We are developing web applications for our different customers that would be accessible from the Apps menu in Genesys Cloud.
We have used the Code Authorization to secure our third-party website; the problem is that the OAuth token cannot be restricted to a specific organization. Indeed, anyone who has a PureCloud account will be able to generate an OAuth token, even if the clientID does not belong to their organization.
I am wondering if I am missing something with the Code Authorization method? And what would be the proper way to secure a static web resource (we are using Apache/NGINX)?
The ability to authenticate with any org is a standard feature of OAuth. You're not missing anything; it's working as intended. If you want to block access to your app from other orgs, build that logic into your server-side code auth logic to check the user's org and abort the authorization process if their org isn't allowed to access your app.
You can use any of the supported Authorization Types, but they all behave in this manner (except for client credentials, which doesn't apply to your use case of having a human user). The decision of which grant type you use is determined by your architecture.
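A sketch of the server-side check described in the answer above, as an added example that is not code from this thread or from Genesys. It assumes the region hosts shown, the `/api/v2/users/me?expand=organization` lookup for the user's org, and a constructed allow-list; the `fetch` parameter is a hypothetical hook so the logic can be exercised without network access.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumptions, not from the thread: region hosts and a constructed allow-list.
LOGIN_HOST = "https://login.mypurecloud.com"
API_HOST = "https://api.mypurecloud.com"
ALLOWED_ORG_IDS = {"11111111-1111-1111-1111-111111111111"}  # constructed org id


def http_json(url, headers, form=None):
    """Default transport: POST when form data is given, otherwise GET."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_code(code, client_id, client_secret, redirect_uri, fetch=http_json):
    """Swap the authorization code for an access token (server side only)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    body = fetch(f"{LOGIN_HOST}/oauth/token",
                 {"Authorization": f"Basic {basic}"}, form)
    return body["access_token"]


def org_of_token(access_token, fetch=http_json):
    """Ask the API which organization the token's user belongs to."""
    body = fetch(f"{API_HOST}/api/v2/users/me?expand=organization",
                 {"Authorization": f"Bearer {access_token}"})
    return (body.get("organization") or {}).get("id")


def finish_login(code, client_id, client_secret, redirect_uri, fetch=http_json):
    """Return session data for an allowed org; raise PermissionError otherwise."""
    token = exchange_code(code, client_id, client_secret, redirect_uri, fetch)
    org_id = org_of_token(token, fetch)
    # Fail closed: a missing or unknown org id never gets a session.
    if org_id not in ALLOWED_ORG_IDS:
        raise PermissionError(f"organization {org_id!r} is not allowed")
    return {"org_id": org_id, "access_token": token}
```

The redirect handler would call `finish_login` and only issue the session cookie that gates the static files when it returns; a `PermissionError` aborts the login.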