We’re developing the SharePoint Connector for Confluence and Jira with Forge and MSAL. Currently, the OAuth2 authorization and token exchange paths in the Forge manifest are fixed to:
/organizations/oauth2/v2.0/authorize
/organizations/oauth2/v2.0/token
This static path prevents guest users from other Microsoft Entra tenants from accessing SharePoint content hosted in the organization’s tenant. This was previously supported in our Connect-based app using a custom MSAL flow.
We’d like to request support for dynamic tenant path configuration in Forge, e.g.:
/{tenant}/oauth2/v2.0/authorize
/{tenant}/oauth2/v2.0/token
We understand that the Forge manifest is statically validated at build time for security reasons, but introducing parameterized paths or runtime tenant aliasing could offer a safe and flexible way to support multi-tenant scenarios without compromising the Forge architecture.
Is this something that could be considered for future Forge updates?
Just added this as a formal feature request. If anyone else is facing similar guest access limitations with Forge OAuth2, feel free to share your use case or upvote.
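The parameterized paths requested above would need the tenant segment constrained before it is substituted. The following is an added example, not part of the original post and not Forge or MSAL code, of one way to do that; `normalizeTenant`, `resolveEndpoints`, the optional allowlist and the `login.microsoftonline.com` authority host are assumptions of this example.

```javascript
// Hypothetical helper (not a Forge or MSAL API): resolves the {tenant}
// placeholder in the two path templates from the request above.
const AUTHORITY_HOST = 'https://login.microsoftonline.com'; // assumed: Entra public cloud
const TEMPLATES = {
  authorize: '/{tenant}/oauth2/v2.0/authorize',
  token: '/{tenant}/oauth2/v2.0/token',
};

// Tenant aliases defined by Microsoft; 'organizations' is the value fixed today.
const ALIASES = new Set(['common', 'organizations', 'consumers']);
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
// DNS name only: labels of letters, digits and hyphens, so no '/', '%', '?', '#' or '@'.
const DOMAIN = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

function normalizeTenant(input) {
  if (typeof input !== 'string') throw new TypeError('tenant must be a string');
  const tenant = input.toLowerCase();
  if (ALIASES.has(tenant) || GUID.test(tenant) || DOMAIN.test(tenant)) return tenant;
  throw new RangeError('tenant is not an alias, a tenant ID (GUID) or a domain name');
}

function resolveEndpoints(tenantInput, allowedTenants) {
  const tenant = normalizeTenant(tenantInput);
  // Optional allowlist (a Set) of tenants an admin approved for guest access.
  if (allowedTenants && !allowedTenants.has(tenant)) {
    throw new RangeError('tenant is not on the allowlist');
  }
  const endpoints = {};
  for (const [name, template] of Object.entries(TEMPLATES)) {
    const url = new URL(template.replace('{tenant}', tenant), AUTHORITY_HOST);
    // Defence in depth: substitution must not change the host or the path shape.
    if (url.origin !== AUTHORITY_HOST ||
        url.pathname !== `/${tenant}/oauth2/v2.0/${name}`) {
      throw new Error('resolved URL left the expected authority');
    }
    endpoints[name] = url.href;
  }
  return endpoints;
}
```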