Configure Snowflake OAuth for Partner Applications

This topic explains how to configure OAuth access to Snowflake for supported Snowflake partner applications. This process requires creating an integration, a first-class Snowflake object that defines the interface between Snowflake and a third-party application or service.

Important

When connecting to Snowflake using any third-party application, Snowflake recommends that you verify that the integration flow used by the application meets your internal security requirements. You can contact the partner directly for details on their end-to-end flow used for this feature.

Currently, Snowflake OAuth supports the following applications:

Client	Required Client Version	Client Type
Tableau Desktop / Server / Online	2019.1 or higher	Public
Looker	6.20 or higher
Alation	See the Alation documentation
ThoughtSpot	See the Thoughtspot documentation

Important

Currently, Tableau supports OAuth only when Tableau’s technology can access the public Internet.

Similarly, Looker supports OAuth only when Looker-Hosted Instances can access the public Internet. Note that this limitation does not affect Customer-Hosted Looker implementations (i.e. on-premises implementations).

Therefore, Customers using AWS PrivateLink or Azure Private Link may experience issues if attempting to use OAuth and Tableau or OAuth and Looker with Snowflake. Please contact Tableau or Looker, respectively, for questions or more details.

In this Topic:

Step 1. Configuring an OAuth Integration

Create an integration using the CREATE SECURITY INTEGRATION command. An integration is a Snowflake object that provides an interface between Snowflake and third-party services, such as a client that supports OAuth.

Note

Only account administrators (i.e users with the ACCOUNTADMIN system role) or a role with the global CREATE INTEGRATION privilege can execute this SQL command.

CREATE [ OR REPLACE ] SECURITY INTEGRATION [IF NOT EXISTS]
  <name>
  TYPE = OAUTH
  ENABLED = { TRUE | FALSE }
  OAUTH_CLIENT = <partner_application>
  oauthClientParams
  [ COMMENT = '<string_literal>' ]

Where:

oauthClientParams

oauthClientParams ::=
  [ OAUTH_ISSUE_REFRESH_TOKENS = TRUE | FALSE ]
  [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ]
  [ BLOCKED_ROLES_LIST = ('<role_name>', '<role_name>') ]

Blocking Specific Roles from Using the Integration

The optional BLOCKED_ROLES_LIST parameter allows you to list Snowflake roles that a user cannot explicitly consent to using with the integration.

By default, the account administrator (i.e users with the ACCOUNTADMIN system role) and security administrator (i.e users with the SECURITYADMIN system role) roles are included in this list and cannot be removed. If you have a business need to allow users to use OAuth with these roles, and your security team is comfortable with allowing it, please contact Snowflake Support to request that these roles be allowed for your account.

Controlling the Login Frequency

When a user has authenticated successfully, the partner application can use the issued refresh token to request new, short-lived access tokens, and not prompt the user to repeat the login process until the refresh token expires. The optional OAUTH_REFRESH_TOKEN_VALIDITY parameter specifies the length of time a refresh token is valid (in seconds). This setting can be used to expire the refresh token periodically, forcing the user to repeat the login process.

The supported minimum, maximum, and default values for the OAUTH_REFRESH_TOKEN_VALIDITY parameter are as follows:

Application	Minimum	Maximum	Default
Tableau Desktop	60 (1 minute)	36000 (10 hours)	36000 (10 hours)
Tableau Server or Tableau Online	60 (1 minute)	7776000 (90 days)	7776000 (90 days)

If you have a business need to lower the minimum value or raise the maximum value, please contact Snowflake Support to request the change for your account.

Using Secondary Roles with Snowflake OAuth Custom Clients

By default, Snowflake activates the default primary role for a user (i.e. the DEFAULT_ROLE user setting) in the session. Snowflake does not activate the default secondary roles for a user (i.e. the DEFAULT_SECONDARY_ROLES user property) in the session.

To activate the default secondary roles for a user in a session, set the OAUTH_USE_SECONDARY_ROLES parameter value to IMPLICIT when creating the security integration (using CREATE SECURITY INTEGRATION) or later (using ALTER SECURITY INTEGRATION).

Using Client Redirect with Snowflake OAuth for Partner Applications

Snowflake supports using Client Redirect with Snowflake OAuth for Partner Applications, including using Client Redirect and OAuth with supported Snowflake Clients.

