@Diasker Diasker commented Mar 8, 2025

Fix rootPath duplication in OIDC callback URLs

Fixes #21857
Fixes #20790
Fixes #12195

Checklist

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note)
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Fixes [ISSUE #]" in the description to automatically close the associated issues
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them (N/A - this is a bug fix)
  • Does this PR require documentation updates? (No)
  • I've updated documentation as required by this PR (N/A - no documentation updates needed)
  • I have signed off all my commits as required by DCO
  • I have written unit tests for my change
  • My build is green
  • My new feature complies with the feature status guidelines (N/A - this is a bug fix)
  • I have added a brief description of why this PR is necessary and what this PR solves
  • Optional. My organization is added to USERS.md
  • Optional. For bug fixes, this fix should be cherry-picked into v2.8, v2.9, and v2.10 releases as it affects OIDC authentication functionality

Problem Description

When ArgoCD is configured with a rootPath, there is an issue where the rootPath appears duplicated in OIDC authentication callback URLs. For example, when rootPath is set to /argocd, the callback URL becomes https://example.com/argocd/argocd/..., causing authentication to fail and preventing users from successfully logging in.

Note that the /argocd segment appears twice in the URL. This causes the authentication callback to fail, preventing users from successfully logging in.

This issue has been reported in multiple tickets:

Root Cause Analysis

After reviewing the code, I identified two functions in server.go that contribute to this issue:

  1. withRootPath function: When rootPath is empty, it still creates an http.ServeMux and processes the path, instead of directly returning the original handler.

  2. newRedirectServer function: When constructing the server address and handling redirect URLs, it doesn't properly handle the empty rootPath case, which can lead to rootPath being added multiple times in certain scenarios.

Fix Implementation

I've made the following changes to server.go:

  1. Modified the withRootPath function to add handling for empty rootPath.
  2. Modified the newRedirectServer function to improve address construction logic.

These changes ensure that rootPath is handled correctly in URL processing, preventing the path duplication issue.

Testing Validation

I've validated the fix through the following methods:

  1. Unit Testing:

    • I've added unit tests in server/rootpath_test.go to verify the fix.
    • Tests cover scenarios with and without rootPath, as well as cases with rootPath duplication.
    • All tests pass, confirming the effectiveness of the fix.

    Here are the test results:

    === RUN   TestWithRootPathEmptyRootPath
    --- PASS: TestWithRootPathEmptyRootPath (0.00s)
    === RUN   TestWithRootPathNonEmptyRootPath
    --- PASS: TestWithRootPathNonEmptyRootPath (0.00s)
    === RUN   TestNewRedirectServerEmptyRootPath
    --- PASS: TestNewRedirectServerEmptyRootPath (0.00s)
    === RUN   TestNewRedirectServerNonEmptyRootPath
    --- PASS: TestNewRedirectServerNonEmptyRootPath (0.00s)
    === RUN   TestNewRedirectServerRootPathDuplication
    --- PASS: TestNewRedirectServerRootPathDuplication (0.00s)
    PASS
    

    The key test TestNewRedirectServerRootPathDuplication verifies that when a request path already contains the rootPath (e.g., /argocd/applications), the redirect URL correctly becomes https://example.com:8080/argocd/applications instead of the duplicated https://example.com:8080/argocd/argocd/applications.

  2. Building ArgoCD Image:

    • Successfully built an ArgoCD image with the fix (available at docker.io/fuckery/argocd:rootpath-fix)
    • The build process completed without any issues
  3. Deployment Testing:

    • Deployed an ArgoCD instance with the fix, configured with rootPath: /argocd
    • Verified that the UI is accessible
    • Verified that the OIDC login flow works correctly
    • Verified that the redirect URL after login does not contain duplicated rootPath
  4. Comparison Testing:

    • Compared behavior before and after the fix
    • Before: Redirect URL contained duplicated rootPath (/argocd/argocd/)
    • After: Redirect URL is correct, without duplicated rootPath (/argocd/)

Impact Scope

This fix only affects ArgoCD instances configured with a rootPath parameter, particularly when using OIDC authentication. The fix does not impact other functionality or configurations.

Summary

This fix resolves the rootPath duplication issue in ArgoCD, allowing ArgoCD instances configured with rootPath to properly use OIDC authentication. The fix is minimal and focused, and has been validated through actual deployment testing.
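
The duplication and the guarded construction described in this PR, as an added Go example (not the PR's code and not Argo CD's server.go). The names naiveTarget, redirectTarget and locationFor are hypothetical, and example.com:8080 is the sample host from the test description above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// naiveTarget always prepends a non-empty rootPath, so a request path that
// already starts with it ends up with the segment twice.
func naiveTarget(host, rootPath, reqPath string) string {
	return "https://" + host + "/" + strings.Trim(rootPath, "/") + reqPath
}

// redirectTarget normalizes rootPath once and prepends it only when the
// path is not already under it, matching on a path-segment boundary.
func redirectTarget(host, rootPath, reqPath string) string {
	root := strings.Trim(rootPath, "/")
	target := "https://" + host
	if root == "" {
		return target + reqPath // "", "/" and "//" all mean no rootPath
	}
	prefix := "/" + root
	if reqPath == prefix || strings.HasPrefix(reqPath, prefix+"/") {
		return target + reqPath // already carries rootPath
	}
	return target + prefix + reqPath
}

// locationFor sends one constructed request through a redirect handler and
// returns the Location header it produced.
func locationFor(rootPath, reqPath string) string {
	h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		// req.URL.Path is only read here, never rewritten.
		http.Redirect(w, req, redirectTarget(req.Host, rootPath, req.URL.Path), http.StatusTemporaryRedirect)
	})
	req := httptest.NewRequest(http.MethodGet, "http://example.com:8080"+reqPath, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	fmt.Println(naiveTarget("example.com:8080", "/argocd", "/argocd/applications"))
	fmt.Println(locationFor("/argocd", "/argocd/applications"))
	fmt.Println(locationFor("/argocd", "/argocd-other/x"))
	fmt.Println(locationFor("/", "/applications"))
}
```
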

@Diasker Diasker requested a review from a team as a code owner March 8, 2025 01:51
codecov bot commented Mar 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (master@75cb7fc). Learn more about missing BASE report.
⚠️ Report is 702 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##             master   #22254   +/-   ##
=========================================
  Coverage          ?   55.82%           
=========================================
  Files             ?      342           
  Lines             ?    57231           
  Branches          ?        0           
=========================================
  Hits              ?    31952           
  Misses            ?    22636           
  Partials          ?     2643           

@Diasker Diasker changed the title from "fix: prevent rootpath duplication in OIDC redirect URLs, fixes #21857 #20790 #12195 #22238" to "fix: prevent rootpath duplication in OIDC redirect URLs, fixes #21857 #20790 #12195" Mar 8, 2025
server/server.go Outdated
if rootPath == "" {
addr = fmt.Sprintf("localhost:%d", port)
} else {
addr = fmt.Sprintf("localhost:%d/%s", port, strings.TrimRight(strings.TrimLeft(rootPath, "/"), "/"))
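Review bot: the rootPath == "" test at the top of this hunk runs on the untrimmed value, so a rootPath of "/" takes the else branch and yields "localhost:<port>/" with an empty path segment. Trim once with strings.Trim(rootPath, "/") before the check and branch on the trimmed result, so that "", "/" and "//" all take the no-rootPath branch.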
Contributor

Just use strings.Trim(...)

server/server.go Outdated
target := "https://" + req.Host
if rootPath != "" {
target += "/" + strings.TrimRight(strings.TrimLeft(rootPath, "/"), "/")
root := strings.TrimRight(strings.TrimLeft(rootPath, "/"), "/")
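Review bot: target on the first line of this hunk is built from req.Host, which comes from the client's request, so the host part of the URL assembled here is whatever the client sent, with rootPath then appended to it. If the server has a configured external URL, build target from that value, or compare req.Host against it before using it.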
Contributor

strings.Trim(...)

server/server.go Outdated
// Check if the request path already contains rootPath
// If so, remove rootPath from the request path
prefix := "/" + root
req.URL.Path = strings.TrimPrefix(req.URL.Path, prefix)
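Review bot: strings.TrimPrefix on the last line matches raw characters rather than path segments, so with root "argocd" a request for /argocd-other/x is rewritten to -other/x, which loses its leading slash and names a different resource. Strip only when req.URL.Path equals prefix or starts with prefix + "/", and keep the result in a local variable instead of assigning it back to req.URL.Path.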
Contributor

Maybe modify how target is updated instead? Modifying req.URL.Path may leave req in an inconsistent state.

Contributor Author

Thank you for your review and suggestions! I have made changes based on your feedback!

@andrii-korotkov-verkada andrii-korotkov-verkada added the ready-for-review An approver should give a final review and merge the PR label Mar 10, 2025
@github-project-automation github-project-automation bot moved this to Ready for final review in Argo CD Review Mar 10, 2025
Diasker commented Apr 10, 2025

Hi, I have the same problem. I am deploying with the Helm chart.

Deployed Chart version: 7.8.22 Deployed App version: v2.14.9

In version 2.14.9, the login phase is OK, but after that the root path is duplicated.

server.basehref: /argocd server.rootpath: '/argocd'

but it's redirecting after login https://localhost/argocd/argocd/applications

Hi there. As you see now, the reviewers might be busy and haven’t had time to merge the fix for this yet.

In the meantime, you can try applying the changes from my PR (if applicable) directly to your setup, or you can test the pre-built image I’ve shared: fuckery/argocd:rootpath-fix. This image includes the fix for the root path duplication issue.

Member

@agaudreault agaudreault left a comment

LGTM

@agaudreault agaudreault merged commit d4a20e4 into argoproj:master May 7, 2025
27 checks passed
@MoShaaban13
Hello, is this applied to the latest Docker image or just to this fuckery/argocd?

Diasker commented May 9, 2025

Hello, is this applied to the latest Docker image or just to this fuckery/argocd?

Sorry, I'm not sure about that. But I think they haven't built the latest image just now after merging my PR.

ranakan19 pushed a commit to ranakan19/argo-cd that referenced this pull request May 20, 2025
olivergondza pushed a commit to olivergondza/argo-cd that referenced this pull request May 20, 2025
@PandelisZ
For those also browsing:

Key highlights
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # If you encounter a redirect loop or are getting a 307 response code
    # then you need to force the nginx ingress to connect to the backend using HTTPS.
    #
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  rules:
  - host: argocd.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              name: https
  tls:
  - hosts:
    - argocd.example.com
    secretName: argocd-server-tls # as expected by argocd-server
