I assume you are already configuring Loki with auth_enabled: true, which enables multi-tenant mode. And you probably already realize that Loki doesn’t actually do authentication (see Authentication | Grafana Loki documentation).
This is what we do in our environment. We have 7 organizations defined in Loki, and we create a set of API users for each of them (depending on use case, these can be for generic use from Grafana, or for log agents from organization AWS accounts). We have Nginx in front of both the Loki read path and write path, and authentication happens on the Nginx server in the form of basic auth. As the API users authenticate successfully, the org header is then appended to the request before it is forwarded to Loki. On Grafana we have a similar set of organizations defined, and each of them has access to only their own organization in Loki through the API user; with oauth and group mapping, authorization is provided to end users. No one except the operators has access to Loki; they must go through Grafana, which enforces oauth + organizational separation.
If you need to provide direct access to Loki to end users as well, you can potentially configure nginx to use oauth (or whatever authentication mechanism you use), and map groups to org id header. I haven’t tried this before, but I think it would work.
I had a similar discussion with someone else a while ago, might be something useful in there as well: Roadmap - Loki in Multi user enviroment - #6 by christinevonschrott1
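An added example of the Nginx side of the setup described above (this is not the poster's configuration; the tenant names, API user names, listen port, htpasswd path and Loki address are all assumed):

```nginx
# Map the basic-auth user name to a Loki tenant. Unknown users get an
# empty value. Assumed, constructed names: two tenants, three API users.
map $remote_user $loki_org_id {
    default            "";
    "tenant-a-grafana" "tenant-a";   # Grafana datasource user for tenant A
    "tenant-a-agent"   "tenant-a";   # log agent user for tenant A
    "tenant-b-grafana" "tenant-b";
}

server {
    listen 443 ssl;                  # basic auth must only travel over TLS
    server_name loki.example.internal;                # placeholder
    ssl_certificate     /etc/nginx/tls/loki.crt;      # placeholder
    ssl_certificate_key /etc/nginx/tls/loki.key;      # placeholder

    # Same rules for the write path (/loki/api/v1/push) and the read path
    # (/loki/api/v1/query_range etc.), so one location covers both.
    location / {
        auth_basic           "Loki";
        auth_basic_user_file /etc/nginx/loki.htpasswd;  # assumed path

        # Always overwrite X-Scope-OrgID with the mapped tenant, so a
        # client-supplied value never reaches Loki. For a user with no
        # mapping the value is empty, nginx then drops the header entirely,
        # and Loki (auth_enabled: true) rejects the request with "no org id".
        proxy_set_header X-Scope-OrgID $loki_org_id;
        proxy_set_header Authorization "";   # don't forward credentials
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:3100;    # assumed Loki address
    }
}
```

Because $loki_org_id is derived from $remote_user after auth_basic has run, a valid password is required before any tenant is attached, and each tenant's users can only ever see or write their own tenant's streams.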