Auth0 not respecting multi-tenancy

Our organisation has two tenants.

  • staging-tenant.eu.auth0.com
  • prod-tenant.eu.auth0.com

We are using this to run M2M client credential authentication. In each respective tenant, we have created the relevant M2M apps. For this example, app1 exists in staging-tenant.eu.auth0.com.

If I send a token request with the app1 credentials to the prod tenant, I get a valid JWT back.

curl --request POST \
  --url https://prod-tenant.eu.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"APP1_CLIENT_ID","client_secret":"APP1_CLIENT_SECRET","audience":"API_ID","grant_type":"client_credentials"}'

This shouldn’t happen as app1 is only registered and configured in the staging tenant so I would expect the prod tenant to not recognize the app1 client ID and return Unauthorized.


This sounds really strange and I cannot reproduce this issue myself.

You can DM me the names of your two tenants, the client_id you’re using (no need for the client_secret!), and the time you made that request on the PROD tenant. I can then check in the logs if that’s really the case (that a proper JWT is returned).

As discussed with @MyMirelHub, I wasn’t able to reproduce / see the issue in the logs. Suggested to get in touch with our support.
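
A quick way to see which tenant actually issued a returned token, as an added example that is not part of the original thread: decode the JWT payload and compare `iss` with the domain the request went to and `azp` with the client ID. It assumes Auth0's usual claim layout for client-credentials tokens (`iss` is `https://<tenant-domain>/`, `azp` is the client ID); the function names and sample tokens are constructed, and the payload is decoded without signature verification, so it is for diagnosis only.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed token for the demo; the signature segment is a dummy."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), b"dummy-signature"]
    return ".".join(_b64url(p) for p in parts)


def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnosis only)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer(token: str, requested_domain: str, client_id: str) -> dict:
    """Compare the token's issuer and client with the tenant and client used in the request."""
    claims = decode_claims(token)
    return {
        "iss": claims.get("iss"),
        "azp": claims.get("azp"),
        # Assumption: the issuer is the tenant URL with a trailing slash.
        "issued_by_requested_tenant": claims.get("iss") == f"https://{requested_domain}/",
        # Assumption: client-credentials tokens carry the client ID in azp.
        "issued_to_client": claims.get("azp") == client_id,
    }


# Constructed samples: the same client ID under each tenant's issuer.
_BASE = {"sub": "APP1_CLIENT_ID@clients", "aud": "API_ID", "azp": "APP1_CLIENT_ID", "gty": "client-credentials"}
TOKEN_FROM_PROD = make_sample_token({**_BASE, "iss": "https://prod-tenant.eu.auth0.com/"})
TOKEN_FROM_STAGING = make_sample_token({**_BASE, "iss": "https://staging-tenant.eu.auth0.com/"})

if __name__ == "__main__":
    for name, tok in (("prod", TOKEN_FROM_PROD), ("staging", TOKEN_FROM_STAGING)):
        print(name, check_issuer(tok, "prod-tenant.eu.auth0.com", "APP1_CLIENT_ID"))
```

A false `issued_by_requested_tenant` means the token came from a different tenant than the one named in the request URL.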
