WebProxy doesn't initialize credentials from the Proxy URL UserInfo

[itbencn]

Description

In #123217, the original issue was that HttpClient did not support the socks5h proxy scheme, which was fixed via PR #123218. However, during the follow-up discussion, a new issue was discovered:

When proxy credentials are embedded directly in the WebProxy URL (e.g. socks5://username:password@ip:port), the SOCKS server returns error code 0x02 (connection not allowed). In contrast, setting credentials separately via handler.Proxy.Credentials = new NetworkCredential(...) works correctly.

Root issue: WebProxy does not appear to correctly extract and pass the credentials embedded in a socks5://username:password@ip:port URL to the SOCKS5 authentication flow, resulting in proxy authentication failure.

Reproduction Steps

Fails — credentials embedded in URL:

using var handler = new SocketsHttpHandler();
handler.Proxy = new WebProxy("socks5://username:password@ip:port");
using HttpClient client = new HttpClient(handler);
var response = await client.GetStringAsync("http://ifconfig.me/ip");

Works — credentials set via Credentials property:

using var handler = new SocketsHttpHandler();
handler.Proxy = new WebProxy("socks5://ip:port");
handler.Proxy.Credentials = new NetworkCredential("username", "password");
using HttpClient client = new HttpClient(handler);
var response = await client.GetStringAsync("http://ifconfig.me/ip");

Expected behavior

Both approaches should complete the request successfully. WebProxy should correctly parse the username and password embedded in the URL and use them for SOCKS5 proxy authentication.

Actual behavior

When credentials are embedded in the URL, an exception is thrown:

An error occurred while establishing a connection to the proxy tunnel.
SOCKS server failed to connect to the destination. Received error code 0x02.

Setting credentials via the Credentials property works as expected.

Regression?

No response

Known Workarounds

SOCKS5 error code 0x02 means "connection not allowed by ruleset", which typically indicates authentication failure or insufficient permissions. Given that setting credentials via the Credentials property works correctly, this confirms the issue lies in how WebProxy parses and passes credentials embedded in the URL.

Possible root causes:

1. The WebProxy constructor does not extract username:password from socks5://username:password@ip:port into its Credentials property
2. Or the SOCKS5 connection handler does not check the userinfo embedded in the WebProxy URL when retrieving proxy credentials

Configuration

No response

Other information

It is worth noting that in widely-used third-party libraries such as libcurl, when a connection is configured via a full proxy URI (e.g. socks5://user:pass@host:port), the library automatically parses the userinfo component from the URI and uses it for proxy authentication. This is standard practice across the industry. The .NET WebProxy does not follow this convention when handling SOCKS5 proxy URIs, which is inconsistent with developer expectations.

[dotnet-policy-service]

Tagging subscribers to this area: @karelz, @dotnet/ncl
See info in area-owners.md if you want to be subscribed.