x-pack/filebeat/input/salesforce: Add optional token_url support for JWT Bearer Flow authentication

NOTICE.txt

@@ -13304,11 +13304,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-seccomp-bpf@
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/go-sfdc
-Version: v0.0.0-20241010131323-8e176480d727
+Version: v0.0.0-20251207194532-c5aadd4a4e06
 Licence type (autodetected): MIT
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/[email protected]20241010131323-8e176480d727/LICENSE.txt:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/[email protected]20251207194532-c5aadd4a4e06/LICENSE.txt:
 
 MIT License
 

changelog/fragments/1765138168-salesforce-jwt-custom-endpoint.yaml

@@ -0,0 +1,50 @@
+# REQUIRED
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user's deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# REQUIRED for all kinds
+# Change summary; a 80ish characters long description of the change.
+summary: Add optional token_url support for JWT Bearer Flow in Salesforce input.
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+description: |
+  The Salesforce input now supports a separate `token_url` configuration for JWT Bearer Flow
+  authentication. This allows users with custom Salesforce domains or restrictions on default
+  endpoints (login.salesforce.com/test.salesforce.com) to specify a different token endpoint
+  URL while keeping the audience URL separate. If token_url is not provided, the existing
+  behavior of using the audience URL as the token endpoint is maintained.
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# impact:
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# action:
+
+# REQUIRED for all kinds
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: filebeat
+
+# AUTOMATED
+# OPTIONAL to manually add other PR URLs
+# PR URL: A link the PR that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+# pr: https://github.com/owner/repo/1234
+
+# AUTOMATED
+# OPTIONAL to manually add other issue URLs
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/beats/issues/43963

filebeat/docs/modules/salesforce.asciidoc

@@ -118,6 +118,7 @@ Example config:
         client.username: "[email protected]"
         client.key_path: client_key.pem
         url: https://login.salesforce.com
+        token_url: "https://[custom-domain].my.salesforce.com"
       user_password_flow:
         enabled: true
         client.id: "my-client-id"
@@ -168,6 +169,10 @@ Path to the client key file for JWT authentication.
 
 The audience URL for JWT authentication.
 
+*`var.authentication.jwt_bearer_flow.token_url`*::
+
+The Salesforce OAuth token endpoint for JWT authentication. This endpoint is used for JWT Bearer flow and defaults to `var.authentication.jwt_bearer_flow.url` if empty. Only use a custom value if you have a custom domain and don't allow default endpoints such as `https://login.salesforce.com` or `https://test.salesforce.com`.
+
 *`var.authentication.user_password_flow.enabled`*::
 
 Set to true to use user-password authentication.
@@ -236,6 +241,7 @@ Example config:
         client.username: "[email protected]"
         client.key_path: client_key.pem
         url: https://login.salesforce.com
+        token_url: "https://[custom-domain].my.salesforce.com"
       user_password_flow:
         enabled: true
         client.id: "my-client-id"
@@ -286,6 +292,10 @@ Path to the client key file for JWT authentication.
 
 The audience URL for JWT authentication.
 
+*`var.authentication.jwt_bearer_flow.token_url`*::
+
+The Salesforce OAuth token endpoint for JWT authentication. This endpoint is used for JWT Bearer flow and defaults to `var.authentication.jwt_bearer_flow.url` if empty. Only use a custom value if you have a custom domain and don't allow default endpoints such as `https://login.salesforce.com` or `https://test.salesforce.com`.
+
 *`var.authentication.user_password_flow.enabled`*::
 
 Set to true to use user-password authentication.
@@ -354,6 +364,7 @@ Example config:
         client.username: "[email protected]"
         client.key_path: client_key.pem
         url: https://login.salesforce.com
+        token_url: "https://[custom-domain].my.salesforce.com"
       user_password_flow:
         enabled: true
         client.id: "my-client-id"
@@ -400,6 +411,10 @@ Path to the client key file for JWT authentication.
 
 The audience URL for JWT authentication.
 