For more information, see Redirecting Client Connections.

Managing Network Policies

Snowflake supports network policies for OAuth. For more information, see OAuth and Network Policies.

Examples

Tableau Desktop

The following example creates an OAuth integration with the default settings:

CREATE SECURITY INTEGRATION td_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_DESKTOP;

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION td_oauth_int1;

The following example creates an OAuth integration with refresh tokens that expire after 10 hours (36000 seconds). The integration blocks users from starting a session with SYSADMIN as the active role:

CREATE SECURITY INTEGRATION td_oauth_int2
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 36000
  BLOCKED_ROLES_LIST = ('SYSADMIN');

Tableau Server or Tableau Online

The following example creates an OAuth integration with the default settings:

CREATE SECURITY INTEGRATION ts_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER;

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION ts_oauth_int1;

The following example creates an OAuth integration with refresh tokens that expire after 1 day (86400 seconds). The integration blocks users from starting a session with SYSADMIN as the active role:

CREATE SECURITY INTEGRATION ts_oauth_int2
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400
  BLOCKED_ROLES_LIST = ('SYSADMIN');

Step 2. Logging into Snowflake from a Partner Application

Tableau

Follow the instructions provided by Tableau to connect to Snowflake using Snowflake OAuth.

Important

Currently, Tableau applications can only authorize the default role for a user; or, if a default role is not set, then the PUBLIC role is used as the active role for the session.

Looker

Follow the steps provided by Looker to connect to Snowflake using Snowflake OAuth.

Alation

Access the Alation Community and follow the instructions provided by Alation to connect to Snowflake using Snowflake OAuth.

ThoughtSpot

Access the ThoughtSpot documentation and follow the instructions to create a connection to Snowflake, which includes a step on how to configure Snowflake OAuth.

For additional details in the ThoughSpot documentation, see Configure OAuth for a Snowflake connection.

Managing User Consent

This section describes how to manage delegated authorizations, i.e. user consent given to one or more clients associated with Snowflake integrations.

Display OAuth Consents

List the active delegated authorizations for which you have access privileges, using SHOW DELEGATED AUTHORIZATIONS:

SHOW DELEGATED AUTHORIZATIONS;

+-------------------------------+-----------+-----------+-------------------+--------------------+
| created_on                    | user_name | role_name | integration_name  | integration_status |
|-------------------------------+-----------+-----------+-------------------+--------------------|
| 2018-11-27 07:43:10.914 -0800 | JSMITH    | PUBLIC    | MY_OAUTH_INT      | ENABLED            |
+-------------------------------+-----------+-----------+-------------------+--------------------+

List the active delegated authorizations for a specified user. Users can list their own delegated authorizations; otherwise, this command variant requires the OWNERSHIP privilege on the user.

SHOW DELEGATED AUTHORIZATIONS
    BY USER <username>;

List the active delegated authorizations for a specified integration. This command variant requires the OWNERSHIP privilege on the integration (i.e. the ACCOUNTADMIN role):

SHOW DELEGATED AUTHORIZATIONS
    TO SECURITY INTEGRATION <integration_name>;

Revoke Consent

A user can revoke consent from a specified integration. This has the effect of revoking any access token associated with the integration.

To revoke user consent for a given integration, execute the ALTER USER … REMOVE DELEGATED AUTHORIZATION command.

Note

Only security administrators (i.e. users with the SECURITYADMIN role) or higher can execute this SQL command.

ALTER USER <username> REMOVE DELEGATED AUTHORIZATION
    FROM SECURITY INTEGRATION <integration_name>

Where:

username

Specifies the user whose consent you are revoking.

integration_name

Specifies the integration associated with the access tokens for a specific client.

To revoke user consent associated with a specific role, include the OF ROLE role_name parameter in the statement:

ALTER USER <username> REMOVE DELEGATED AUTHORIZATION
    OF ROLE <role_name>
    FROM SECURITY INTEGRATION <integration_name>

Where:

role_name

Specifies the role associated with the access token.

Any access tokens associated with the role are revoked.

Error Codes

See the OAuth Error Codes for a list of error codes associated with OAuth, as well as errors that are returned in the JSON blob, during the authorization flow, token request or exchange, or when creating a Snowflake session after completing the OAuth flow.