https://localhost:3001 no longer supported with ArcGIS Online

1191
8
12-03-2021 10:41 AM
PeterKnoop
Regular Contributor

It seems that ArcGIS Online no longer permits you to use "localhost" as an Allowed Origin for CORS. So you cannot set https://localhost:3001 as an Allowed Origin, as required by Experience Builder.

The instructions in ArcGIS Experience Builder install, therefore, no longer work. When you get to Step #8 under "Create Client ID using ArcGIS Online or ArcGIS Enterprise", you cannot get past the error message, "Your application domain is not allowed via Cross-Origin Resource Sharing (CORS)..."

PeterKnoop_0-1638556430205.png

Instead of localhost, one has to set the fully-qualified domain name of their computer (e.g., http://mycomputer.mydomain:3001) as an Allowed Origin on your ArcGIS Online instance, and use it in place of https://localhost:3001 everywhere in the Experience Builder instructions.

Do the instructions need updating, or is there an easy way around this that I am missing?

 

 

 

0 Kudos
8 Replies
RobertScheitlin__GISP
MVP Esteemed Contributor

@PeterKnoop 

I personally never use localhost as a url in any development. You can ignore the .mydomain portion most likely (depending on a couple of factors, like is it required for you ssl certificate when using https). Just use your windows device name in place of localhost. If you are not sure what that is. In Windows 10 search for "This PC" right click and choose properties and it is listed as Device name.

0 Kudos
PeterKnoop
Regular Contributor

@RobertScheitlin__GISP The problem is that ArcGIS Online now expects a domain name for Allowed Origins: "Valid servers must at minimum consist of a domain name. They may also include a protocol (http:// or https://) if you wish to target a specific protocol. Valid servers may also include the port if needed. Servers must also conform to standard naming conventions for domain names." So a Device name will not work either.

0 Kudos
RobertScheitlin__GISP
MVP Esteemed Contributor

@PeterKnoop 

Sorry I have to disagree. I have EB working just fine using my device name in the redirect on AGOL.

0 Kudos
PeterKnoop
Regular Contributor

@RobertScheitlin__GISP Interesting... did you perhaps configure your setup awhile ago?

The current version of ArcGIS Online (9.3) no longer allows you to enter an Allowed Origin that only consists of a device name. It has to be a domain name or a fully-qualified machine name.

We did have localhost as an Allowed Origin in the past, when it was permitted by ArcGIS Online. It remained in our Allowed Origins list, even after ArcGIS Online changed the rules on what was allowed. After removing it from the list of Allowed Origins, however, the current version of ArcGIS Online no longer allows one to add it back.

0 Kudos
RobertScheitlin__GISP
MVP Esteemed Contributor

@PeterKnoop,

Strange. based on what you said I just tried to do the 

"Create Client ID using ArcGIS Online" steps from the EB install-guide and it still worked using https protocol and my machine name and port 3001...

Are you choosing "Other Application" as the application type when adding the new item in AGOL?

0 Kudos
PeterKnoop
Regular Contributor

@RobertScheitlin__GISP I think you may be looking at something different than what I am referring to?

Are you referring to the specifying the application's Redirect URI, in step #6 of the documentation for Create Client ID using ArcGIS Online or ArcGIS Enterprise? There are no validation rules on that field that prevent you from using localhost or your device name.

What you register as an app's Redirect URI, however, also has to be covered by an Allowed Origin on your ArcGIS Online instance. Otherwise, you will get the CORS error I noted above, in step #8, when you start the Experience Builder server on your local machine.

It is the Allowed Origin setting that is the issue. In ArcGIS Online, under Organization --> Settings --> Security --> Allowed origins, you can no longer add a domain that is just a machine name or localhost, such as what the documentation for Experience Builder suggests using, https://localhost:3001.

0 Kudos
RobertScheitlin__GISP
MVP Esteemed Contributor

@PeterKnoop 

What you register as an app's Redirect URI, however, also has to be covered by an Allowed Origin on your ArcGIS Online instance. Otherwise, you will get the CORS error I noted above, in step #8, when you start the Experience Builder server on your local machine.

I have never messed with the Allowed Origins setting in AGOL and I have been using EB Developer since the beginning and even have EB deployed to my web server without issue.

0 Kudos
PeterKnoop
Regular Contributor

Thanks @RobertScheitlin__GISP . If you are not specifying any Allowed Origins for your ArcGIS Online instance, then it will accept CORS requests from any domain. Our local security guidelines, however, require us to use ArcGIS Online's Allowed Origins settings to lock-down CORS to only permitted domains. So now that localhost is no longer supported as option by ArcGIS Online, it would seem that adding a note to the instructions would hopefully help others running into this issue.