Pre-requisites

• I have double-checked my configuration
• I have tested with the :latest image tag (i.e. quay.io/argoproj/workflow-controller:latest) and can confirm the issue still exists on :latest. If not, I have explained why, in detail, in my description below.
• I have searched existing issues and could not find a match for this bug
• I'd like to contribute the fix myself (see contributing guide)

What happened? What did you expect to happen?

When using SSO Login and BASE_HREF, if a user starts with the Login path a successful login ends up in a 404 where the BASE_HREF is not taken into consideration.

Our services are behind an ingress, with the BASE_HREF configured to /[env]/[service] for each service to match the path in the ingress.
I.e. browsing the Workflows UI would be https:///test/argo-workflows.
If a user clicks the single sign-on button the auth flow ends up with a redirect to /workflows, which doesn't exist.
If I on the other hand login with a bearer token, I am redirected to /test/argo-workflows/workflows

Also, see the comments from #14668 (comment) and below.
ping @MasonM.

Version(s)

v3.7.1

Paste a minimal workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflow that uses private images.

not needed

Logs from the workflow controller

kubectl logs -n argo deploy/workflow-controller | grep ${workflow}

Logs from in your workflow's wait container

kubectl logs -n argo -c wait -l workflows.argoproj.io/workflow=${workflow},workflow.argoproj.io/phase!=Succeeded