Snowflake OAuth authentication: Change in the network policy used for a request from client to Snowflake (Preview)¶

Snowflake OAuth lets you use a network policy to restrict network traffic from the OAuth client and from the user who is authenticating. There can be three different network policies restricting this traffic:

• A network policy controlling requests from the OAuth client. This network policy is associated with the security integration that allows the client to interact with Snowflake.

• A network policy controlling requests from the user who is authenticating. This network policy is associated with the user.

• An account-level network policy that governs when there isn’t an integration-level or user-level network policy.

This behavior change affects which network policy governs a request from the OAuth client to Snowflake. The following diagram highlights the request that is affected by the change:

Before the change:

The user-level network policy, not the integration-level network policy, governs a request that sends an access token from the OAuth client to Snowflake as the Resource Server.

After the change:

The integration-level network policy, if specified, governs a request that sends an access token from the OAuth client to Snowflake as the Resource Server. If there is no integration-level network policy, the account-level network policy governs.

The network policies that govern other requests to Snowflake have not changed:

• User authorization and user consent requests sent from the user to Snowflake are still governed by the user-level network policy, if specified.

• The access token request sent from the OAuth client to Snowflake is still governed by the integration-level network policy, if specified.

Ref: 2094