Authentication for local applications: Built-in security integration for Snowflake OAuth

Applications that use Snowflake OAuth to authenticate need a security integration that defines the interface between Snowflake and the application. This change introduces a built-in, system-owned security integration that simplifies how local desktop applications authenticate with Snowflake OAuth.

Note

When this behavior change is enabled, the built-in security integration will be rolled out to accounts slowly, and might not be available immediately.

Before the change:

You must always create and configure a security integration if you want an application to use Snowflake OAuth to authenticate to Snowflake.

After the change:

Local, desktop applications that want to authenticate with Snowflake OAuth don’t have to create a security integration. The built-in security integration SNOWFLAKE$LOCAL_APPLICATION exists in all accounts. It is a security integration of type OAUTH.

Because you don’t need to create a security integration, application developers can implement Snowflake OAuth without the assistance of a Snowflake administrator. But a security administrator can still configure the built-in security integration to control things like the validity duration of access tokens and whether to use single-use refresh tokens.

Only local, desktop applications can authenticate using the built-in security integration. Other types of applications — for example, third-party web applications — must still create and configure a security integration if they want to authenticate with Snowflake OAuth.

Benefits of the built-in integration

Using the SNOWFLAKE$LOCAL_APPLICATION security integration to authenticate local applications has the following benefits:

  • Provides a straightforward authentication method that is an alternative to password authentication, helping you conform to the upcoming Snowflake requirement that human users use multi-factor authentication (MFA) if they authenticate with a password.

  • Reduces administrative friction; no initial administrator action is required to use Snowflake OAuth.

  • Improves the user experience for developers, especially those using the Snowflake CLI.

  • Enables local applications to use OAuth as a singular authentication method, eliminating the need for complex configurations and making the authentication process mostly opaque to the application.

  • Supports in-role session switching like other authentication methods. A user-defined Snowflake OAuth security integration doesn’t support in-role session switching.

  • Isolates local applications from user credentials. This eliminates long-lived credentials on disk, meaning sensitive authentication data, such as passwords or personal access tokens, isn’t persisted insecurely.

Having a built-in security integration doesn’t weaken the security posture of your account, but rather combines an enhanced user experience with the most secure form of local authentication. Creating new sessions within the window of OAuth refresh token validity is equivalent to the existing pattern of using saved user credentials to create new sessions. In addition, administrators retain control over authentication by using authentication policies to dictate which credentials are allowed for users.
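The authentication-policy control mentioned above, shown as an added example that is not part of the Snowflake documentation on this page. It binds a policy to a single user so that the user can authenticate only with OAuth or a key pair, never with a password; the database, schema, policy name and user name (SECURITY_DB, POLICIES, LOCAL_TOOLS_OAUTH_ONLY, DEV_USER) are hypothetical, and it assumes ACCOUNTADMIN holds the privileges needed to create the policy and alter the user.

```sql
-- Added example, not from the page. Names below are hypothetical.
USE ROLE ACCOUNTADMIN;

-- Allow only OAuth (which includes the built-in SNOWFLAKE$LOCAL_APPLICATION
-- integration) and key-pair authentication; PASSWORD is deliberately absent.
CREATE AUTHENTICATION POLICY SECURITY_DB.POLICIES.LOCAL_TOOLS_OAUTH_ONLY
  AUTHENTICATION_METHODS = ('OAUTH', 'KEYPAIR')
  COMMENT = 'Local tooling must use OAuth or key pairs; no password logins.';

-- Scope the policy to one user rather than the whole account so that
-- administrators who still log in with a password are not locked out.
ALTER USER DEV_USER SET AUTHENTICATION POLICY SECURITY_DB.POLICIES.LOCAL_TOOLS_OAUTH_ONLY;

-- Review the policy's effective settings.
DESCRIBE AUTHENTICATION POLICY SECURITY_DB.POLICIES.LOCAL_TOOLS_OAUTH_ONLY;
```

Applying the policy per user is the conservative choice: test it on a developer account first, then widen it to a role's members or the account once you have confirmed that every affected identity has a non-password credential.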

Opt out of the change

An account administrator can disable the SNOWFLAKE$LOCAL_APPLICATION security integration for an account. This action prevents local applications from using Snowflake OAuth to authenticate unless an administrator creates their own security integration.

To opt out of this change so that security administrators can’t enable the SNOWFLAKE$LOCAL_APPLICATION security integration, run the following commands:

USE ROLE ACCOUNTADMIN;

ALTER ACCOUNT SET DISABLE_SNOWFLAKE_LOCAL_APPLICATION_INTEGRATION = TRUE;

Using the DISABLE_SNOWFLAKE_LOCAL_APPLICATION_INTEGRATION parameter to opt out doesn’t prevent the SNOWFLAKE$LOCAL_APPLICATION integration from being created. The integration will still exist in your account, but its ENABLED property will be FALSE, and a security administrator can’t change the property to TRUE.

The account administrator can set the DISABLE_SNOWFLAKE_LOCAL_APPLICATION_INTEGRATION parameter before the SNOWFLAKE$LOCAL_APPLICATION integration is created in an account so that the integration is never enabled.

If the account administrator doesn’t use the account parameter to opt out, a security administrator can still disable the SNOWFLAKE$LOCAL_APPLICATION integration after it is created. To disable the built-in security integration after it exists in the account, run the following commands:

USE ROLE SECURITYADMIN;

ALTER SECURITY INTEGRATION SNOWFLAKE$LOCAL_APPLICATION SET ENABLED = FALSE;
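A verification script for either opt-out path, added here as an example and not part of the Snowflake documentation on this page. It reads the account parameter named above and the ENABLED property of the built-in integration so an administrator can confirm the state after running the commands; it assumes the built-in integration has already been created in the account (the final DESCRIBE fails with an object-not-found error if it has not).

```sql
-- Added example, not from the page.
USE ROLE ACCOUNTADMIN;

-- Account-level opt-out: value TRUE means a security administrator
-- cannot set the built-in integration's ENABLED property to TRUE.
SHOW PARAMETERS LIKE 'DISABLE_SNOWFLAKE_LOCAL_APPLICATION_INTEGRATION' IN ACCOUNT;

-- Does the built-in integration exist, and is it currently enabled?
-- An empty result means it has not been rolled out to this account yet.
SHOW SECURITY INTEGRATIONS LIKE 'SNOWFLAKE$LOCAL_APPLICATION';
SELECT "name", "type", "enabled"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

-- Full property list (type OAUTH, ENABLED, token settings) once it exists.
DESCRIBE SECURITY INTEGRATION SNOWFLAKE$LOCAL_APPLICATION;
```

Run this after the opt-out and again periodically: the expected state for an opted-out account is the parameter at TRUE and "enabled" at false for the integration row.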

Ref: 2056