Configure Snowflake OAuth for Partner Applications¶
This topic explains how to configure Snowflake OAuth access to Snowflake for supported Snowflake partner applications. This process requires creating an integration, a first-class Snowflake object that defines the interface between Snowflake and a third-party application or service.
Important
When connecting to Snowflake using any third-party application, Snowflake recommends that you verify that the integration flow used by the application meets your internal security requirements. You can contact the partner directly for details on their end-to-end flow used for this feature.
Note
In-session role switching to secondary roles is not supported with Snowflake OAuth.
If this behavior is necessary with your OAuth workflow, use External OAuth instead.
For more information, see Using Secondary Roles with External OAuth.
Currently, Snowflake OAuth supports the following applications:
Client |
Required Client Version |
Client Type |
|---|---|---|
2019.1 or higher |
Public |
|
6.20 or higher |
||
See the Alation documentation |
||
See the ThoughtSpot documentation |
Important
Currently, Tableau supports OAuth only when Tableau’s technology can access the public Internet.
Similarly, Looker supports OAuth only when Looker-Hosted Instances can access the public Internet. Note that this limitation does not affect customer-hosted Looker implementations (i.e. on-premises implementations).
Therefore, customers using Private Connectivity to the Snowflake Service might experience issues if attempting to use OAuth and Tableau or OAuth and Looker with Snowflake. Please contact Tableau or Looker, respectively, for questions or more details.
In this Topic:
Step 1: Configuring a Snowflake OAuth Integration¶
Create an integration using the CREATE SECURITY INTEGRATION (Snowflake OAuth) command. An integration is a Snowflake object that provides an interface between Snowflake and third-party services, such as a client that supports Snowflake OAuth.
Note
Only account administrators (i.e users with the ACCOUNTADMIN system role) or a role with the global CREATE INTEGRATION privilege can execute this SQL command.
CREATE [ OR REPLACE ] SECURITY INTEGRATION [ IF NOT EXISTS ]
<name>
TYPE = OAUTH
ENABLED = { TRUE | FALSE }
OAUTH_CLIENT = <partner_application>
oauthClientParams
[ COMMENT = '<string_literal>' ]
Where:
oauthClientParams
oauthClientParams ::= [ OAUTH_ISSUE_REFRESH_TOKENS = TRUE | FALSE ] [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ] [ BLOCKED_ROLES_LIST = ('<role_name>', '<role_name>') ]
Blocking Specific Roles from Using the Integration¶
The optional BLOCKED_ROLES_LIST parameter allows you to list Snowflake roles that a user cannot explicitly consent to using with the integration.
By default, the account administrator (i.e users with the ACCOUNTADMIN system role) and security administrator (i.e users with the SECURITYADMIN system role) roles are included in this list and cannot be removed. If you have a business need to allow users to use Snowflake OAuth with these roles, and your security team is comfortable with allowing it, please contact Snowflake Support to request that these roles be allowed for your account.
Controlling the Login Frequency¶
When a user has authenticated successfully, the partner application can use the issued refresh token to request new, short-lived access tokens, and not prompt the user to repeat the login process until the refresh token expires. The optional OAUTH_REFRESH_TOKEN_VALIDITY parameter specifies the length of time a refresh token is valid (in seconds). This setting can be used to expire the refresh token periodically, forcing the user to repeat the login process.
The supported minimum, maximum, and default values for the OAUTH_REFRESH_TOKEN_VALIDITY parameter are as follows:
Application |
Minimum |
Maximum |
Default |
|---|---|---|---|
Tableau Desktop |
|
|
|
Tableau Server or Tableau Online |
|
|
|
If you have a business need to lower the minimum value or raise the maximum value, please contact Snowflake Support to request the change for your account.
Using Client Redirect with Snowflake OAuth for Partner Applications¶
Snowflake supports using Client Redirect with Snowflake OAuth for Partner Applications, including using Client Redirect and Snowflake OAuth with supported Snowflake Clients.
For more information, see Redirecting Client Connections.
Managing Network Policies¶
Snowflake supports network policies for Snowflake OAuth. For more information, see OAuth and Network Policies.
