Check app name

backend/src/Squidex.Web/Extensions.cs

@@ -23,8 +23,20 @@ namespace Squidex.Web
             return clientId?.GetClientParts().ClientId;
         }
 
-        public static (string? App, string? ClientId) GetClientParts(this string clientId)
+        public static (string? App, string? ClientId) GetClient(this ClaimsPrincipal principal)
         {
+            var clientId = principal.FindFirst(OpenIdClaims.ClientId)?.Value;
+
+            return clientId.GetClientParts();
+        }
+
+        public static (string? App, string? ClientId) GetClientParts(this string? clientId)
+        {
+            if (clientId == null)
+            {
+                return (null, null);
+            }
+
             var parts = clientId.Split(':', '~');
 
             if (parts.Length == 1)

backend/src/Squidex.Web/Pipeline/AppResolver.cs

@@ -99,7 +99,12 @@ namespace Squidex.Web.Pipeline
 
         private static (string?, PermissionSet?) FindByOpenIdClient(IAppEntity app, ClaimsPrincipal user)
         {
-            var clientId = user.GetClientId();
+            var (appName, clientId) = user.GetClient();
+
+            if (app.Name != appName)
+            {
+                return (null, null);
+            }
 
             if (clientId != null && app.Clients.TryGetValue(clientId, out var client) && app.Roles.TryGet(app.Name, client.Role, out var role))
             {