Skip to content

Comments

[9.2](backport #43933) x-pack/filebeat/input/salesforce: Add optional token_url support for JWT Bearer Flow authentication#48470

Open
mergify[bot] wants to merge 8 commits into9.2from
mergify/bp/9.2/pr-43933
Open

[9.2](backport #43933) x-pack/filebeat/input/salesforce: Add optional token_url support for JWT Bearer Flow authentication#48470
mergify[bot] wants to merge 8 commits into9.2from
mergify/bp/9.2/pr-43933

Conversation

@mergify
Copy link
Contributor

@mergify mergify bot commented Jan 19, 2026

Proposed commit message

This PR adds optional support for a separate token_url configuration in the Salesforce input's JWT Bearer Flow authentication.

Currently, when using JWT authentication in the Salesforce integration, the url configuration is used for both:

  1. The audience claim (aud) in the JWT
  2. The token endpoint to request the access token from

However, some users have custom Salesforce domains or have disabled logins for the default endpoints (https://login.salesforce.com or https://test.salesforce.com). In these cases, the audience URL and the token endpoint URL need to be different.

The new optional configuration is:

var.authentication:
  jwt_bearer_flow:
    enabled: true
    client.id: "my-client-id"
    client.username: "my.email@here.com"
    client.key_path: client_key.pem
    url: https://login.salesforce.com           # Audience URL for JWT claim
    token_url: "https://custom-domain.my.salesforce.com"  # Optional: Token endpoint URL**Behavior:**
- If `token_url` is **not provided**: The `url` value is used for both the JWT audience claim and the token endpoint (existing behavior)
- If `token_url` is **provided**: The `url` is used for the JWT audience claim, and `token_url` is used for the token endpoint

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Related issues

@shmsr @mergify
x-pack/filebeat/input/salesforce: Add optional token_url support fo…
5ec402c 
…r JWT Bearer Flow authentication (#43933)

(cherry picked from commit 00e189e)

# Conflicts:
#	go.mod
@mergify mergify bot added backport conflicts There is a conflict in the backported pull request labels Jan 19, 2026
@mergify mergify bot requested review from a team as code owners January 19, 2026 18:47
@mergify mergify bot requested review from andrzej-stencel and leehinman and removed request for a team January 19, 2026 18:47
@mergify mergify bot assigned shmsr Jan 19, 2026
@mergify
Copy link
Contributor Author

mergify bot commented Jan 19, 2026

Cherry-pick of 00e189e has failed:

On branch mergify/bp/9.2/pr-43933
Your branch is up to date with 'origin/9.2'.

You are currently cherry-picking commit 00e189e56.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   NOTICE.txt
	new file:   changelog/fragments/1765138168-salesforce-jwt-custom-endpoint.yaml
	modified:   filebeat/docs/modules/salesforce.asciidoc
	modified:   go.sum
	modified:   x-pack/filebeat/filebeat.reference.yml
	modified:   x-pack/filebeat/input/salesforce/config_auth.go
	modified:   x-pack/filebeat/input/salesforce/config_auth_test.go
	modified:   x-pack/filebeat/input/salesforce/input.go
	modified:   x-pack/filebeat/input/salesforce/input_test.go
	modified:   x-pack/filebeat/module/salesforce/_meta/config.yml
	modified:   x-pack/filebeat/modules.d/salesforce.yml.disabled

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   go.mod

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 19, 2026
@mergify mergify bot mentioned this pull request Jan 19, 2026
Merged
6 tasks
@github-actions
Copy link
Contributor

github-actions bot commented Jan 19, 2026

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@github-actions github-actions bot added Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team Team:Obs-InfraObs Label for the Observability Infrastructure Monitoring team labels Jan 19, 2026
@elasticmachine
Copy link
Contributor

elasticmachine commented Jan 19, 2026

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 19, 2026
@mergify
Copy link
Contributor Author

mergify bot commented Jan 24, 2026

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b mergify/bp/9.2/pr-43933 upstream/mergify/bp/9.2/pr-43933
git merge upstream/9.2
git push upstream mergify/bp/9.2/pr-43933

@mergify
Copy link
Contributor Author

mergify bot commented Jan 26, 2026

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏

@shmsr
Merge branch '9.2' into mergify/bp/9.2/pr-43933
070b916 
Resolve merge conflicts:
- go.mod: Keep newer go-sfdc for token_url feature, keep mito v1.22.1 from 9.2
- go.sum: Update mito checksum to v1.22.1
- NOTICE.txt: Update mito version reference to v1.22.1
@mergify
Copy link
Contributor Author

mergify bot commented Feb 2, 2026

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏

@shmsr shmsr enabled auto-merge (squash) February 5, 2026 11:57
@mergify
Copy link
Contributor Author

mergify bot commented Feb 9, 2026

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏

@mergify
Copy link
Contributor Author

mergify bot commented Feb 16, 2026

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏

@mergify
Copy link
Contributor Author

mergify bot commented Feb 23, 2026

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shmsr shmsr shmsr approved these changes

@andrzej-stencel andrzej-stencel andrzej-stencel approved these changes

@leehinman leehinman Awaiting requested review from leehinman leehinman is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@shmsr shmsr

Labels

backport conflicts There is a conflict in the backported pull request Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team Team:Obs-InfraObs Label for the Observability Infrastructure Monitoring team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@elasticmachine @shmsr @andrzej-stencel