Auth0 not respecting multi-tenancy

Our organisation has two tenants.

  • staging-tenant.eu.auth0.com
  • prod-tenant.eu.auth0.com

We are using this to run M2M client-credentials authentication. In each respective tenant, we have created the relevant M2M apps. For this example, app1 exists in staging-tenant.eu.auth0.com.

If I send a token request with the app1 credentials to the prod tenant, I get a valid JWT back.

# Client-credentials grant against the prod tenant's token endpoint (/oauth/token)
curl --request POST \
  --url https://prod-tenant.eu.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"APP1_CLIENT_ID","client_secret":"APP1_CLIENT_SECRET","audience":"API_ID","grant_type":"client_credentials"}'

This shouldn’t happen: app1 is only registered and configured in the staging tenant, so I would expect the prod tenant not to recognize app1’s client ID and to return Unauthorized.
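As an added example (not the original poster's code and not Auth0's), the check a practitioner would run before concluding that tenants are leaking into each other: decode the returned JWT's iss claim to see which tenant actually minted it, and then verify the token against the expected tenant's signing key, issuer and audience. Real Auth0 access tokens are RS256-signed and must be verified against the issuing tenant's JWKS; the HS256 signer and the per-tenant secrets below are constructed stand-ins so the example runs offline. The claim layout (iss as the tenant URL, sub as client_id@clients, gty client-credentials) is modelled on Auth0's client-credentials tokens but is part of the constructed data here, not verified against the thread.

```python
# Added example: tenant-isolation check for a client-credentials token.
# Constructed HS256 signer stands in for each tenant's real RS256 key pair.
import base64
import hashlib
import hmac
import json
import time

# Constructed per-tenant signing secrets (stand-ins for each tenant's JWKS keys).
TENANT_KEYS = {
    "staging-tenant.eu.auth0.com": b"staging-signing-secret",
    "prod-tenant.eu.auth0.com": b"prod-signing-secret",
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_endpoint(tenant_domain):
    """Auth0's token endpoint for a tenant: https://<tenant>/oauth/token."""
    return "https://%s/oauth/token" % tenant_domain


def mint_token(tenant_domain, client_id, audience, now=None):
    """Constructed stand-in for what a tenant's /oauth/token returns for a
    client_credentials grant. iss names the minting tenant; the signature is
    made with that tenant's key only, which is what keeps tenants apart."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://%s/" % tenant_domain,
        "sub": "%s@clients" % client_id,
        "aud": audience,
        "iat": now,
        "exp": now + 86400,
        "gty": "client-credentials",
    }
    signing_input = "%s.%s" % (_b64url(json.dumps(header).encode()),
                               _b64url(json.dumps(payload).encode()))
    sig = hmac.new(TENANT_KEYS[tenant_domain], signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url(sig))


def unverified_claims(token):
    """Decode the payload WITHOUT checking the signature: enough to see which
    tenant claims to have minted it (iss), never enough to trust the token."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_for_tenant(token, tenant_domain, audience, now=None):
    """Accept the token only if it is signed with tenant_domain's key, its iss
    names that tenant, it is for our API and it has not expired."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(TENANT_KEYS[tenant_domain],
                        ("%s.%s" % (header_b64, payload_b64)).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature not valid for " + tenant_domain)
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != "https://%s/" % tenant_domain:
        raise ValueError("unexpected issuer " + str(claims.get("iss")))
    if claims.get("aud") != audience:
        raise ValueError("unexpected audience")
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def cross_tenant_check(client_id, audience, now=1700000000):
    """Reproduce the thread's scenario offline: app1 lives in staging, so any
    token it can obtain carries staging's iss and signature. Checking that
    token against prod must fail even though it is a well-formed JWT."""
    tok = mint_token("staging-tenant.eu.auth0.com", client_id, audience, now=now)
    result = {"issuer": unverified_claims(tok)["iss"]}
    try:
        verify_for_tenant(tok, "prod-tenant.eu.auth0.com", audience, now=now)
        result["accepted_by_prod"] = True
    except ValueError as err:
        result["accepted_by_prod"] = False
        result["reason"] = str(err)
    result["accepted_by_staging"] = bool(
        verify_for_tenant(tok, "staging-tenant.eu.auth0.com", audience, now=now))
    return result


if __name__ == "__main__":
    print(json.dumps(cross_tenant_check("APP1_CLIENT_ID", "API_ID"), indent=2))
```

The practical point is that "I got a JWT back" is not the test: the iss claim of the returned token tells you which tenant minted it, and a resource server configured for prod-tenant.eu.auth0.com should reject anything signed by another tenant's keys regardless of how it was obtained.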

This sounds really strange and I cannot reproduce this issue myself.

You can DM me the names of your two tenants, the client_id you’re using (no need for the client_secret!), and the time you made that request on the PROD tenant, and I can then check in the logs whether that’s really the case (that a proper JWT is returned).

As discussed with @MyMirelHub, I wasn’t able to reproduce / see the issue in the logs. Suggested to get in touch with our support.