feat(source-salesforce): persist rotated refresh token (RTR support)

[James Truty (jtruty)]

What

Adds support for Salesforce OAuth Refresh Token Rotation (RTR) to source-salesforce.

Closes #80783

Why

Salesforce is mandating RTR as a security control. With RTR enabled on the connected app, each grant_type=refresh_token exchange returns a new, single-use refresh token and invalidates the previous one. The connector discarded the refresh token in the login response, so once RTR is enabled the next sync authenticates with an invalidated token and Salesforce revokes the grant, breaking the connection until manual re-auth.

How

• Salesforce.login() now captures the refresh token from the token response when one is present.
• A new SourceSalesforce._persist_rotated_refresh_token writes the rotated token back into the connector config and emits a CONNECTOR_CONFIG control message. It runs from the single _get_sf_object chokepoint, so it covers check, discover, and read.
• The connector-sidecar persists CONNECTOR_CONFIG control messages for all three operations, double-gated on the config actually changing, so the rotated token survives across syncs.

This is non-breaking: Salesforce returns a new refresh_token only when rotation is enabled, so for connections without RTR the new path is a strict no-op and behavior is unchanged. No spec change and no new config option.

Testing

poetry run pytest unit_tests/ passes (111 tests). New unit tests cover:

• A rotated refresh token is written to config and emitted as one control message.
• A response without a refresh token (RTR off) is a no-op (regression guard).
• An unchanged refresh token emits no control message (idempotency).

Known limitations

RTR's single-use semantics mean a refresh token can still be lost in two edge cases that are not addressed in connector code:

• Concurrent check and sync on the same source can race two rotations.
• The pre-save "Test connection" cannot persist (no actor id yet).

Both are mitigated by configuring a refresh token rotation grace window on the Salesforce connected app.

[octavia-bot]

Note

📝 PR Converted to Draft

More info...

Thank you for creating this PR. As a policy to protect our engineers' time, Airbyte requires all PRs to be created first in draft status. Your PR has been automatically converted to draft status in respect for this policy.

As soon as your PR is ready for formal review, you can proceed to convert the PR to "ready for review" status by clicking the "Ready for review" button at the bottom of the PR page.

To skip draft status in future PRs, please include [ready] in your PR title or add the skip-draft-status label when creating your PR.

[github-actions]

👋 Welcome to Airbyte!

Thank you for your contribution from jtruty/airbyte! We're excited to have you in the Airbyte community.

If you have any questions, feel free to ask in the PR comments or join our Slack community.

💡 Show Tips and Tricks

PR Slash Commands

As needed or by request, Airbyte Maintainers can execute the following slash commands on your PR:

• /format-fix - Fixes most formatting issues.
• /bump-version - Bumps connector versions.
• /run-connector-tests - Runs connector tests.
• /run-cat-tests - Runs CAT tests.
• /run-regression-tests - Runs regression tests for the modified connector(s).
• /build-connector-images - Builds and publishes a pre-release docker image for the modified connector(s).
• /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
• /ai-review - AI-powered PR review for connector safety and quality gates.
• /ai-docs-review - AI-powered documentation review for PRs with connector changes.
• /ai-create-docs-pr - Creates a documentation PR for connector changes.
• /force-merge reason="<A_GOOD_REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.

Tips for Working with CI

1. Pre-Release Checks. Please pay attention to these, as they contain standard checks on the metadata.yaml file, docs requirements, etc. If you need help resolving a pre-release check, please ask a maintainer.
   • Note: If you are creating a new connector, please be sure to replace the default logo.svg file with a suitable icon.
2. Connector CI Tests. Some failures here may be expected if your tests require credentials. Please review these results to ensure (1) unit tests are passing, if applicable, and (2) integration tests pass to the degree possible and expected.
3. (Optional.) BYO Connector Credentials for tests in your fork. You can optionally set up your fork with BYO credentials for your connector. This can significantly speed up your review, ensuring your changes are fully tested before the maintainers begin their review.

📚 Show Repo Guidance

Helpful Resources

• Maintainers: AI-SDLC Docs (internal link)
• PR Guidelines: Check our guidelines for contributions.
• Breaking Changes Guide: Guide to breaking changes, migration guides, and upgrade deadlines.
• Developing Connectors Locally: Learn how to set up your environment and develop connectors locally.
• If you enable BYO Connector Credentials within your fork, you can view your test results here:
  

📝 Edit this welcome message.