+*`var.authentication.jwt_bearer_flow.token_url`*::
+
+The Salesforce OAuth token endpoint for JWT authentication. This endpoint is used for JWT Bearer flow and defaults to `var.authentication.jwt_bearer_flow.url` if empty. Only use a custom value if you have a custom domain and don't allow default endpoints such as `https://login.salesforce.com` or `https://test.salesforce.com`.
+
 *`var.authentication.user_password_flow.enabled`*::
 
 Set to true to use user-password authentication.
@@ -457,6 +472,7 @@ Example config:
         client.username: "[email protected]"
         client.key_path: client_key.pem
         url: https://login.salesforce.com
+        token_url: "https://[custom-domain].my.salesforce.com"
       user_password_flow:
         enabled: true
         client.id: "my-client-id"
@@ -504,6 +520,10 @@ Path to the client key file for JWT authentication.
 
 The audience URL for JWT authentication.
 
+*`var.authentication.jwt_bearer_flow.token_url`*::
+
+The Salesforce OAuth token endpoint for JWT authentication. This endpoint is used for JWT Bearer flow and defaults to `var.authentication.jwt_bearer_flow.url` if empty. Only use a custom value if you have a custom domain and don't allow default endpoints such as `https://login.salesforce.com` or `https://test.salesforce.com`.
+
 *`var.authentication.user_password_flow.enabled`*::
 
 Set to true to use user-password authentication.

go.mod

@@ -177,7 +177,7 @@ require (
 	github.com/elastic/go-elasticsearch/v8 v8.19.0
 	github.com/elastic/go-freelru v0.16.0
 	github.com/elastic/go-quark v0.3.0
-	github.com/elastic/go-sfdc v0.0.0-20241010131323-8e176480d727
+	github.com/elastic/go-sfdc v0.0.0-20251207194532-c5aadd4a4e06
 	github.com/elastic/mito v1.24.0
 	github.com/elastic/mock-es v0.0.0-20250530054253-8c3b6053f9b6
 	github.com/elastic/sarama v1.19.1-0.20250603175145-7672917f26b6

go.sum

@@ -406,8 +406,8 @@ github.com/elastic/go-quark v0.3.0 h1:d4vokx0psEJo+93fnhvWpTJMggPd9rfMJSleoLva4x
 github.com/elastic/go-quark v0.3.0/go.mod h1:bO/XIGZBUJGxyiJ9FTsSYn9YlfOTRJnmOP+iBE2FyjA=
 github.com/elastic/go-seccomp-bpf v1.5.0 h1:gJV+U1iP+YC70ySyGUUNk2YLJW5/IkEw4FZBJfW8ZZY=
 github.com/elastic/go-seccomp-bpf v1.5.0/go.mod h1:umdhQ/3aybliBF2jjiZwS492I/TOKz+ZRvsLT3hVe1o=
-github.com/elastic/go-sfdc v0.0.0-20241010131323-8e176480d727 h1:yuiN60oaQUz2PtNpNhDI2H6zrCdfiiptmNdwV5WUaKA=
-github.com/elastic/go-sfdc v0.0.0-20241010131323-8e176480d727/go.mod h1:sw1pzz4pIqzDQxFWt3dFoG2uIUFAfThxlMfWpjH590E=
+github.com/elastic/go-sfdc v0.0.0-20251207194532-c5aadd4a4e06 h1:TEeq+uvg9+B0f+8JdaqzAdtmhgz9KX/OGtKyQAKA4ac=
+github.com/elastic/go-sfdc v0.0.0-20251207194532-c5aadd4a4e06/go.mod h1:sw1pzz4pIqzDQxFWt3dFoG2uIUFAfThxlMfWpjH590E=
 github.com/elastic/go-structform v0.0.12 h1:HXpzlAKyej8T7LobqKDThUw7BMhwV6Db24VwxNtgxCs=
 github.com/elastic/go-structform v0.0.12/go.mod h1:CZWf9aIRYY5SuKSmOhtXScE5uQiLZNqAFnwKR4OrIM4=
 github.com/elastic/go-sysinfo v1.15.3 h1:W+RnmhKFkqPTCRoFq2VCTmsT4p/fwpo+3gKNQsn1XU0=

x-pack/filebeat/filebeat.reference.yml

@@ -1494,6 +1494,7 @@ filebeat.modules:
 # - enabled: Set to true to enable ingestion of Salesforce module fileset
 # - initial_interval: Initial interval for log collection. This setting determines the time period for which the logs will be initially collected when the ingestion process starts, i.e. 1d/h/m/s
 # - api_version: API version for Salesforce, version should be greater than 46.0
+# - url: URL for Salesforce instance
 
