[FEATURE] Make security nextUrl comply with workspace #2069
Comments
@derek-ho Would you mind taking a look at this issue? Workspace team will do the code change, just want your input on this.
[Triage] Hi @SuZhou-Joe, thanks for filing this issue. Sounds like @derek-ho is going to take a look at this. Will mark as triaged.
@SuZhou-Joe can you provide some more context on what could be the possible values of workspace id? @cwperks recently made a fix in this PR: https://github.com/opensearch-project/security-dashboards-plugin/pull/2048/files which adds some validation on what nextUrl could be, so we would want to double check that.
Hi @derek-ho I took a look at the validation and the newly added workspace prefix should be able to pass the validation. For the id generation logic, you can find that in: https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/src/plugins/workspace/server/utils.ts#L29 . And possible value for nextUrl will be like
The validation is compatible with these new routes. There are 2 scenarios that need to be tested on logout to ensure the nextUrl is computed accurately.
For both autologout and explicit logout, it should work across all authentication types.
@cwperks Thanks for pointing that out, but actually the issue should only happen when
Is your feature request related to a problem?
Since 2.14 we introduced workspace, and when a user enters a workspace, the deep link will become like http://localhost:5601${basePath}/w/${workspaceId}/app/workspace_detail . And if the user's authentication status has expired, the security plugin will redirect the user to the login page with a url like http://localhost:5601${basePath}/app/login?nextUrl=/app/workspace_detail , and the workspaceId info will be erased, as in core we rewrite the path to keep existing APIs working.
What solution would you like?
OSD core provides a function to handle all kinds of prefix prepending work, and the security plugin uses the function provided by core to generate the nextUrl, for example,
http://localhost:5601${basePath}/app/login?nextUrl=/w/${workspaceId}/app/workspace_detail
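The behaviour requested in this issue, as an added example that is not code from security-dashboards-plugin or OpenSearch Dashboards core: nextUrl is computed from the path the browser originally requested (before core strips the workspace prefix), and it is accepted only if it is still a local path once the base path has been removed. The function names, the base path `/base` and the workspace id `abc123` are assumptions made for illustration.

```typescript
// Added example: hypothetical helpers, not the plugin's or core's own API.

// Accept only same-origin relative paths: exactly one leading slash, no
// scheme-relative "//host", no backslash (some browsers normalise "\" to "/"),
// and no control characters.
function isLocalPath(path: string): boolean {
  if (path.charAt(0) !== "/" || path.charAt(1) === "/") return false;
  if (path.indexOf("\\") !== -1) return false;
  return !/[\u0000-\u001f\u007f]/.test(path);
}

// Remove the configured basePath so that nextUrl is relative to it.
function stripBasePath(path: string, basePath: string): string {
  if (basePath !== "" && (path === basePath || path.indexOf(basePath + "/") === 0)) {
    return path.slice(basePath.length) || "/";
  }
  return path;
}

// originalPath is the path as requested by the browser, e.g.
// "/base/w/abc123/app/workspace_detail". Passing the path after core's rewrite
// ("/base/app/workspace_detail") is what loses the workspace id.
// Validation runs AFTER stripping, because stripping can expose a leading "//".
function computeNextUrl(originalPath: string, basePath: string): string {
  const relative = stripBasePath(originalPath, basePath);
  return isLocalPath(relative) ? relative : "/";
}

// Percent-encode nextUrl so it is carried as a single query value.
function buildLoginRedirect(originalPath: string, basePath: string): string {
  const nextUrl = computeNextUrl(originalPath, basePath);
  return `${basePath}/app/login?nextUrl=${encodeURIComponent(nextUrl)}`;
}

// Constructed sample inputs.
console.log(computeNextUrl("/base/w/abc123/app/workspace_detail", "/base"));
console.log(computeNextUrl("/base/app/workspace_detail", "/base"));
console.log(buildLoginRedirect("/base/w/abc123/app/workspace_detail", "/base"));
```
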