Using 'arcgisonline' client ID in deployed Dev Edition apps for 'seamless' sign in experience

05-09-2024 03:53 AM
HeathcliffRongo
New Contributor III

Background

A client has a number of EXB (1.14) and WAB Dev Edition apps, which have been deployed to the same IIS web server that hosts the Portal Web Adaptor for ArcGIS Enterprise 10.9.1. Relevant deployment instructions have been followed, and the apps function as expected. The apps use secured services, so users have to sign in to the client's Portal to use them.

While users are signed into Portal, they're able to launch WAB apps in a new tab without being prompted to sign in, but when they launch EXB apps in a new tab they are getting prompted to sign in. The client would like to maintain the WAB behaviour, as the EXB behaviour is causing friction for users (the client wants to eventually transition all WAB apps to EXB).

I wasn't able to find a working solution after reviewing documentation and community posts, so I did some digging. When observing HTTP traffic while launching a WAB app (while being signed in to Portal), WAB is passing client ID 'arcgisonline' to the oauth2/platformSelf endpoint, which responds with a token. When launching an EXB app (again while signed in to Portal), the client ID that's configured in config.json is instead passed to oauth2/platformSelf, resulting in an invalid client ID error, which then triggers EXB to display a login prompt (worth noting that the client ID is valid - the issue is that the esri_aopc cookie is only valid for the arcgisonline client ID).

Question

Based on the above findings, I updated the config.json for one of the EXB apps to be 'arcgisonline' and observed that I was able to launch EXB apps (while signed in to Portal) without being prompted to sign in.

I'm interested in hearing what ramifications, if any, there may be to setting the client ID to arcgisonline like this (as this isn't documented publicly, the risk would be Esri changing how this works in later updates). Has anyone else done this? Is there an alternative workaround that I should look at instead? Keen to hear your thoughts.

1 Reply
HeathcliffRongo
New Contributor III

Adding that if you sign in to the app first without logging in to Portal first, the app works as expected. Then when you sign in to Portal, you'll still get prompted to log in even though you've signed in from the app. This is expected because the esri_aopc cookie only gets set when you log in to Portal (or AGOL, or hosted app etc.).

0 Kudos