argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Dex OIDC tokens are invalid when Argo has a custom rootpath #9533

Open AidanWenzel opened 2 years ago

AidanWenzel commented 2 years ago

Checklist:

Describe the bug

When Argo is using a custom --rootpath (e.g. /argocd) and using Dex for SSO, OIDC tokens created on successful login are immediately marked "invalid session: oidc: id token issued by a different provider ... expected /argo/api/dex got /api/dex".

To Reproduce

Deploy ArgoCD with a custom rootpath. Configure SSO login using dex.config. Example:

dex.config: |
    connectors:
    - config:
        redirectURI: https://www.mywebsite.com/argocd/api/dex/callback
        clientID: $argo-google-oidc-client:dex.google.clientID
        clientSecret: $argo-google-oidc-client:dex.google.clientSecret
        serviceAccountFilePath: /tmp/oidc/googleAuth.json
        adminEmail: admin@mycompany.com
      type: google
      id: google
      name: Google

Upon login you will be immediately logged out.

Expected behavior

I should be able to log in normally and access my groups information from my OIDC provider.

Version

argocd: v2.3.4+ac8b7df.dirty
  BuildDate: 2022-05-22T11:53:59Z
  GitCommit: ac8b7df9467ffcc0920b826c62c4b603a7bfed24
  GitTreeState: dirty
  GoVersion: go1.18.2
  Compiler: gc
  Platform: linux/amd64

Logs

argocd-dex-server logs

time="2022-05-27T19:33:55Z" level=info msg="Starting configmap/secret informers"
time="2022-05-27T19:33:55Z" level=info msg="Configmap/secret informer synced"
time="2022-05-27T19:33:55Z" level=info msg="0xc000697920 subscribed to settings updates"
time="2022-05-27T19:33:55Z" level=info msg="config issuer: https://www.mywebsite.com/argocd/api/dex"
time="2022-05-27T19:33:55Z" level=info msg="config storage: memory"
time="2022-05-27T19:33:55Z" level=info msg="config static client: Argo CD"
time="2022-05-27T19:33:55Z" level=info msg="config static client: Argo CD CLI"
time="2022-05-27T19:33:55Z" level=info msg="config connector: google"
time="2022-05-27T19:33:55Z" level=info msg="config skipping approval screen"
time="2022-05-27T19:33:55Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-05-27T19:33:55Z" level=info msg="keys expired, rotating"
time="2022-05-27T19:33:56Z" level=info msg="keys rotated, next rotation: 2022-05-28 01:33:56.011200193 +0000 UTC"
time="2022-05-27T19:33:56Z" level=info msg="listening (telemetry) on 0.0.0.0:5558"
time="2022-05-27T19:33:56Z" level=info msg="listening (http) on 0.0.0.0:5556"
time="2022-05-27T19:33:56Z" level=info msg="listening (grpc) on 0.0.0.0:5557"
time="2022-05-27T19:34:54Z" level=info msg="login successful: connector \"google\", username=\"<myusername>\", preferred_username=\"\", email=\"<me>@<companydomain>\", groups=[\"cloud-ops@<companydomain>\"]"

argocd-server logs

time="2022-05-27T19:34:53Z" level=info msg="Initializing OIDC provider (issuer: https://www.mywebsite.com/argocd/api/dex)"
time="2022-05-27T19:34:53Z" level=info msg="OIDC supported scopes: [openid email groups profile offline_access]"
time="2022-05-27T19:34:53Z" level=info msg="Performing authorization_code flow login: https://www.mywebsite.com/argocd/api/dex/auth?client_id=argo-cd&redirect_uri=https%3A%2F%2Fwww.mywebsite.com%2Fargocd%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups&state=XmKBTbIvAx"
time="2022-05-27T19:34:54Z" level=info msg="Callback: /auth/callback?code=oc5tvmx4ro5vabc123t6vgm7sd&state=XmKBTbIvAx"
time="2022-05-27T19:34:54Z" level=info msg="Web login successful. Claims: {\"at_hash\":\"B7K_zpiMRj6abc123KHbTA\",\"aud\":\"argo-cd\",\"c_hash\":\"fnKa2n--av01abc123tnOmNQ\",\"email\":\"<me>@<companydomain>\",\"email_verified\":true,\"exp\":161111116494,\"groups\":[\"cloud-ops@<companydomain>\"],\"iat\":16111110094,\"iss\":\"https://www.mywebsite.com/argocd/api/dex\",\"name\":\"My Name\",\"sub\":\"ChUxMTABC123zMDUyNjMyNTg4MzYSBmdvb2dsZQ\"}"
time="2022-05-27T19:34:55Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.claims=null grpc.request.content= grpc.service=version.VersionService grpc.start_time="2022-05-27T19:34:55Z" span.kind=server system=grpc
time="2022-05-27T19:34:55Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2022-05-27T19:34:55Z" grpc.time_ms=12.977 span.kind=server system=grpc
time="2022-05-27T19:34:55Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.claims=null grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2022-05-27T19:34:55Z" span.kind=server system=grpc
time="2022-05-27T19:34:55Z" level=info msg="Ignore status for CustomResourceDefinitions"
time="2022-05-27T19:34:55Z" level=info msg="Ignore '/spec/preserveUnknownFields' for CustomResourceDefinitions"
time="2022-05-27T19:34:55Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2022-05-27T19:34:55Z" grpc.time_ms=8.686 span.kind=server system=grpc
time="2022-05-27T19:34:55Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.claims=null grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2022-05-27T19:34:55Z" span.kind=server system=grpc
time="2022-05-27T19:34:55Z" level=info msg="Ignore status for CustomResourceDefinitions"
time="2022-05-27T19:34:55Z" level=info msg="Ignore '/spec/preserveUnknownFields' for CustomResourceDefinitions"
time="2022-05-27T19:34:55Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2022-05-27T19:34:55Z" grpc.time_ms=7.476 span.kind=server system=grpc
time="2022-05-27T19:34:55Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = invalid session: oidc: id token issued by a different provider, expected \"https://www.mywebsite.com/argocd/api/dex\" got \"https://www.mywebsite.com/api/dex\"" grpc.code=Unauthenticated grpc.method=List grpc.service=application.ApplicationService grpc.start_time="2022-05-27T19:34:55Z" grpc.time_ms=3.433 span.kind=server system=grpc
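The issuer check that rejects the session in the last log line above, as an added example (not Argo CD's or Dex's code): it assumes, from the logs, that the Dex issuer is formed as external URL + --rootpath + /api/dex, so an empty rootpath yields the "/api/dex" form the server received. DexIssuer, ParseIssuer, CheckIssuer and UnsignedToken are hypothetical helpers written for this example; the token is a constructed, unsigned sample.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// DexIssuer builds the issuer seen in the issue's logs: external URL, then
// --rootpath, then /api/dex. Example helper written here, not Argo CD code.
func DexIssuer(externalURL, rootPath string) string {
	return strings.TrimRight(externalURL, "/") + path.Join("/", rootPath, "api", "dex")
}

// ParseIssuer decodes a compact JWT's payload segment and returns iss without
// verifying the signature; a real verifier checks that against the JWKS first.
func ParseIssuer(rawJWT string) (string, error) {
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("oidc: malformed jwt, got %d segments", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c struct{ Iss string `json:"iss"` }
	err = json.Unmarshal(payload, &c)
	return c.Iss, err
}

// CheckIssuer is the check that fires in the issue: iss must match the
// configured issuer byte for byte, or the token is treated as foreign.
func CheckIssuer(iss, expected string) error {
	if iss != expected {
		return fmt.Errorf("oidc: id token issued by a different provider, expected %q got %q", expected, iss)
	}
	return nil
}

// UnsignedToken builds a constructed alg=none token for this demo only.
func UnsignedToken(iss string) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none"}) + "." + enc(map[string]string{"iss": iss}) + "."
}

func main() {
	iss, _ := ParseIssuer(UnsignedToken("https://www.mywebsite.com/api/dex")) // iss the server received
	fmt.Println(CheckIssuer(iss, DexIssuer("https://www.mywebsite.com", "/argocd")))
}
```

Running it reproduces the mismatch error from the log; passing "" as rootPath to DexIssuer shows how the two URLs collapse to the same value when the rootpath is not applied.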

alecgerona commented 1 year ago

Weird that this works for Dex Google though. We're also using a custom rootpath.