Writing automated tests, we found an unexpected behavior regarding the URLs to our tenants, or rather the tenant endpoints. We found that the actual URL used to access the token endpoint is not relevant: we would still get a valid access token back, as long as the contents of the request are consistent.
For example, a request for an access token, using client credentials, for our stage environment would be sent to:
https://myapp-stage.eu.auth0.com/oauth/token
Then we would get a valid access token back.
But if we send the same request to
https://myapp-sandbox.eu.auth0.com/oauth/token,
we would expect to get an error, because the clientID and the audience specified in the request do not belong to that tenant.
But we actually get a valid token back. And the token is not for sandbox, it is for stage.
In fact, we found that no matter what URL we use, ending with .eu.auth0.com, the request will be processed and a valid token returned.
This caused some confusion in our teams. I just want to give anyone a chance to demystify this behavior and any potential security implications.
It seems to me there is a single token endpoint and the host header is not validated.