Not sure if this helps, as we don't currently use different tenants at this point in time, but we do for sure enforce sending the tenant id to each call:
When you setup the OpenIdConnectOptions ---
private const string TenantIdParameterName = "tenantId"; ... options.Events.OnRedirectToIdentityProvider = context => { /* Fusion auth has the option for multiple tenants - when multiple tenants enabled, we have to ensure we hit the right one for user auth. */ context.ProtocolMessage.SetParameter(TenantIdParameterName, authSettings.TenantId.ToString()); } options.Events.OnRedirectToIdentityProviderForSignOut = context => { context.ProtocolMessage.ClientId = authSettings.ClientId.ToString(); context.ProtocolMessage.SetParameter(TenantIdParameterName, authSettings.TenantId.ToString()); return Task.CompletedTask; };Not sure if that helps you - you will have to look at the current HttpContext to decide what you want to do.