Disable redirect from development to production environment

When we are requesting a bearer token using production credentials, it works with the URL for both production and development. Is it possible to disable this redirect, so that production credentials will only work when using the production URL and fail when using the development URL?

Hey @emil.enemaerke ,

Which grant are you using to get the tokens?
And are you referring to using different tenant URLs and still getting tokens with the same credentials?

Regards,
Sidharth


Hi @sidharth.chaudhary

I’m referring to using different tenant URLs and still getting a valid token with the same credentials.

We have two tenants:
Production with URL prod.example.com
Development with URL dev.example.com

A client and API exist in production but not in development. When requesting a bearer token for the client against prod.example.com it works as expected. When requesting a bearer token from dev.example.com we still get a valid bearer token - not expected. In the audit logs from the two tenants I can see that it is production which is handling the request. That is why I’m guessing that there must be some kind of redirect?

Kind regards
Emil

Hey Emil

Getting tokens using the client credentials grant checks the client ID and secret, which is a unique entity, and the URL is not validated in this case. If you use custom domains for prod and development then it will fail and not issue the tokens.

That being said, since the Client ID and Secret are validated, it’s not deemed a security risk to be able to get tokens with the Prod and dev URL. Hope this makes sense. Definitely, the improvement is part of the product backlog.

Regards,
Sidharth


Thanks for helping on this one Sid!

Hi Sidharth

Something has changed since I raised this ticket. Auth0’s behavior is now as expected and I cannot retrieve a token if I use the URL for the wrong tenant. It is also being logged as a failed request:

The tenant in the URL (production) does not match the tenant from the credentials (development)

The log is found in the tenant where the credentials belong. From a troubleshooting perspective it would be nice to have it logged in the tenant where the URL belongs.

Kind Regards
Emil
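An added example, not code from the thread or from Auth0, for verifying the behaviour Sidharth describes (the token endpoint validating only client ID and secret) and the later fix Emil reports: request a client credentials token via each tenant URL and compare the `iss` claim of any token returned with the tenant you called. It assumes access tokens are JWTs whose `iss` is the issuing tenant URL and that the token endpoint is `/oauth/token`; the sample token and responses are constructed offline stand-ins.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(issuer: str) -> str:
    """Constructed, unsigned JWT used only as offline sample input (stand-in for a real token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": "client@clients", "aud": "https://api.example.com"}
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def issuer_host(token: str) -> str:
    """Hostname in the token's `iss` claim. Claims are read without signature verification;
    this is an audit check on which tenant minted the token, not a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    return urlparse(claims.get("iss", "")).hostname or ""


def classify_token_response(tenant_host: str, response: dict) -> str:
    """Classify a response from https://<tenant_host>/oauth/token (assumed endpoint path).
    `response` is {"status": int, "body": dict}; in real use fill it from your HTTP client.
    Returns 'rejected', 'issued-by-tenant', or 'issued-by-other-tenant' (the cross-tenant
    case from the thread: one tenant's credentials, token minted via another tenant's URL)."""
    if response["status"] != 200 or "access_token" not in response.get("body", {}):
        return "rejected"
    iss = issuer_host(response["body"]["access_token"])
    return "issued-by-tenant" if iss == tenant_host else "issued-by-other-tenant"


if __name__ == "__main__":
    prod_token = make_sample_token("https://prod.example.com/")
    # Constructed responses: prod URL issues a prod token; dev URL either hands back a prod
    # token (old behaviour) or rejects the request with a tenant-mismatch error (current).
    print(classify_token_response("prod.example.com", {"status": 200, "body": {"access_token": prod_token}}))
    print(classify_token_response("dev.example.com", {"status": 200, "body": {"access_token": prod_token}}))
    print(classify_token_response("dev.example.com", {"status": 403, "body": {"error": "access_denied"}}))
```

Running the check from a monitoring job against both tenant URLs turns the ambiguity in the thread into a concrete signal: any `issued-by-other-tenant` result means credentials from one tenant were honoured via the other tenant's URL.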