardSignature": "<sig hash here>",
    "clientTelemetry": {
        "eventName": "SingleClickHttpPostActionClicked",
        "clientType": "WAC_Outlook_React",
        "clientVersion": "16.2022.1124.00708",
        "sessionId": "91d3d9ba-9191-46b0-bc6a-4d6b0bfd5b92",
        "physicalRing": "WW",
        "UserInfo.Id": "10032000C133A757",
        "UserInfo.PrimaryIdentityHash": "340f6603-919a-40db-972d-7dbc543324d9",
        "tenantGuid": "<OrgTenantID>",
        "clientId": "FC52790992B54F28A5E12B958140AE63",
        "correlationVector": "GMQw4hjRjFRP3+RxYsW6cy.553",
        "messageId": "AAMkAGExYmFlZTgyLTBmYmYtNDA4ZC1hMTIwLTZhMjQyZjdkZjJlMQBGAAAAAAC2tMtUp43VTKKkfW854X/yBwA5nsbdtrxnRqETUmxc9618AAAACAvTAADKLywjeJH4QaWtJN+SqVPqAAHvFoR7AAA=",
        "mailboxType": "UserMailbox",
        "conversationId": "AAQkAGExYmFlZTgyLTBmYmYtNDA4ZC1hMTIwLTZhMjQyZjdkZjJlMQAQAG5qkZ8fdzBKgYw13nnQilo=",
        "messageType": "adaptiveCard",
        "connectorSenderGuid": "5695b9fb-9a64-48cc-873a-425bd346c2e2",
        "oamAppName": "<MyAppName>",
        "forest": "GBRP265",
        "messageCardContext": {
            "correlationId": "9678f595-f67c-4bdd-b05d-f25f2d8de869",
            "messageCardSource": "AdaptiveCard",
            "oamAppName": "<MyAppName>",
            "messageCardStampingSource": "TEE",
            "isBodyHidden": false,
            "stampingCorrelationVector": "rpWlq8CaH0Kb6+PiuV0TRg.1"
        }
    },
    "adaptiveCardHash": "iHNV7afMK+0+IrH8GoR/PQa6f9U9965mKSSwKvpTbIM="
}

Response

{
    "refreshCardSerialized": null,
    "refreshCardSignature": null,
    "status": "Failed",
    "displayMessage": "Could not complete the requested action. Please try again later.",
    "hideCard": false,
    "removeCard": false,
    "showOriginalCard": false,
    "isEphemeralRefreshCard": false,
    "cardUpdates": null,
    "authenticationUrl": null,
    "errors": [
        {
            "httpCode": 0,
            "httpStatusCode": null,
            "claims": null,
            "url": null,
            "message": "Could not complete the requested action. Please try again later."
        }
    ]
}

In the Outlook Actionable Message Debugger I can see this additional information under diagnostics:

{
   "CardEnabledForMessage": true,
   "ClientName": "OutlookWebApp",
   "ClientVersion": "20221124007.08",
   "InternetMessageId": "<MESSAGE ID HERE>",
   "EntityExtractionSuccess": true,
   "SignedAdaptiveCard": true,
   "MessageCardPayload": {
      "found": false,
      "type": null
   },
   "AuthHeader": {
      "results": "spf=fail (sender IP is <MY IP>) smtp.mailfrom=<OUR DOMAIN>; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=<OUR DOMAIN>;",
      "authAs": "Internal"
   }
}

Any help most appreciated!

Tom