Cross domain authentication using the password grant flow

Hi,

I noticed a weird case when I was experimenting with getting an access token using the password grant flow.

Basically I set up an application/client to allow the password grant auth flow and I was able to successfully retrieve a token from the token endpoint, https://tenant-one.eu.auth0.com/oauth/token.

However, when I made the exact same request with the same POST body to a different tenant, https://tenant-two.eu.auth0.com/oauth/token, the request succeeded as well. It even appears that it does not matter whether the tenant in the URL exists or not; the request will still succeed.

I’m not sure if this functionality works as intended but it seems like the URL for a tenant shouldn’t accept token requests for a client that is registered on a different tenant.

Can I get some clarification on this?

  1. This is a known issue. It has been reviewed by our Security team and found not to have any security implications.

  2. In the Password Grant flow, the /oauth/token endpoint will determine the client using the client_ID. Note that the host parameter does not play a role in this process. Note also that no cookies are set during calls to /oauth/token in this scenario.

  3. So even when the request is successful, the token issuer is the tenant where the client exists. What is important in this case is the client credentials, and the client will determine the tenant.

  4. In addition, if you change the region in the URL, the request will be unsuccessful.

In conclusion, there is nothing to be concerned about here, and in fact the issue can be resolved through the use of a custom domain.
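Since the reply says the issuer is always the tenant the client belongs to, regardless of the host in the URL, the practical check on the consuming side is to compare the token's `iss` claim against the tenant you expect rather than against the host you posted to. The following is an added example, not code from the thread or from Auth0; the tenant name, the `alg: none` sample token and the trailing-slash issuer format are constructed assumptions for offline use.

```python
import base64
import json

# The tenant this client is registered on (constructed placeholder). Auth0 issuers
# are written with a trailing slash; adjust if your tenant's iss differs.
EXPECTED_ISSUER = "https://tenant-one.eu.auth0.com/"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This only inspects `iss`; signature verification against the issuing
    tenant's JWKS must still happen before the token is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def issuer_matches_expected_tenant(token: str, expected_issuer: str = EXPECTED_ISSUER) -> bool:
    """True only if `iss` names the tenant the client belongs to.

    The host the /oauth/token request was sent to is deliberately not an input:
    per the thread, the client_id alone selects the issuing tenant.
    """
    return jwt_claims_unverified(token).get("iss") == expected_issuer


def make_constructed_token(issuer: str) -> str:
    """Build an unsigned sample token (constructed, for offline demonstration only)."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = seg({"alg": "none", "typ": "JWT"})
    payload = seg({"iss": issuer, "sub": "auth0|example", "aud": "https://api.example.test"})
    return f"{header}.{payload}."  # empty signature segment


if __name__ == "__main__":
    for tenant in ("https://tenant-one.eu.auth0.com/", "https://tenant-two.eu.auth0.com/"):
        ok = issuer_matches_expected_tenant(make_constructed_token(tenant))
        print(f"iss={tenant} -> matches expected tenant: {ok}")
```

If the access token Auth0 returns is opaque rather than a JWT (no API audience requested), apply the same `iss` check to the `id_token` from the same response.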