I’m trying a password owner grant on two different tenants A, and B.
The scope I’m asking for is oauth
However, when I go to A.auth0.com/oauth/token, and try a Resource owner password grant with credentials and the Client from B.auth0.com, a token is granted to me
This doesn’t make sense. Shouldn’t I be refused the token on the grounds that I’m accessing a different tenant?
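As an added example (not part of the original post), here is how to build the Resource Owner Password Grant request for a given tenant's `/oauth/token` endpoint and then check which tenant actually issued the returned token. It assumes the access token is a JWT whose `iss` claim is `https://<tenant-domain>/` (assumption based on Auth0's usual issuer format); the sample token is constructed inline so the check runs offline.

```python
import base64
import json
from urllib.parse import urlencode


def ropg_request(tenant_domain, client_id, username, password, scope):
    """Build the Resource Owner Password Grant POST for one tenant's token endpoint.
    Returns (url, form_body); the body is sent as application/x-www-form-urlencoded."""
    url = f"https://{tenant_domain}/oauth/token"
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "scope": scope,
    })
    return url, body


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment.encode())


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def jwt_claims(token):
    """Read a JWT payload for inspection only; signature and expiry still need
    proper verification before the token is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def issued_by(token, tenant_domain):
    """True only if the token's 'iss' names the tenant whose endpoint we called.
    Issuer format 'https://<tenant>/' is an assumption, not stated in the thread."""
    return jwt_claims(token).get("iss") == f"https://{tenant_domain}/"


def make_sample_token(claims):
    """Constructed test fixture: well-formed JWT shape with a placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


# Constructed sample: a token that claims to come from tenant B.
SAMPLE_TOKEN = make_sample_token(
    {"iss": "https://B.auth0.com/", "sub": "auth0|example", "azp": "clientB"})
```

Calling `issued_by(token, "A.auth0.com")` after posting to `A.auth0.com/oauth/token` tells you whether the token you received was really minted by tenant A or by the tenant that owns the client.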
It’s something that is already being tracked in order to be addressed. Although it’s something that is prone to generating confusion and hence should be resolved, bear in mind that, to my knowledge, it does not have a real impact, because the client application identifier is already unique by itself. In addition, the fact that it behaves like that, even if you consider it a bug, means that changing it ends up being a breaking change, so there may be more to it than just a code change.