/oauth/token Issues Token despite Prefixing Path with Arbitrary String

Overview

If a request is made to https://<mytenant>.auth0.com/<randomstring>/oauth/token, the request is still successful.

This article explains this behavior.

Applies To

  • Tokens
  • Requests

Solution

This is expected behavior and has been kept for historical reasons. This behavior can be ignored entirely, as there is no security impact, and all the same protection mechanisms apply.