Describe the bug
Currently, if you start an OAuth2 flow with a _CLIENTID tied to a sub-tenant, you can go through the whole process by calling the root /authorize and /api/token.
It's only at the end of the /api/token call that you get a grant_error (because we try to look up the user in the wrong tenant).
To Reproduce
On a workspace with several tenants:
Use a client from a sub-tenant
Make the OAuth2 process using the routes from the main tenant
Expected behavior
An error shall be shown immediately on /authorize to prevent the user from going through the OAuth2 process.
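The ordering problem in the report, modelled as an added example that is not the project's code: a tiny in-memory workspace with a root tenant and one sub-tenant, an /authorize that skips the tenant check (the behaviour described above) beside one that rejects a foreign client_id up front, and an /api/token that looks the user up in the tenant whose route was called. Tenant names, client ids, users and the `authorize_*`/`token` function names are all assumptions constructed for the illustration. The fixed /authorize returns the error to the resource owner without redirecting, since per RFC 6749 §4.1.2.1 an invalid client_id must not trigger a redirect.

```python
"""Tenant-scoped client validation at /authorize (constructed model, not project code)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Tenant:
    name: str
    clients: dict = field(default_factory=dict)  # client_id -> redirect_uri
    users: set = field(default_factory=set)      # users known to this tenant
    codes: dict = field(default_factory=dict)    # auth code -> (client_id, user)


# Constructed workspace: a root tenant and a sub-tenant, each with its own client.
TENANTS = {
    "root": Tenant("root", clients={"root-app": "https://root.example/cb"}, users={"alice"}),
    "sub": Tenant("sub", clients={"sub-app": "https://sub.example/cb"}, users={"bob"}),
}


def authorize_current(tenant_name, client_id, user):
    """Behaviour as reported: /authorize on a tenant route issues a code without
    checking that client_id is registered in that tenant."""
    tenant = TENANTS[tenant_name]
    code = secrets.token_urlsafe(16)
    tenant.codes[code] = (client_id, user)
    return {"code": code}


def authorize_fixed(tenant_name, client_id, user):
    """Expected behaviour: fail at /authorize when client_id does not belong to
    the tenant whose route was called. The error is shown to the resource owner,
    not redirected (RFC 6749 4.1.2.1: unknown client_id, no redirect)."""
    tenant = TENANTS[tenant_name]
    if client_id not in tenant.clients:
        return {
            "error": "invalid_request",
            "error_description": f"client {client_id!r} is not registered in tenant {tenant_name!r}",
            "redirect": False,
        }
    code = secrets.token_urlsafe(16)
    tenant.codes[code] = (client_id, user)
    return {"code": code}


def token(tenant_name, code):
    """/api/token on a tenant route: redeem the code, then look the user up in
    that same tenant. With the unchecked /authorize this is the first point at
    which a sub-tenant client on the root route fails (grant_error)."""
    tenant = TENANTS[tenant_name]
    entry = tenant.codes.pop(code, None)
    if entry is None:
        return {"error": "invalid_grant"}
    client_id, user = entry
    if user not in tenant.users:
        return {"error": "grant_error", "error_description": f"user {user!r} not found in tenant {tenant_name!r}"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer", "client_id": client_id}


if __name__ == "__main__":
    # Reported path: sub-tenant client on the root routes fails only at /api/token.
    late = authorize_current("root", "sub-app", "bob")
    print("current /authorize:", late)
    print("current /api/token:", token("root", late["code"]))
    # Expected path: the same request is refused at /authorize.
    print("fixed /authorize:", authorize_fixed("root", "sub-app", "bob"))
    # Correct tenant routes still work end to end.
    ok = authorize_fixed("sub", "sub-app", "bob")
    print("fixed /api/token on own tenant:", token("sub", ok["code"]))
```

The check lives entirely at the authorization endpoint: the client registry consulted is the one belonging to the tenant resolved from the route, so a client_id from another tenant never reaches code issuance, and the user lookup at /api/token is no longer the first line of defence.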