In my company, we have 3 tenants, one for each environment (dev, stage, prod).
The auth URLs for the tenants are like https://mycompany-dev.eu.auth0.com, etc.
We just discovered that we can send password grant requests to https://mycompany-prod.eu.auth0.com, with a client ID from the dev tenant. How is this possible??? Shouldn’t Auth0 check that there’s no such client ID in the prod tenant, and reject the request?
Decoding the JWT token, we see that iss is correctly set to mycompany-dev.eu.auth0.com, so it is issued by the correct tenant. So it is just weird that I can use one tenant's URL to log in with another tenant's client.
Is this a feature of Auth0? Is this behaviour documented anywhere?
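The question reports that the token came back with iss pointing at the dev tenant even though the request went to the prod tenant's URL. Whatever the explanation for the issuer's behaviour, the practical safeguard on the consuming side is to pin the issuer you accept: an API behind the prod tenant should reject any token whose iss is not the prod tenant. The following is an added example written for this page, not code from the question, from Auth0 or from any Auth0 SDK. The tokens are constructed inline with a placeholder signature so the check can run offline; the claim values (the `https://.../` issuer form, the `aud` values) are assumptions for illustration, and a real deployment must verify the signature against the expected tenant's JWKS before trusting any claim.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    # Constructed test token: header + claims + a placeholder signature.
    # The signature is NOT valid; it exists only so the parser below has input.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def issuer_host(token: str) -> str:
    # Read the iss claim. This deliberately skips signature verification so the
    # example runs offline; production code must verify the signature with the
    # JWKS of the tenant it expects BEFORE reading any claim.
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    iss = payload["iss"]
    # Tolerate both a full URL issuer and a bare hostname, as the question
    # describes iss by hostname; compare on the host component only.
    parsed = urlparse(iss if "://" in iss else f"https://{iss}")
    return parsed.hostname.lower()


def token_from_expected_tenant(token: str, expected_tenant_url: str) -> bool:
    # True only when the token's issuer host is exactly the tenant we called.
    expected_host = urlparse(expected_tenant_url).hostname.lower()
    return issuer_host(token) == expected_host


# Constructed tokens mirroring the situation in the question (assumed claim
# values, not real Auth0 output): one issued by the dev tenant, one by prod.
DEV_ISSUED = make_unsigned_token({
    "iss": "https://mycompany-dev.eu.auth0.com/",
    "sub": "auth0|123",
    "aud": "dev-client-id",
})
PROD_ISSUED = make_unsigned_token({
    "iss": "https://mycompany-prod.eu.auth0.com/",
    "sub": "auth0|123",
    "aud": "prod-client-id",
})

PROD_TENANT = "https://mycompany-prod.eu.auth0.com"

if __name__ == "__main__":
    # A prod API pinned to the prod issuer rejects the dev-issued token.
    print(token_from_expected_tenant(DEV_ISSUED, PROD_TENANT))   # False
    print(token_from_expected_tenant(PROD_ISSUED, PROD_TENANT))  # True
```

The point of comparing on the host rather than doing a raw string match is that the issuer appears in two shapes on this page (a bare host in the decoded token, a URL for the tenant), and a check that silently fails on a trailing slash is worse than none. Run alongside signature verification, this is the check that keeps a token minted by the dev tenant from being accepted by anything that belongs to prod.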