Perform tenant authorization checks on all protected endpoints
twistedstream opened this issue · comments
Peter Stromquist commented
Currently the authorization check to ensure a user has access to the tenant they are browsing to only occurs on the /callback endpoint. This check needs to happen on other endpoints as well (except for maybe /login and /logout) to prevent users from accessing data from tenants they are not a member of.
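The pattern the issue asks for, as an added example that is not code from the project: instead of checking tenant membership inside the /callback handler alone, a single guard runs before every handler, with /login and /logout as the only exempt paths. The users, tenants, routes and handlers below are constructed sample data; dispatchWithoutGuard reproduces the current behaviour and dispatchWithGuard the requested one.

```javascript
// Added example (not the project's own code): enforcing tenant membership on every
// protected endpoint instead of only in the /callback handler.
// All users, tenants and routes below are constructed sample data.

// Which tenants each user belongs to.
const memberships = {
  alice: new Set(['acme']),
  bob: new Set(['globex']),
};

// Endpoints that do not expose tenant data and therefore need no membership check.
const PUBLIC_PATHS = new Set(['/login', '/logout']);

function isTenantMember(user, tenant) {
  const tenants = memberships[user];
  return tenants !== undefined && tenants.has(tenant);
}

// Hypothetical handlers keyed by path; each takes a request { user, path, tenant }
// and returns a response { status, body }.
const handlers = {
  '/login': () => ({ status: 200, body: 'login page' }),
  '/logout': () => ({ status: 200, body: 'logged out' }),
  '/callback': (req) => {
    // This is the only place the current code checks membership.
    if (!isTenantMember(req.user, req.tenant)) return { status: 403, body: 'forbidden' };
    return { status: 200, body: `session established for ${req.tenant}` };
  },
  '/dashboard': (req) => ({ status: 200, body: `dashboard for ${req.tenant}` }),
  '/api/records': (req) => ({ status: 200, body: `records for ${req.tenant}` }),
};

// Before: requests go straight to the handler, so any endpoint other than
// /callback serves data for whatever tenant is named in the request.
function dispatchWithoutGuard(req) {
  const handler = handlers[req.path];
  if (!handler) return { status: 404, body: 'not found' };
  return handler(req);
}

// After: one guard runs ahead of every handler. Anything not explicitly public
// requires an authenticated user who is a member of the requested tenant.
// Returning null means "allowed"; otherwise the returned response is sent as-is.
function tenantGuard(req) {
  if (PUBLIC_PATHS.has(req.path)) return null;
  if (!req.user) return { status: 401, body: 'authentication required' };
  if (!isTenantMember(req.user, req.tenant)) return { status: 403, body: 'forbidden' };
  return null;
}

function dispatchWithGuard(req) {
  // The guard runs before route lookup, so unknown paths are not revealed to
  // callers who are not members of the tenant either.
  const denied = tenantGuard(req);
  if (denied) return denied;
  const handler = handlers[req.path];
  if (!handler) return { status: 404, body: 'not found' };
  return handler(req);
}

// Demonstration: bob is a member of globex only, but asks for acme's records.
const crossTenant = { user: 'bob', path: '/api/records', tenant: 'acme' };
console.log('without guard:', dispatchWithoutGuard(crossTenant)); // 200, data leaks
console.log('with guard:   ', dispatchWithGuard(crossTenant));    // 403
```

Because the guard is applied centrally, adding a new endpoint cannot silently skip the check; an endpoint is only exempt when it is added to PUBLIC_PATHS on purpose.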