listing users via api returns the wrong identity
Hi, when listing users via /api/v1/users?user_id=<kp:123> we get a different identity back kp:456. This is a major issue that's impacting the functionality of our product. Can someone please look into it?

Here is the curl:
❯ curl --location 'https://ankor-dev.au.kinde.com/api/v1/users?user_id=kp%3A472264654f30408f8e84c2b0f7347edd&page_size=1' \
--header 'Authorization: Bearer ***' -v
* Host ankor-dev.au.kinde.com:443 was resolved.
* IPv6: (none)
* IPv4: 54.153.128.229, 13.54.219.39
* Trying 54.153.128.229:443...
* Connected to ankor-dev.au.kinde.com (54.153.128.229) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.kinde.com
* start date: Apr 8 00:00:00 2025 GMT
* expire date: May 8 23:59:59 2026 GMT
* subjectAltName: host "ankor-dev.au.kinde.com" matched cert's "*.au.kinde.com"
* issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M03
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://ankor-dev.au.kinde.com/api/v1/users?user_id=kp%3A472264654f30408f8e84c2b0f7347edd&page_size=1
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: ankor-dev.au.kinde.com]
* [HTTP/2] [1] [:path: /api/v1/users?user_id=kp%3A472264654f30408f8e84c2b0f7347edd&page_size=1]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [authorization: Bearer ***
> GET /api/v1/users?user_id=kp%3A472264654f30408f8e84c2b0f7347edd&page_size=1 HTTP/2
> Host: ankor-dev.au.kinde.com
> User-Agent: curl/8.7.1
> Accept: */*
> Authorization: Bearer ***
>
* Request completely sent off
< HTTP/2 200
< date: Wed, 08 Oct 2025 22:13:55 GMT
< content-type: application/json; charset=utf-8
< content-length: 338
< vary: Accept-Encoding
<
* Connection #0 to host ankor-dev.au.kinde.com left intact
{"code": "OK", "users": [{"id": "kp:58930e2164f548c4bc259993d1d300eb", "email": "***", "full_name": "***", "last_name": "***", "created_on": "2024-04-10T07:57:55.035431+00:00", "first_name": "***", "is_suspended": false, "total_sign_ins": 0, "failed_sign_ins": 0}], "message": "Success", "next_token": "***"}%

We are basically requesting kp:472264654f30408f8e84c2b0f7347edd and getting back kp:58930e2164f548c4bc259993d1d300eb.

Like I said, this is a major issue in our product. We are temporarily disabling access to that account; however, we do not know how many accounts are affected.
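
A client-side guard for the situation reported above, as an added example that is not part of the original post and not Kinde's code: it accepts a `users` response only when every returned `id` equals the requested `user_id`, and sweeps a list of ids to find which lookups come back wrong. The function names and the `fetch` callable are hypothetical; the sample responses are constructed in the shape shown in the post.

```python
from __future__ import annotations
from typing import Callable, Iterable


class IdentityMismatch(Exception):
    """The response contains records for ids other than the one requested."""

    def __init__(self, requested_id: str, returned_ids: list):
        super().__init__(f"asked for {requested_id}, got {returned_ids}")
        self.requested_id = requested_id
        self.returned_ids = returned_ids


def select_requested_user(requested_id: str, body: dict) -> dict | None:
    """Return the record whose id equals requested_id, or None if the list is empty.

    Fails closed: any record with a different (or missing) id raises.
    """
    users = body.get("users") or []
    returned_ids = [u.get("id") for u in users]
    if any(rid != requested_id for rid in returned_ids):
        raise IdentityMismatch(requested_id, returned_ids)
    return users[0] if users else None


def audit_ids(ids: Iterable[str], fetch: Callable[[str], dict]) -> dict:
    """Return {requested_id: returned_ids} for every lookup that came back wrong."""
    affected = {}
    for uid in ids:
        try:
            select_requested_user(uid, fetch(uid))
        except IdentityMismatch as exc:
            affected[uid] = exc.returned_ids
    return affected


# Constructed responses in the shape shown in the post (fields trimmed).
REQUESTED = "kp:472264654f30408f8e84c2b0f7347edd"
RETURNED = "kp:58930e2164f548c4bc259993d1d300eb"
SAMPLE = {
    REQUESTED: {"code": "OK", "users": [{"id": RETURNED}], "message": "Success"},
    "kp:constructed-ok": {"code": "OK", "users": [{"id": "kp:constructed-ok"}]},
    "kp:constructed-none": {"code": "OK", "users": []},
}

if __name__ == "__main__":
    print(audit_ids(SAMPLE, SAMPLE.__getitem__))
```

In a real sweep, `fetch` would wrap the authenticated GET from the post and return the parsed JSON body.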