Examples¶
Tableau Desktop
The following example creates a Snowflake OAuth integration with the default settings:
CREATE SECURITY INTEGRATION td_oauth_int1 TYPE = OAUTH ENABLED = TRUE OAUTH_CLIENT = TABLEAU_DESKTOP;View the integration settings using DESCRIBE INTEGRATION:
DESC SECURITY INTEGRATION td_oauth_int1;The following example creates a Snowflake OAuth integration with refresh tokens that expire after 10 hours (36000 seconds). The integration blocks users from starting a session with SYSADMIN as the active role:
CREATE SECURITY INTEGRATION td_oauth_int2 TYPE = OAUTH ENABLED = TRUE OAUTH_REFRESH_TOKEN_VALIDITY = 36000 BLOCKED_ROLES_LIST = ('SYSADMIN') OAUTH_CLIENT = TABLEAU_DESKTOP;
Tableau Server or Tableau Online
The following example creates a Snowflake OAuth integration with the default settings:
CREATE SECURITY INTEGRATION ts_oauth_int1 TYPE = OAUTH ENABLED = TRUE OAUTH_CLIENT = TABLEAU_SERVER;View the integration settings using DESCRIBE INTEGRATION:
DESC SECURITY INTEGRATION ts_oauth_int1;The following example creates a Snowflake OAuth integration with refresh tokens that expire after 1 day (86400 seconds). The integration blocks users from starting a session with SYSADMIN as the active role:
CREATE SECURITY INTEGRATION ts_oauth_int2 TYPE = OAUTH ENABLED = TRUE OAUTH_CLIENT = TABLEAU_SERVER OAUTH_REFRESH_TOKEN_VALIDITY = 86400 BLOCKED_ROLES_LIST = ('SYSADMIN');
Step 2: Logging into Snowflake from a Partner Application¶
Tableau¶
Follow the instructions provided by Tableau to connect to Snowflake using Snowflake OAuth.
Important
Currently, Tableau applications can only authorize the default role for a user; or, if a default role is not set, then the PUBLIC role is used as the active role for the session.
Alation¶
Access the Alation Community and follow the instructions provided by Alation to connect to Snowflake using Snowflake OAuth.
ThoughtSpot¶
Access the ThoughtSpot documentation and follow the instructions to create a connection to Snowflake, which includes a step on how to configure Snowflake OAuth.
Managing User Consent¶
This section describes how to manage delegated authorizations, i.e. user consent given to one or more clients associated with Snowflake integrations.
Display Snowflake OAuth Consents¶
List the active delegated authorizations for which you have access privileges, using SHOW DELEGATED AUTHORIZATIONS:
SHOW DELEGATED AUTHORIZATIONS;
+-------------------------------+-----------+-----------+-------------------+--------------------+
| created_on | user_name | role_name | integration_name | integration_status |
|-------------------------------+-----------+-----------+-------------------+--------------------|
| 2018-11-27 07:43:10.914 -0800 | JSMITH | PUBLIC | MY_OAUTH_INT | ENABLED |
+-------------------------------+-----------+-----------+-------------------+--------------------+
List the active delegated authorizations for a specified user. Users can list their own delegated authorizations; otherwise, this command variant requires the OWNERSHIP privilege on the user.
SHOW DELEGATED AUTHORIZATIONS
BY USER <username>;
List the active delegated authorizations for a specified integration. This command variant requires the OWNERSHIP privilege on the integration (i.e. the ACCOUNTADMIN role):
SHOW DELEGATED AUTHORIZATIONS
TO SECURITY INTEGRATION <integration_name>;
Revoke Consent¶
A user can revoke consent from a specified integration. This has the effect of revoking any access token associated with the integration.
To revoke user consent for a given integration, execute the ALTER USER … REMOVE DELEGATED AUTHORIZATION command.
Note
Only security administrators (i.e. users with the SECURITYADMIN role) or higher can execute this SQL command.
ALTER USER <username> REMOVE DELEGATED AUTHORIZATION
FROM SECURITY INTEGRATION <integration_name>
Where:
usernameSpecifies the user whose consent you are revoking.
integration_nameSpecifies the integration associated with the access tokens for a specific client.
To revoke user consent associated with a specific role, include the OF ROLE role_name parameter in the statement:
ALTER USER <username> REMOVE DELEGATED AUTHORIZATION
OF ROLE <role_name>
FROM SECURITY INTEGRATION <integration_name>
Where:
role_nameSpecifies the role associated with the access token.
Any access tokens associated with the role are revoked.
Error Codes¶
See the OAuth Error Codes for a list of error codes associated with OAuth, as well as errors that are returned in the JSON blob, during the authorization flow, token request or exchange, or when creating a Snowflake session after completing the OAuth flow.