Hi,
I noticed a weird case when I was experimenting with getting an access token using the password grant flow.
Basically I set up an application/client to allow the password grant auth flow and I was able to successfully retrieve a token from the token endpoint, https://tenant-one.eu.auth0.com/oauth/token.
However, when I made the exact same request with the same POST body to a different tenant, https://tenant-two.eu.auth0.com/oauth/token, the request succeeded as well. It even appears that it does not matter whether the tenant in the URL exists or not; the request will still succeed.
I’m not sure if this functionality works as intended, but it seems like the URL for a tenant shouldn’t accept token requests for a client that is registered on a different tenant.
Can I get some clarification on this?