This question is mostly a duplicate of this one, but that was asked and answered in 2013 and the accepted answer recommends using MADAM, a project which hasn't been updated since 2012 and which I'm therefore not keen to implement in my solution.
I have an ASP.NET Web Api 2 project which includes an endpoint that returns an iCalendar:
    [Authorize(Roles = "Staff")]
    [HttpGet]
    [Route("ical/{staffUsername}")]
    public HttpResponseMessage GetStaffICalendar(string staffUsername)
    {
        string calendarString = ICalendarService.GetICalendarForStaffMember(staffUsername);
        HttpResponseMessage response = Request.CreateResponse(HttpStatusCode.OK);
        // Return the calendar body with the text/calendar media type
        response.Content = new StringContent(calendarString, System.Text.Encoding.UTF8, "text/calendar");
        return response;
    }
This works just fine without the Authorize attribute on the method - I'm able to open and subscribe to the calendar in Outlook 2016 - but I want users subscribing to the iCalendar to, at the very least, belong to the "Staff" role. Ideally it'd only work if the username passed in the URL matched the username of the authenticated user (i.e. you could only subscribe to your own iCalendar), but restricting authorization to people in the "Staff" role would be sufficient.
With the Authorization attribute decorating the method, if I attempt to add the iCalendar to Outlook I get prompted for my username and password (good) but whatever variation of my username I enter (username only, domain\username, username@domain) authentication always fails (bad). This happens even if I remove the role from the attribute - i.e. [Authorize] instead of [Authorize(Roles = "Staff")].
How can I implement authentication for my Web Api 2 endpoint that will work with Outlook?
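One way to express the "only your own iCalendar" rule from the question as a Web API 2 authorization filter; this is an added example, not code from the original post. The class name OwnStaffCalendarAttribute and the single-domain name normalization are assumptions, and it covers authorization only: it relies on whatever authentication scheme is configured to populate the request principal.

```csharp
using System;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical attribute (name is an assumption, not from the post).
// Use as [OwnStaffCalendar] in place of [Authorize(Roles = "Staff")].
public class OwnStaffCalendarAttribute : AuthorizeAttribute
{
    public OwnStaffCalendarAttribute()
    {
        Roles = "Staff"; // role check is still done by the base class
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Authenticated and in the Staff role?
        if (!base.IsAuthorized(actionContext))
            return false;

        // {staffUsername} from the route template; model binding has not run yet,
        // so read it from route data rather than from ActionArguments.
        object requested;
        if (!actionContext.ControllerContext.RouteData.Values
                .TryGetValue("staffUsername", out requested))
            return false;

        string caller = actionContext.RequestContext.Principal.Identity.Name;
        return IsSameAccount(caller, requested as string);
    }

    // Assumption: one trusted domain, so DOMAIN\user and user@domain both
    // reduce to "user". With several domains, compare the qualified name.
    public static bool IsSameAccount(string identityName, string requested)
    {
        if (string.IsNullOrEmpty(identityName) || string.IsNullOrEmpty(requested))
            return false;
        return string.Equals(BareName(identityName), requested.Trim(),
                             StringComparison.OrdinalIgnoreCase);
    }

    private static string BareName(string name)
    {
        int slash = name.LastIndexOf('\\');
        if (slash >= 0) name = name.Substring(slash + 1);
        int at = name.IndexOf('@');
        return at > 0 ? name.Substring(0, at) : name;
    }
}
```

A failed check is handled by the base class's HandleUnauthorizedRequest, which responds with 401, so a staff member requesting someone else's calendar is rejected the same way as an unauthenticated caller.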