[9.3](backport #43933) x-pack/filebeat/input/salesforce: Add optional token_url support for JWT Bearer Flow authentication

[mergify]

Proposed commit message

This PR adds optional support for a separate token_url configuration in the Salesforce input's JWT Bearer Flow authentication.

Currently, when using JWT authentication in the Salesforce integration, the url configuration is used for both:

1. The audience claim (aud) in the JWT
2. The token endpoint to request the access token from

However, some users have custom Salesforce domains or have disabled logins for the default endpoints (https://login.salesforce.com or https://test.salesforce.com). In these cases, the audience URL and the token endpoint URL need to be different.

The new optional configuration is:

var.authentication:
  jwt_bearer_flow:
    enabled: true
    client.id: "my-client-id"
    client.username: "my.email@here.com"
    client.key_path: client_key.pem
    url: https://login.salesforce.com           # Audience URL for JWT claim
    token_url: "https://custom-domain.my.salesforce.com"  # Optional: Token endpoint URL**Behavior:**
- If `token_url` is **not provided**: The `url` value is used for both the JWT audience claim and the token endpoint (existing behavior)
- If `token_url` is **provided**: The `url` is used for the JWT audience claim, and `token_url` is used for the token endpoint

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
• I have added an entry in ./changelog/fragments using the changelog tool.

Related issues

• Closes x-pack/filebeat/input/salesforce: Add optional support for Token URL for JWT provider #43963
• Related credentials: Add optional token endpoint URL for JWT provider go-sfdc#4

  ---

  This is an automatic backport of pull request x-pack/filebeat/input/salesforce: Add optional token_url support for JWT Bearer Flow authentication #43933 done by Mergify.

[github-actions]

🤖 GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b mergify/bp/9.3/pr-43933 upstream/mergify/bp/9.3/pr-43933
git merge upstream/9.3
git push upstream mergify/bp/9.3/pr-43933

[mergify]

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏

[mergify]

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏

[mergify]

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏

[mergify]

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏

[mergify]

This pull request has not been merged yet. Could you please review and merge it @shmsr? 🙏