Introduction to OAuth

Snowflake enables OAuth for clients through integrations. An integration is a Snowflake object that provides an interface between Snowflake and third-party services. Administrators configure OAuth using a Security integration, which enables clients that support OAuth to redirect users to an authorization page and generate access tokens (and optionally, refresh tokens) for accessing Snowflake.

Snowflake supports the OAuth 2.0 protocol for authentication and authorization using one of the options below:

The following table compares Snowflake OAuth and External OAuth:

Category

Snowflake OAuth

External OAuth

Modify client application

Required

Required

Client application browser access

Required

Not required

Programmatic clients

Requires a browser

Best fit

Driver property

authenticator = oauth

authenticator = oauth

Security integration syntax

create security integration type = oauth ...

create security integration type = external_oauth

OAuth flow

OAuth 2.0 code grant flow

Any OAuth flow that the client can initiate with the External OAuth server

Auditing OAuth logins

To query login attempts by Snowflake users, Snowflake provides a login history:

When OAuth is used to authenticate (successfully or unsuccessfully), the FIRST_AUTHENTICATION_FACTOR column in the output has the value OAUTH_ACCESS_TOKEN.

Private connectivity

Snowflake supports External OAuth with private connectivity to the Snowflake service.

Snowflake OAuth and Tableau can be used with private connectivity to Snowflake as follows:

Tableau Desktop:

Starting with Tableau 2020.4, Tableau contains an embedded OAuth client that supports connecting to Snowflake with the account URL for private connectivity to the Snowflake service.

After upgrading to Tableau 2020.4, no further configuration is needed; use the corresponding private connectivity URL for either AWS or Azure to connect to Snowflake.

Tableau Cloud:

Starting with Tableau 2020.4, users can optionally configure Tableau Cloud to use the embedded OAuth Client to connect to Snowflake with the account URL for private connectivity to the Snowflake service.

To use this feature, create a new Custom Client security integration and follow the Tableau instructions.

Important

To determine the account URL to use with private connectivity to the Snowflake service, call the SYSTEM$GET_PRIVATELINK_CONFIG function.

Looker:

Currently, combining Snowflake OAuth and Looker requires access to the public Internet. Therefore, you cannot use Snowflake OAuth and Looker with private connectivity to the Snowflake service.

For more information, refer to:

Clients, drivers, and connectors

Supported clients, drivers, and connectors can use OAuth to verify user login credentials.

Note the following:

  • It is necessary to set the authenticator parameter to oauth and the token parameter to the oauth_access_token.

  • When passing the token value as a URL query parameter, it is necessary to URL-encode the oauth_access_token value.

  • When passing the token value to a Properties object (e.g. JDBC Driver), no modifications are necessary.

For more information about connection parameters, refer to the reference documentation for the following clients, drivers, or connectors:

Client Redirect

Snowflake supports using Client Redirect with Snowflake OAuth and External OAuth, including using Client Redirect and OAuth with supported Snowflake Clients.

For more information, refer to Redirecting client connections.

Replication

Snowflake supports replication and failover/failback with both the Snowflake OAuth and External OAuth security integrations from the source account to the target account.

For details, refer to Replication of security integrations & network policies across multiple accounts.