 # Authentication Configurations:
 # User-Password Authentication:
@@ -1510,6 +1511,7 @@ filebeat.modules:
 # - client.username: Username for JWT authentication
 # - client.key_path: Path to client key for JWT authentication
 # - url: Audience URL for JWT authentication
+# - token_url: Token URL for JWT authentication
 
 # Event Monitoring:
 # - real_time: Set to true to enable real-time logging using object type data collection
@@ -1541,6 +1543,7 @@ filebeat.modules:
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
@@ -1567,6 +1570,7 @@ filebeat.modules:
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
@@ -1596,6 +1600,7 @@ filebeat.modules:
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
@@ -1625,11 +1630,13 @@ filebeat.modules:
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
     var.real_time: true
-    var.real_time_interval: 5m
+    var.real_time_interval: 5m
+
 #----------------------------- Google Santa Module -----------------------------
 - module: santa
   log:

x-pack/filebeat/input/salesforce/config_auth.go

@@ -33,6 +33,7 @@ type JWTBearerFlow struct {
 	Enabled *bool `config:"enabled"`
 
 	URL            string `config:"url"`
+	TokenURL       string `config:"token_url"` // If not provided, the URL will be used by go-sfdc package.
 	ClientID       string `config:"client.id"`
 	ClientUsername string `config:"client.username"`
 	ClientKeyPath  string `config:"client.key_path"`

x-pack/filebeat/input/salesforce/input.go

@@ -465,6 +465,7 @@ func (s *salesforceInput) getSFDCConfig(cfg *config) (*sfdc.Configuration, error
 
 		passCreds := credentials.JwtCredentials{
 			URL:            cfg.Auth.OAuth2.JWTBearerFlow.URL,
+			TokenURL:       cfg.Auth.OAuth2.JWTBearerFlow.TokenURL,
 			ClientId:       cfg.Auth.OAuth2.JWTBearerFlow.ClientID,
 			ClientUsername: cfg.Auth.OAuth2.JWTBearerFlow.ClientUsername,
 			ClientKey:      signKey,

x-pack/filebeat/module/salesforce/_meta/config.yml

@@ -4,6 +4,7 @@
 # - enabled: Set to true to enable ingestion of Salesforce module fileset
 # - initial_interval: Initial interval for log collection. This setting determines the time period for which the logs will be initially collected when the ingestion process starts, i.e. 1d/h/m/s
 # - api_version: API version for Salesforce, version should be greater than 46.0
+# - url: URL for Salesforce instance
 
 # Authentication Configurations:
 # User-Password Authentication:
@@ -20,6 +21,7 @@
 # - client.username: Username for JWT authentication
 # - client.key_path: Path to client key for JWT authentication
 # - url: Audience URL for JWT authentication
+# - token_url: Token URL for JWT authentication
 
 # Event Monitoring:
 # - real_time: Set to true to enable real-time logging using object type data collection
@@ -51,6 +53,7 @@
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
@@ -77,6 +80,7 @@
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
@@ -106,6 +110,7 @@
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
@@ -135,8 +140,9 @@
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
     var.real_time: true
-    var.real_time_interval: 5m
+    var.real_time_interval: 5m

x-pack/filebeat/modules.d/salesforce.yml.disabled

@@ -7,6 +7,7 @@
 # - enabled: Set to true to enable ingestion of Salesforce module fileset
 # - initial_interval: Initial interval for log collection. This setting determines the time period for which the logs will be initially collected when the ingestion process starts, i.e. 1d/h/m/s
 # - api_version: API version for Salesforce, version should be greater than 46.0
+# - url: URL for Salesforce instance
 
 # Authentication Configurations:
 # User-Password Authentication:
@@ -23,6 +24,7 @@
 # - client.username: Username for JWT authentication
 # - client.key_path: Path to client key for JWT authentication
 # - url: Audience URL for JWT authentication
+# - token_url: Token URL for JWT authentication
 
 # Event Monitoring:
 # - real_time: Set to true to enable real-time logging using object type data collection
@@ -54,6 +56,7 @@
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
@@ -80,6 +83,7 @@
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
@@ -109,6 +113,7 @@
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
@@ -138,8 +143,9 @@
         client.username: "<YourClientUsernameHere>"
         client.key_path: "<YourClientKeyPathHere>"
         url: "https://login.salesforce.com"
+        # token_url: "<YourTokenURLHere>"
 
     var.url: "https://instance_id.my.salesforce.com"
 
     var.real_time: true
-    var.real_time_interval: 5m
+    var.real_time_interval: 5m