Tags: oauth-2.0, asp.net-identity, identityserver4, openid, claims-based-identity

Multi-organization solution with identityserver4


I've got the following setup:

  • IdentityServer4 using ASP.NET Core Identity
  • Accounts app - where a user can edit his account data and users can register
  • Portal - where users can log in and select an organization to which they're connected (same as in Azure DevOps)
  • API that is used by the portal

Does anyone have experience setting up something similar? My question would be how to authorize the calls at the API level to make sure a user is only editing entities that belong to his organization.

Thanks!


Solution

  • One way could be to use a tenant claim within each bearer token, so that when a user changes organization on the portal (in case one user has access to several orgs), you perform a re-login to the chosen tenant, or just request a new access token with the chosen tenant_id inside.

    You can use this and this answer for reference on how to pass a custom parameter (such as a tenant id) with your request to IdentityServer.
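As an added illustration of the API-side check the answer describes (example code, not from the question's project or from IdentityServer4 itself), the following ASP.NET Core snippet compares a tenant claim in the bearer token against the owning tenant of the entity being edited. The claim type `tenant_id`, the `Project` entity, and the `IProjectRepository` interface are assumptions for the example; the real claim name depends on how the token is issued.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Anything that belongs to exactly one organization/tenant (hypothetical marker interface).
public interface ITenantOwned
{
    string TenantId { get; }
}

// Hypothetical entity; the question does not show the real entity types.
public class Project : ITenantOwned
{
    public int Id { get; set; }
    public string TenantId { get; set; }
    public string Name { get; set; }
}

// Hypothetical data access; note the lookup is always scoped by tenant.
public interface IProjectRepository
{
    Task<Project> FindAsync(string tenantId, int id);
    Task SaveAsync(Project project);
}

// Requirement: the caller's tenant claim must equal the resource's TenantId.
public class SameTenantRequirement : IAuthorizationRequirement { }

public class SameTenantHandler : AuthorizationHandler<SameTenantRequirement, ITenantOwned>
{
    // Assumed claim type placed in the access token by IdentityServer (see the answer above).
    public const string TenantClaimType = "tenant_id";

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        SameTenantRequirement requirement,
        ITenantOwned resource)
    {
        var tenant = context.User.FindFirst(TenantClaimType)?.Value;

        // A token with no tenant claim, or with a different tenant, leaves the
        // requirement unmet; the caller then gets 403 from the controller.
        if (!string.IsNullOrEmpty(tenant)
            && string.Equals(tenant, resource.TenantId, StringComparison.Ordinal))
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}

// Registration (in Startup.ConfigureServices):
//   services.AddSingleton<IAuthorizationHandler, SameTenantHandler>();

[ApiController]
[Route("api/projects")]
[Authorize] // bearer token required; tenant scoping is enforced below
public class ProjectsController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    private readonly IProjectRepository _repo;

    public ProjectsController(IAuthorizationService authz, IProjectRepository repo)
    {
        _authz = authz;
        _repo = repo;
    }

    public class ProjectUpdate
    {
        public string Name { get; set; }
    }

    [HttpPut("{id}")]
    public async Task<IActionResult> Update(int id, [FromBody] ProjectUpdate input)
    {
        var tenant = User.FindFirst(SameTenantHandler.TenantClaimType)?.Value;
        if (string.IsNullOrEmpty(tenant))
            return Forbid();

        // Scope the lookup to the caller's tenant: an id that belongs to another
        // organization is simply "not found", so ids cannot be probed across tenants.
        var project = await _repo.FindAsync(tenant, id);
        if (project == null)
            return NotFound();

        // Defense in depth: re-check the loaded resource against the token claim,
        // so a repository that forgets to filter still cannot leak a write.
        var result = await _authz.AuthorizeAsync(User, project, new SameTenantRequirement());
        if (!result.Succeeded)
            return Forbid();

        project.Name = input.Name;
        await _repo.SaveAsync(project);
        return NoContent();
    }
}
```

The two layers are deliberate: the tenant-scoped repository call keeps other organizations' rows from ever being loaded, and the resource-based `AuthorizeAsync` check ties the decision to the claim in the token rather than to anything the client sends in the request body or URL. When the user switches organization on the portal and obtains a new token, the `tenant_id` claim changes and this same code scopes all subsequent calls to the new tenant.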