Changing KnownNetworks.Clear() to KnownIPNetworks.Clear() breaks forwarded headers

[jamesgurung]

I am using this code very early in the pipeline to forward headers when running my container in Azure App Service. Since updating to .NET 10 RC1, it produces an ASPDEPR005 warning "Obsolete, please use ForwardedHeadersOptions.KnownIPNetworks instead" as announced.

builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
  o.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedFor;
  o.KnownNetworks.Clear();
  o.KnownProxies.Clear();
});

However, if I follow the instructions in the warning and swap o.KnownNetworks.Clear() to o.KnownIPNetworks.Clear():

builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
  o.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedFor;
  o.KnownIPNetworks.Clear();
  o.KnownProxies.Clear();
});

Then this breaks my OIDC auth flow because the callback URL is incorrectly set as http://mywebsite.com/signin-microsoft instead of https://mywebsite.com/signin-microsoft (note HTTP scheme).

Here is the auth code:

builder.Services
  .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
  .AddCookie()
  .AddOpenIdConnect("Microsoft", o =>
  {
    o.ClientId = builder.Configuration["MicrosoftClientId"];
    o.ClientSecret = builder.Configuration["MicrosoftClientSecret"];
    o.Authority = "https://login.microsoftonline.com/organizations/v2.0";
    o.CallbackPath = "/signin-microsoft";
    o.ResponseType = OpenIdConnectResponseType.Code;
  });

.NET version: 10.0.100-rc.1.25451.107

[martinalderson]

also seeing this. in preview7 clearing knownnetworks and knownproxies works.

in rc1, this no longer works. changing it to KnownIPNetworks.Clear() also doesn't work, leading to the exact same problem as op.

fwiw i think this should have been listed in the release notes. loads of our e2e tests started failing and it was difficult to figure what had went wrong.

[joperezr]

Thanks for the report @jamesgurung. Putting this on our RC2 milestone to take a further look.

[sebastienros]

@jamesgurung could you try to repro the issue while using KnownNetworks.Clear() and ignoring the obsolete warning/error? I would like to confirm that it's actually coming from a broken behavior instead of just switching methods as @martinalderson is suggesting.

These types are aliases and this should not be different. I'll continue investigating in the meantime.

[sebastienros]

I think I understand the breaking change that happened during the obsoletion. This might be mitigated by clearing both collections (and ignoring the diagnostic with #pragma warning disable ASPDEPR005).

[martinalderson]

yes i can confirm that clearing both works! @sebastienros

[jamesgurung]

I think I understand the breaking change that happened during the obsoletion. This might be mitigated by clearing both collections (and ignoring the diagnostic with #pragma warning disable ASPDEPR005).

Yes sorry, I should have said; this is exactly what I'm doing and it works.

[markhotchkiss]

Hello everyone :) I appear to have the same issue as the OP. I have almost identical code (below). I have tried changing from KnownNetworks to KnownIPNetworks and this doesnt work, my app still redirects to http instead of https. I am running my app in Azure App Container for reference.

builder.Services.Configure<ForwardedHeadersOptions>(o =>
            {
                o.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;
#pragma warning disable ASPDEPR005
                o.KnownNetworks.Clear();
                o.KnownProxies.Clear();
            });

Can you clarify what you mean by

I think I understand the breaking change that happened during the obsoletion. This might be mitigated by clearing both collections (and ignoring the diagnostic with #pragma warning disable ASPDEPR005).

[jamesgurung]

@markhotchkiss Clearing both KnownNetworks and KnownIPNetworks seems to work:

builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
  o.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;
#pragma warning disable ASPDEPR005
  o.KnownNetworks.Clear();
#pragma warning restore ASPDEPR005
  o.KnownIPNetworks.Clear();
  o.KnownProxies.Clear();
});

[sebastienros]

I created a PR to fix this issue.
#63658