Description
In order to access protected resources from clients at the realm level, an organization member must be able to authenticate to a realm within the scope of an organization. The authentication policies that drive the steps and the credentials used during authentication are based on the policies set at the realm level.
Once authenticated, the client acting on behalf of an organization member should be issued tokens in which metadata about the organization they belong to is available as a claim, so that both the client to which a token was issued (the ID Token, in case the oidc scope was requested) and the audience where a token is going to be used as a bearer token (the Access Token) can infer the organization the subject belongs to and make access decisions when accessing their protected resources.
The information about the organization should be communicated to clients via an organization claim as follows:

    "organization": {
        "<name>": {}
    }
Similar to how client roles (e.g. resource_access) are represented in tokens, organizations are represented as a key/value pair where the key is the organization name and the value is a JSON object with additional information about the access context of a user within an organization, which might eventually be mapped into tokens. For now, it will always be an empty object.
The organization claim should only be set into tokens when an organization scope is sent along with the authorization request. It should be an optional scope, added to tokens only when requested.