Tenants are not isolated by domain (URL)?

You’re right, Auth0 doesn’t validate the tenant name in this particular /oauth/token request, and infers the tenant using the clientID specified in the body. Fixing this is in our backlog, but it is not prioritized at the moment due to the lack of security implications, and there’s a possibility that the flows of legacy customers would break.

I just want to give anyone a chance to demystify this behavior and any potential security implications.

Our security team has confirmed that the behavior does not have any known security implications. You can safely ignore the behavior, but make sure you always specify the correct tenant names to reduce chances of a migration/breaking change in the future.

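The advice above is to always send the token request to your own tenant domain, with the client_id that belongs to that tenant. The example below is added here and is not code from the thread or from Auth0. It shows one way a client can keep the two tied together: the /oauth/token URL and the client_id are derived from a single tenant configuration, and after the response arrives the token's `iss` claim is compared against the issuer Auth0 uses for that tenant (`https://<domain>/`, with a trailing slash). The tenant domains, client_id and the sample token are constructed for the example; the JWT is unsigned and only decoded for its claims, and a real client must still verify the signature against the tenant's JWKS, which this example leaves out.

```python
import base64
import json
from urllib.parse import urlencode


def expected_issuer(tenant_domain: str) -> str:
    """Issuer an Auth0 tenant writes into its tokens: https://<domain>/ (trailing slash)."""
    return f"https://{tenant_domain}/"


def build_token_request(tenant_domain: str, client_id: str, client_secret: str, audience: str) -> dict:
    """Client-credentials request in which the URL host and the client_id come from
    the same tenant configuration, so they cannot drift apart."""
    return {
        "url": f"https://{tenant_domain}/oauth/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "audience": audience,
        }),
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check is done here;
    a real client verifies the signature with the tenant's JWKS first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches(token: str, tenant_domain: str) -> bool:
    """True only if the token's iss is exactly the issuer of the tenant we called."""
    return jwt_claims(token).get("iss") == expected_issuer(tenant_domain)


def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample token: alg=none header, payload, empty signature segment.
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: a token minted by tenant-b, as it would look if a request
# sent to tenant-a's URL carried tenant-b's client_id (hypothetical tenant names).
SAMPLE_ID_TOKEN = _make_unsigned_jwt({
    "iss": "https://tenant-b.us.auth0.com/",
    "sub": "abc123@clients",
    "aud": "https://api.example.com",
})


if __name__ == "__main__":
    req = build_token_request("tenant-a.us.auth0.com", "abc123", "hypothetical-secret",
                              "https://api.example.com")
    print("POST", req["url"])
    print("tenant-a issuer ok:", issuer_matches(SAMPLE_ID_TOKEN, "tenant-a.us.auth0.com"))
    print("tenant-b issuer ok:", issuer_matches(SAMPLE_ID_TOKEN, "tenant-b.us.auth0.com"))
```

Rejecting a token whose issuer is not the tenant you configured is standard OIDC client behaviour rather than something specific to this endpoint; it simply makes a mismatched tenant name or client_id fail loudly on the client side instead of being silently accepted.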