Auth0 not respecting multi-tenancy

Our organisation has two tenants.

• staging-tenant.eu.auth0.com
• prod-tenant.eu.auth0.com

We are using this to run M2M client credential authentication. In each respective tenant, we have created the relevant M2M apps. For this example, app1 exists in staging-tenant.eu@auth0.com.

If I send a token request with the app1 credentials to the prod tenant I get a valid jwt back.

curl --request POST \
  --url https://prod-tenant.eu.auth0.com \
  --header 'content-type: application/json' \
  --data '{"client_id":"APP1_CLIENT_ID","client_secret":"APP1_CLIENT_SECRET","audience":"API_ID","grant_type":"client_credentials"}'

This shouldn’t happen as app1 is only registered and configured in the staging tenant so I would expect the prod tenant to not recognize the app1 client ID and return Unauthorized.

This sounds really strange and I cannot reproduce this issue myself.

You can DM me the name of your two tenants and the client_id you’re using (no need for the client_secret!), and the time you did that request on the PROD tenant, I can then check if that’s really the case (that a proper JWT is returned) in the logs.

As discussed with @MyMirelHub, I wasn’t able to reproduce / see the issue in the logs. Suggested to get in touch with our support.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.