Scenario: Tenant-Isolated Identity and Authorization¶

Goal¶

Document a sample that ties Identity login and authorization to the current tenant using tenant-aware stores, claims, and policies.

Solution: CleanArchitecture.Extensions.Samples.Multitenancy.IdentityPerTenant
Path: samples/CleanArchitecture.Extensions.Samples.Multitenancy.IdentityPerTenant

Reference multitenancy core and AspNetCore; add CleanArchitecture.Extensions.Multitenancy.Identity when the package is available (use a project reference if built in-repo).
Ensure tenant resolution runs before authentication so login attempts already have tenant context (host/route/header providers configured).
Update Identity user and role entities/stores to implement ITenantUser/ITenantRole; scope user queries by tenant ID and namespace roles using the configured prefix pattern.
Register TenantClaimsPrincipalFactory to inject tenant_id, tenant_name, and per-tenant roles/permissions into JWTs or cookies.
Configure TenantPolicyProvider plus authorization handlers (TenantMembershipHandler, TenantPermissionRequirement) and swap existing policy registrations to tenant-aware versions.
Enforce tenant suspension/inactive flags during sign-in (fail fast with the proper error) and ensure issued tokens are invalidated if tenant state changes.
Add integration tests covering successful login within a tenant, rejected login for mismatched tenant, role prefixing behavior, and authorization policies that deny cross-tenant access.
Document how to seed a tenant admin user via provisioning events or startup seeding, and how to rotate keys without breaking tenant isolation.

Authentication only succeeds when the principal’s tenant matches the resolved tenant context.
Authorization policies respect tenant-prefixed roles/permissions.
Token claims include tenant identifiers and are rejected if the tenant is suspended or deleted.