Snowflake OAuth authentication: Change in the network policy used for a request from client to Snowflake (Preview)

Attention

This behavior change is in the 2025_06 bundle.

For the current status of the bundle, refer to Bundle History.

Snowflake OAuth lets you use a network policy to restrict network traffic from the OAuth client and from the user who is authenticating. There can be three different network policies restricting this traffic:

  • A network policy controlling requests from the OAuth client. This network policy is associated with the security integration that allows the client to interact with Snowflake.

  • A network policy controlling requests from the user who is authenticating. This network policy is associated with the user.

  • An account-level network policy that governs when there isn’t an integration-level or user-level network policy.

This behavior change affects which network policy governs a request from the OAuth client to Snowflake. The following diagram highlights the request that is affected by the change:

[Figure: Snowflake OAuth workflow with highlighted request]

Before the change:

The user-level network policy, not the integration-level network policy, governs a request that sends an access token from the OAuth client to Snowflake as the Resource Server.

After the change:

The integration-level network policy, if specified, governs a request that sends an access token from the OAuth client to Snowflake as the Resource Server. If there is no integration-level network policy, the account-level network policy governs.

The network policies that govern other requests to Snowflake have not changed:

  • User authorization and user consent requests sent from the user to Snowflake are still governed by the user-level network policy, if specified.

  • The access token request sent from the OAuth client to Snowflake is still governed by the integration-level network policy, if specified.
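The following added example (not Snowflake code or part of the original documentation) models the rules above to show which OAuth clients change outcome when the bundle is enabled. It assumes a simplified policy made up only of allowed CIDR blocks, and assumes that the account-level policy is the fallback whenever the governing level has no policy; the request names, function names, and sample addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Simplified model (assumption): a policy is a list of allowed CIDR blocks and
# None means no policy is set at that level. Blocked lists are not modelled.

def governing_level(request, bundle_enabled, integration, user, account):
    """Return (level, policy) governing a request, per the rules on this page."""
    if request in ("user_authorization", "user_consent"):
        first = ("user", user)                      # unchanged by the bundle
    elif request == "token_request":
        first = ("integration", integration)        # unchanged by the bundle
    elif request == "resource_request":             # access token sent to the Resource Server
        first = ("integration", integration) if bundle_enabled else ("user", user)
    else:
        raise ValueError(f"unknown request type: {request}")
    # Assumption: the account-level policy is the fallback in every case.
    for level, policy in (first, ("account", account)):
        if policy is not None:
            return level, policy
    return "none", None

def is_allowed(ip, policy):
    if policy is None:
        return True  # no policy at any level restricts the request
    return any(ip_address(ip) in ip_network(cidr) for cidr in policy)

def resource_request_impact(client_ip, integration, user, account):
    """Compare the governing level and decision before and after the change."""
    result = {}
    for label, enabled in (("before", False), ("after", True)):
        level, policy = governing_level("resource_request", enabled, integration, user, account)
        result[label] = (level, is_allowed(client_ip, policy))
    return result

# Constructed inventory: documentation address ranges, not real deployments.
ACCOUNT = ["10.0.0.0/8"]
CASES = {
    "bi_tool": dict(client_ip="203.0.113.10", integration=["198.51.100.0/24"],
                    user=["203.0.113.0/24"], account=ACCOUNT),
    "etl": dict(client_ip="198.51.100.7", integration=["198.51.100.0/24"],
                user=["192.0.2.0/24"], account=ACCOUNT),
    "no_integration_policy": dict(client_ip="203.0.113.10", integration=None,
                                  user=["203.0.113.0/24"], account=ACCOUNT),
}

if __name__ == "__main__":
    for name, case in CASES.items():
        print(name, resource_request_impact(**case))
```

The third case is the one most easily missed in a pre-rollout audit: with no integration-level policy, the request falls to the account-level policy after the change, so a client that previously passed the user-level policy can be refused.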

Note

When this bundle is enabled, you’ll be able to associate a network policy with an External OAuth security integration. Previously, only a Snowflake OAuth security integration could be associated with a network policy.

Ref: 2094