Support for dynamic paths in Forge OAuth2 flows

We’re developing the SharePoint Connector for Confluence and Jira with Forge and MSAL. Currently, the OAuth2 authorization and token exchange paths in the Forge manifest are fixed to:

/organizations/oauth2/v2.0/authorize
/organizations/oauth2/v2.0/token

This static path prevents guest users from other Microsoft Entra tenants from accessing SharePoint content hosted in the organization’s tenant. This was previously supported in our Connect-based app using a custom MSAL flow.

We’d like to request support for dynamic tenant path configuration in Forge, e.g.:

/{tenant}/oauth2/v2.0/authorize
/{tenant}/oauth2/v2.0/token

We understand that the Forge manifest is statically validated at build time for security reasons, but introducing parameterized paths or runtime tenant aliasing could offer a safe and flexible way to support multi-tenant scenarios without compromising the Forge architecture.

Is this something that could be considered for future Forge updates?

Just added this as a formal feature request. If anyone else is facing similar guest access limitations with Forge OAuth2, feel free to share your use case or upvote.


Hi @FrankSchreiber, that is an interesting problem that you are facing and I think what you’re after is an extension to this feature request for dynamic egress permissions. I would recommend that you upvote on that ticket and add a comment regarding your use case (or a link to your feature request).

In the meantime, if this app is one that you are using internally, a really hacky workaround that I can think of is to host a proxy for the Microsoft OAuth endpoints. The proxy would implement the logic to route to the targeted Microsoft tenant.
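The proxy workaround from the reply above, as an added example that is not the poster's or Forge's own code: the tenant-routing core of such a proxy. It assumes the target tenant arrives in a hypothetical `tenantHint` query parameter and must match an operator-maintained allowlist; the HTTP server that forwards the rewritten request and relays the response is not shown.

```javascript
// Added example, not code from the post or from Forge: the tenant-routing core of
// the proxy workaround. Forge keeps calling the fixed "/organizations/..." paths on
// the proxy; the proxy rewrites them to the target tenant's Microsoft endpoint.
// Assumption: the target tenant arrives in a hypothetical "tenantHint" query
// parameter, which is stripped before forwarding. Everything else passes through.
const UPSTREAM_HOST = "https://login.microsoftonline.com";
const FIXED_PREFIX = "/organizations/oauth2/v2.0/";
const ALLOWED_ACTIONS = new Set(["authorize", "token"]);

// Constructed allowlist of tenants the proxy may route to. Routing only to values
// an operator registered here is what keeps the proxy from becoming an open
// redirector or from forwarding credentials to an arbitrary path or host.
const ALLOWED_TENANTS = new Set([
  "11111111-2222-3333-4444-555555555555", // constructed tenant id
  "contoso.onmicrosoft.com",              // constructed verified domain
]);

function resolveUpstream(requestPath) {
  // Parse against a dummy base; only the path and query of the request matter.
  const url = new URL(requestPath, "http://proxy.invalid");
  if (!url.pathname.startsWith(FIXED_PREFIX)) return null;
  const action = url.pathname.slice(FIXED_PREFIX.length);
  if (!ALLOWED_ACTIONS.has(action)) return null;

  const hint = url.searchParams.get("tenantHint");
  url.searchParams.delete("tenantHint");
  // No hint: behave exactly like the static manifest path.
  const tenant = hint === null ? "organizations" : hint.toLowerCase();
  if (tenant !== "organizations" && !ALLOWED_TENANTS.has(tenant)) return null;

  // The tenant segment is always an allowlisted value, never free text, so the
  // rebuilt URL cannot be steered outside Microsoft's OAuth2 v2.0 endpoints.
  return `${UPSTREAM_HOST}/${tenant}/oauth2/v2.0/${action}${url.search}`;
}
```

The token exchange (`/token`) must be relayed with its request and response bodies untouched and unlogged, since they carry the client secret, authorization code and issued tokens.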