diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index c17b2ebc859d2371ee096921a0062084aa87d82d..10d57e441a1dec9ef2ea50b5a29320d885536e38 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -5,6 +5,8 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   include InitializesCurrentUserMode
   include Gitlab::Utils::StrongMemoize
 
+  prepend_before_action :set_current_organization
+
   before_action :add_gon_variables
   before_action :verify_confirmed_email!, :verify_admin_allowed!
 
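Review bot: The reason for `prepend_before_action` is not stated at the declaration, and ordering is already subtle in this controller (the existing comment in `pre_auth_params` notes that execution order matters). Prepending puts `set_current_organization` ahead of every other callback, presumably including Doorkeeper's resource-owner authentication, which is not visible in this hunk. A one-line comment would stop a later cleanup from demoting it to a plain `before_action`: `# Prepended so Current.organization is set before Doorkeeper builds pre_auth (see pre_auth_params).`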
@@ -50,6 +52,8 @@ def pre_auth_params
     # Cannot be achieved with a before_action hook, due to the execution order.
     downgrade_scopes! if action_name == 'new'
 
+    params[:organization_id] = ::Current.organization_id
+
     super
   end
 
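Review bot: The line `params[:organization_id] = ::Current.organization_id` replaces whatever `organization_id` the request carried, which looks like the intended trust boundary but is not written down. I would add a comment directly above it, `# Server-derived on purpose: a client-supplied organization_id must never choose the grant's organization.`, so the overwrite is not later relaxed to a `||=`. When `Current.organization` is unset, the key is written as nil and passed on to `super`. Whether Doorkeeper's pre-auth accepts that is not visible here. `pre_auth_params` begins above the hunk.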
@@ -117,6 +121,10 @@ def dangerous_scopes?
       *::Gitlab::Auth::REGISTRY_SCOPES
     ) && !doorkeeper_application&.trusted?
   end
+
+  def set_current_organization
+    ::Current.organization = Gitlab::Current::Organization.new(user: current_user).organization
+  end
 end
 
 Oauth::AuthorizationsController.prepend_mod
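Review bot: `set_current_organization` passes only `user: current_user`, and because the callback is prepended, `current_user` may still be nil when it runs for a signed-out request. What `.organization` returns in that case (nil or some fallback) is decided inside `Gitlab::Current::Organization`, which this diff does not show. If nil is possible, `pre_auth_params` forwards `organization_id` as nil. A spec for a signed-out request, and one for a user with no organization, would pin that behaviour. The method is added below `dangerous_scopes?`; whether that region is under `private` is not visible in the hunk and is worth confirming.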
diff --git a/spec/controllers/oauth/authorizations_controller_spec.rb b/spec/controllers/oauth/authorizations_controller_spec.rb
index a4b019df1c615702c1bd65dd3b8f69de349d731f..d391807eec14c672abc80631b6edf09ddddc75e5 100644
--- a/spec/controllers/oauth/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/authorizations_controller_spec.rb
@@ -2,8 +2,8 @@
 
 require 'spec_helper'
 
-RSpec.describe Oauth::AuthorizationsController do
-  let(:user) { create(:user) }
+RSpec.describe Oauth::AuthorizationsController, :with_current_organization, feature_category: :system_access do
+  let(:user) { create(:user, organizations: [current_organization]) }
   let(:application_scopes) { 'api read_user' }
   let(:confidential) { true }
 
@@ -128,6 +128,10 @@
           expect(response).to render_template('doorkeeper/authorizations/redirect')
         end
 
+        it "creates access grant on the Current.organization" do
+          expect { subject }.to change { OauthAccessGrant.where(organization: current_organization).count }
+        end
+
         context 'when showing applications as provided' do
           let!(:application) do
             create(
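Review bot: The new example uses `change { ... }` with no amount, so it passes on any change in the count, and nothing in the spec checks that an `organization_id` sent by the client is ignored. I would tighten the matcher to `expect { subject }.to change { OauthAccessGrant.where(organization: current_organization).count }.by(1)`. I would also add a sibling example that sends the id of a different organization in the request params and expects the grant to land on `current_organization` regardless. The enclosing context starts above the hunk, so how `subject` builds its params is not visible.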
@@ -267,6 +271,8 @@
     end
 
     context 'when the user is admin' do
+      let_it_be(:user) { create(:user, :admin, organizations: [current_organization]) }
+
       context 'when disable_admin_oauth_scopes is set' do
         before do
           stub_application_setting(disable_admin_oauth_scopes: true)
@@ -275,8 +281,6 @@
           allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
         end
 
-        let(:user) { create(:user, :admin) }
-
         it 'returns 200 and renders forbidden view' do
           subject
 
@@ -293,7 +297,6 @@
         end
 
         let(:application_scopes) { 'api' }
-        let(:user) { create(:user, :admin) }
 
         it 'returns 200 and renders redirect view' do
           subject
@@ -309,7 +312,6 @@
         end
 
         let(:application_scopes) { 'api' }
-        let(:user) { create(:user, :admin) }
 
         it 'returns 200 and renders new view' do
           subject
diff --git a/spec/features/ide_spec.rb b/spec/features/ide_spec.rb
index c9bd4d8c7c2b9753e4e912921a65e8e68936d692..3d2df0719e25283ef139b9c4cfa8249af8b7906f 100644
--- a/spec/features/ide_spec.rb
+++ b/spec/features/ide_spec.rb
@@ -2,14 +2,14 @@
 
 require 'spec_helper'
 
-RSpec.describe 'IDE', :js, feature_category: :web_ide do
+RSpec.describe 'IDE', :js, :with_current_organization, feature_category: :web_ide do
   include Features::WebIdeSpecHelpers
 
   let_it_be(:ide_iframe_selector) { '#ide iframe' }
   let_it_be(:normal_project) { create(:project, :repository) }
 
   let(:project) { normal_project }
-  let(:user) { create(:user) }
+  let(:user) { create(:user, organizations: [current_organization]) }
 
   before do
     # TODO - We need to be able to handle requests to https://*.cdn.web-ide.gitlab-static.net
diff --git a/spec/features/oauth_provider_authorize_spec.rb b/spec/features/oauth_provider_authorize_spec.rb
index 77cddcfb3df4ab1972c17c03bceca57f9292c2da..1434b3a1e095774cb9ecec03c60323b319322991 100644
--- a/spec/features/oauth_provider_authorize_spec.rb
+++ b/spec/features/oauth_provider_authorize_spec.rb
@@ -2,7 +2,9 @@
 
 require 'spec_helper'
 
-RSpec.describe 'OAuth Provider', feature_category: :system_access do
+RSpec.describe 'OAuth Provider', :with_current_organization, feature_category: :system_access do
+  let_it_be(:user) { create(:admin, organizations: [current_organization]) }
+
   def visit_oauth_authorization_path
     visit oauth_authorization_path(
       client_id: application.uid,
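Review bot: The file-level `let_it_be(:user) { create(:admin, organizations: [current_organization]) }` makes an admin the default user for every context in this spec. A later hunk removes `let(:user) { create(:user) }` from 'when brand title has HTML', so that escaping check silently switches from a regular user to an admin. Admin requests pass through `verify_admin_allowed!` in the controller, so the test would no longer cover the page an ordinary user sees. I would keep a non-admin there with `let_it_be(:user) { create(:user, organizations: [current_organization]) }`, or make the regular user the file default and override with the admin only where needed.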
@@ -44,9 +46,8 @@ def visit_oauth_device_authorization_path
   end
 
   context 'when the OAuth application has HTML in the name' do
-    let(:client_name) { '<img src=x onerror=alert(1)>' }
-    let(:application) { create(:oauth_application, name: client_name, scopes: 'read_user') }
-    let(:user) { create(:admin) }
+    let_it_be(:client_name) { '<img src=x onerror=alert(1)>' }
+    let_it_be(:application) { create(:oauth_application, name: client_name, scopes: 'read_user') }
 
     before do
       visit_oauth_authorization_path
@@ -84,7 +85,6 @@ def visit_oauth_device_authorization_path
 
   context 'when brand title has HTML' do
     let(:application) { create(:oauth_application, scopes: 'read_user') }
-    let(:user) { create(:user) }
     let!(:appearance) { create(:appearance, title: '<img src=x onerror=alert(1)>') }
 
     before do
diff --git a/spec/requests/oauth/authorizations_controller_spec.rb b/spec/requests/oauth/authorizations_controller_spec.rb
index 6ef8970a142dab08861d350b688055ef7a71c809..a4333a17dc8914334d928b48c001f65a0ed7ea96 100644
--- a/spec/requests/oauth/authorizations_controller_spec.rb
+++ b/spec/requests/oauth/authorizations_controller_spec.rb
@@ -2,8 +2,8 @@
 
 require 'spec_helper'
 
-RSpec.describe Oauth::AuthorizationsController, feature_category: :system_access do
-  let_it_be(:user) { create(:user) }
+RSpec.describe Oauth::AuthorizationsController, :with_current_organization, feature_category: :system_access do
+  let_it_be(:user) { create(:user, organizations: [current_organization]) }
   let_it_be(:application) { create(:oauth_application, redirect_uri: 'custom://test') }
 
   let(:params) do
diff --git a/spec/support/shared_examples/features/secure_oauth_authorizations_shared_examples.rb b/spec/support/shared_examples/features/secure_oauth_authorizations_shared_examples.rb
index 738d9453f78e76998633efe5fed285a3637ae880..dddda20874592c66171bd058a9d140186e3b04b8 100644
--- a/spec/support/shared_examples/features/secure_oauth_authorizations_shared_examples.rb
+++ b/spec/support/shared_examples/features/secure_oauth_authorizations_shared_examples.rb
@@ -2,7 +2,7 @@
 
 RSpec.shared_examples 'Secure OAuth Authorizations' do
   context 'when user is confirmed' do
-    let(:user) { create(:user) }
+    let_it_be(:user) { create(:user, organizations: [current_organization]) }
 
     it 'asks the user to authorize the application' do
       expect(page).to have_text "#{application.name} is requesting access to your account on"
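Review bot: These shared examples now call `current_organization`, which they do not define, so any spec that includes them without the `:with_current_organization` tag would presumably fail on an undefined name rather than on an assertion. A comment above the `RSpec.shared_examples` line would make the requirement visible: `# Requires the including spec to be tagged :with_current_organization.` `user` also moves from `let` to `let_it_be`, so it is worth confirming that no including spec overrides `user` with a plain `let` in a way that conflicts.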
@@ -10,7 +10,7 @@
   end
 
   context 'when user is unconfirmed' do
-    let(:user) { create(:user, :unconfirmed) }
+    let_it_be(:user) { create(:user, :unconfirmed) }
 
     it 'displays an error' do
       expect(page).to have_text I18n.t('doorkeeper.errors.messages.unconfirmed_email')
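Review bot: The unconfirmed user is created without `organizations: [current_organization]`, unlike the confirmed user in the hunk above, and nothing says whether that is deliberate. With the new prepended callback in the controller, this context is the only one here that exercises a user with no organization. If that is intended, a short comment such as `# No organization on purpose: the unconfirmed-email error must not depend on one.` would record it. Otherwise add the association so the two contexts stay consistent.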