Tenants are not isolated by domain (URL)?

Writing automated tests, we found an unexpected behavior regarding the URLs to our tenants, or rather the tenant endpoints. We found that the actual URL used to access the token endpoint is not relevant; we would still get a valid access token back, as long as the contents of the request are consistent.

For example, a request for an access token, using client credentials, for our stage environment would be sent to:
https://myapp-stage.eu.auth0.com/oauth/token
Then we would get a valid access token back.

But if we send the same request to
https://myapp-sandbox.eu.auth0.com/oauth/token,
we would expect to get an error, because the clientID and the audience specified in the request do not belong to that tenant.
But we actually get a valid token back. And the token is not for sandbox, it is for stage.

In fact, we found that no matter what URL we use, ending with .eu.auth0.com, the request will be processed and a valid token returned.

This caused some confusion in our teams. I just want to give anyone a chance to demystify this behavior and any potential security implications.

It seems to me there is a single token endpoint and the host header is not validated.

You’re right, Auth0 doesn’t validate the tenant name in this particular /oauth/token request, and infers the tenant using the clientID specified in the body. Fixing this is in our backlog, but not prioritized at the moment due to lack of security implications and there’s a possibility for the flows of legacy customers to break.

I just want to give anyone a chance to demystify this behavior and any potential security implications.

Our security team has confirmed that the behavior does not have any known security implications. You can safely ignore the behavior, but make sure you always specify the correct tenant names to reduce chances of a migration/breaking change in the future.
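Given this behavior, a test suite should not infer the tenant from the URL it called; it should read the `iss` claim of the token it got back and compare it to the tenant endpoint it expected. The check below is an added example, not code from this thread or from Auth0. The token is a constructed sample with a dummy signature segment, and signature verification against the tenant's JWKS is assumed to happen in a separate step.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    # Parse the payload segment only. This does NOT verify the signature;
    # that is done separately with the tenant's JWKS before trusting any claim.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches_endpoint(token: str, token_endpoint: str) -> bool:
    # Auth0 sets `iss` to the tenant domain (e.g. https://myapp-stage.eu.auth0.com/).
    # The request URL's host is not authoritative, so compare against `iss` instead.
    expected_host = urlparse(token_endpoint).hostname
    issuer_host = urlparse(jwt_claims(token).get("iss", "")).hostname
    return issuer_host is not None and issuer_host == expected_host


def _constructed_token(claims: dict) -> str:
    # Builds a sample token for offline demonstration; the signature segment is a
    # placeholder because this example only inspects claims.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample: the token a stage client_id yields regardless of which
# *.eu.auth0.com host the request was sent to.
STAGE_TOKEN = _constructed_token({
    "iss": "https://myapp-stage.eu.auth0.com/",
    "aud": "https://api.myapp.example/",
    "sub": "stageclient@clients",
})

if __name__ == "__main__":
    print(issuer_matches_endpoint(STAGE_TOKEN, "https://myapp-stage.eu.auth0.com/oauth/token"))    # True
    print(issuer_matches_endpoint(STAGE_TOKEN, "https://myapp-sandbox.eu.auth0.com/oauth/token"))  # False
```

In the scenario from the question, the second call returns False: the sandbox URL was used, but the token's issuer is the stage tenant, which is exactly the mismatch the test should catch.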


Thanks for the explanation!

/Martin
