Let’s say a user can be associated with multiple tenants. Somewhere, in your backend , you have that relationship defined (e.g. “User A” has access to “Tenant 1”, “Tenant 2”, and “Tenant 3”).
If you were to have a multi tenant application in the pre-OAuth2 world, in each backend access you would ensure that the “User A” can only access those tenants that he is part of.
Now, bringing OAuth2 and its delegated authorization idea, a user gives an application consent to access their resources (i.e. “Tenant 1”, “Tenant 2”, and “Tenant 3”). Let’s start with a all-powerful token that a first-party application might get. That token would allow the application to do anything the user can do. The user would be able to choose which tenant they want to work with (like the Auth0 dashboard, for instance).
In the API, you would have some way of expressing which tenant you want to access. That could be a subdomain, a part of the path, a parameter, or a header, but this is ultimately irrelevant. Some examples:
GET https://tenant1.acme.com/api/messages
GET https://acme.com/api/tenant1/messages
GET https://acme.com/api/messages?tenant=tenant1
Where to put the tenant is ultimately irrelevant, but in every case the API would verify that the access token is valid, get the user ID (the “subject”) from the token and move on to the “business” authorization phase: is the user authorized to access the tenant? This validation is independent of OAuth2 (which gives an application the ability to do something on behalf of the user): is a validation of policies for what the user can do.
Now, if you deal with third-party apps, you might want to restrict the capabilities of the token. One way of doing so could be with general scopes (e.g. read-only access, or a subset of capabilities).
But you might also want to restrict the tenant that the token has access to. So you could have an additional scope representing the tenant for which the user allowed access to the application: e.g. tenant:all-tenants
(not really all, but all the tenants of the user), and tenant:tenant-1
, tenant:tenant-2
and so on.
Now, on the authorization logic of the API, after the token validation, you would also check which tenant the token is allowed to access. But, as always, after that you will need to ensure that the user (still) has access to the tenant (and thus deny access if the user removed from the tenant at a moments notice).
Not sure if I answered your question