fix(filebeat/entityanalytics): fix Okta OAuth2 token refresh for jwk_pem and jwk_file authentication#50433

Open

wucm667 wants to merge 3 commits into elastic:main from wucm667:fix/okta-oauth2-pem-auth

Conversation


@wucm667 wucm667 commented Apr 30, 2026

Fixes #50426

Bug

When using Okta OAuth2 authentication with jwk_pem or jwk_file configuration in the entityanalytics provider, token refresh fails because the JWK data is not correctly stored and retrieved during the OAuth2 token source lifecycle.

Root Cause

The oktaTokenSource struct initialization in fetchOktaOauthClient() always writes the JWK data to oktaJWK: o.OktaJWKJSON, which is only valid for the jwk (inline JSON) authentication mode. When using jwk_file or jwk_pem modes, this field remains nil because the JWK data is loaded from a file or PEM-encoded string instead.

During token refresh, the Token() method checks these fields to determine which JWT construction function to call:

  • generateJWTFromKeysWithPEM requires oktaJWKPEM
  • generateJWTFromKeys requires oktaJWK

Since the PEM/file modes stored their data in the wrong fields (or not at all), the refresh path could not find the correct JWK data and fell back to the wrong JWT generation function, causing authentication failures.

Fix

  1. Added oktaJWKPEM field to the oktaTokenSource struct to hold PEM-encoded JWK data.
  2. In fetchOktaOauthClient(), now correctly routes JWK data into the appropriate fields based on the configured authentication mode:
    • jwk → oktaJWK (JSON)
    • jwk_file → oktaJWK (file contents)
    • jwk_pem → oktaJWKPEM (PEM string)
  3. Updated Token() method to check both oktaJWK and oktaJWKPEM fields and call the correct JWT generation function accordingly.
  4. Applied the same fix to the httpjson and CEL input Okta auth configurations for consistency.

Verification

  • make test passes for x-pack/filebeat/input/entityanalytics/provider/okta (all 8 tests)
  • make test passes for x-pack/filebeat/input/httpjson (22 tests, includes okta auth config)
  • make test passes for x-pack/filebeat/input/cel (5 tests, includes okta auth config)
  • All three packages have synchronized Okta auth logic changes

…ile auth

When using OktaJWKFile or OktaJWKPEM for Okta OAuth2 authentication,
token refresh failed because oktaTokenSource always stored
o.OktaJWKJSON (which is nil for file/PEM auth). Subsequent Token()
calls passed empty data to generateOktaJWT, causing 'error decoding JWK'.

Fix: Add oktaJWKPEM field to oktaTokenSource. Store actual JWK data
from file read or PEM string based on auth method. Update Token() to
call generateOktaJWTPEM when PEM data is available.

Apply same fix to httpjson and cel inputs which share the same pattern.

Fixes elastic#50426
@botelastic botelastic Bot added the needs_team label (Indicates that the issue/PR needs a Team:* label) Apr 30, 2026

cla-checker-service Bot commented Apr 30, 2026

💚 CLA has been signed

@wucm667 wucm667 marked this pull request as ready for review April 30, 2026 12:33
@wucm667 wucm667 requested a review from a team as a code owner April 30, 2026 12:33
@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.


mergify Bot commented Apr 30, 2026

⚠️ The sha of the head commit of this PR conflicts with #50429. Mergify cannot evaluate rules on this PR. Once #50429 is merged or closed, Mergify will resume processing this PR. ⚠️


coderabbitai Bot commented Apr 30, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 1a7f63b and 0d5e102.

📒 Files selected for processing (4)
  • changelog/fragments/1777549938-fix-okta-oauth2-pem-file-auth-token-refresh.yaml
  • x-pack/filebeat/input/cel/config_okta_auth.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/oauth2.go
  • x-pack/filebeat/input/httpjson/config_okta_auth.go

📝 Walkthrough

This pull request fixes Okta OAuth2 token refresh when using PEM-formatted private keys. Previously, the token source only supported JWK JSON payloads, causing refresh attempts with jwk_pem or jwk_file credentials to fail with "error decoding JWK." The changes add PEM key storage to the oktaTokenSource struct across three input types (CEL, entity analytics, and HTTP JSON), and update the token generation logic to conditionally use generateOktaJWTPEM for PEM keys or generateOktaJWT for JWK JSON, along with a changelog fragment documenting the fix.



mergify Bot commented Apr 30, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @wucm667? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@botelastic botelastic Bot removed the needs_team label (Indicates that the issue/PR needs a Team:* label) Apr 30, 2026
@andrewkroh andrewkroh added the Filebeat and needs_team (Indicates that the issue/PR needs a Team:* label) labels Apr 30, 2026
@botelastic botelastic Bot removed the needs_team label (Indicates that the issue/PR needs a Team:* label) Apr 30, 2026

botelastic Bot commented Apr 30, 2026

This pull request doesn't have a Team:<team> label.

Labels

  • Filebeat
  • Team:Security-Service Integrations (Security Service Integrations Team)

Development

Successfully merging this pull request may close these issues.

[bug-hunter] Okta OAuth2 with jwk_pem/jwk_file fails when client fetches token