
x-pack/filebeat/input/salesforce: Add optional `token_url` support for JWT Bearer Flow authentication

Open shmsr opened this issue 8 months ago • 3 comments

Proposed commit message

This PR adds optional support for a separate token_url configuration in the Salesforce input's JWT Bearer Flow authentication.

Currently, when using JWT authentication in the Salesforce integration, the url configuration is used for both:

  1. The audience claim (aud) in the JWT
  2. The token endpoint to request the access token from

However, some users have custom Salesforce domains or have disabled logins for the default endpoints (https://login.salesforce.com or https://test.salesforce.com). In these cases, the audience URL and the token endpoint URL need to be different.

The new optional configuration is:

```yaml
var.authentication:
  jwt_bearer_flow:
    enabled: true
    client.id: "my-client-id"
    client.username: "[email protected]"
    client.key_path: client_key.pem
    url: https://login.salesforce.com           # Audience URL for JWT claim
    token_url: "https://custom-domain.my.salesforce.com"  # Optional: Token endpoint URL
```

**Behavior:**

- If `token_url` is **not provided**: The `url` value is used for both the JWT audience claim and the token endpoint (existing behavior)
- If `token_url` is **provided**: The `url` is used for the JWT audience claim, and `token_url` is used for the token endpoint

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [x] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • [x] I have added an entry in ./changelog/fragments using the changelog tool.

Related issues

  • Closes https://github.com/elastic/beats/issues/43963
  • Related https://github.com/elastic/go-sfdc/pull/4

shmsr avatar Apr 15 '25 20:04 shmsr
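The `url`/`token_url` split described in the PR, as an added Go example that is not part of the beats code base or of this PR: `url` always becomes the JWT `aud` claim, and `token_url`, when set, only changes the host the signed assertion is posted to. The `/services/oauth2/token` path and the `iss`/`sub`/`aud`/`exp` claim set are assumptions about Salesforce's JWT Bearer Flow rather than text from the PR; signing uses RS256 from the standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"time"
)

// JWTConfig mirrors jwt_bearer_flow's client.id, client.username, url, token_url.
type JWTConfig struct{ ClientID, Username, URL, TokenURL string }

// ResolveEndpoints applies the PR's rule: url is always the audience; the token
// endpoint is token_url when set, else url. The /services/oauth2/token path is
// an assumption about Salesforce, not something the PR text states.
func ResolveEndpoints(c JWTConfig) (audience, tokenEndpoint string) {
	base := c.URL
	if c.TokenURL != "" {
		base = c.TokenURL
	}
	return c.URL, base + "/services/oauth2/token"
}

// BuildAssertion signs an RS256 JWT whose aud is the configured url, no matter
// which host the token request is later sent to.
func BuildAssertion(c JWTConfig, key *rsa.PrivateKey, now time.Time) (string, error) {
	audience, _ := ResolveEndpoints(c)
	enc := base64.RawURLEncoding
	claims, err := json.Marshal(map[string]any{
		"iss": c.ClientID, "sub": c.Username, "aud": audience,
		"exp": now.Add(3 * time.Minute).Unix(), // short-lived assertion
	})
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
```

With `token_url` unset, both return values of `ResolveEndpoints` derive from `url`, which is the existing behavior the PR preserves.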

This pull request does not have a backport label. If this is a bug or security fix, could you label this PR @shmsr? 🙏. For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fix up this pull request, you need to add the backport labels for the needed branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

mergify[bot] avatar Apr 15 '25 20:04 mergify[bot]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

elasticmachine avatar Dec 08 '25 07:12 elasticmachine

Can someone from @elastic/elastic-agent-data-plane please review this PR?

shmsr avatar Dec 12 '25 11:12 shmsr