Snowflake OAuth Overview
Snowflake OAuth uses Snowflake’s built-in OAuth service to provide OAuth-based authentication.
This topic describes Snowflake OAuth and how to use Snowflake as an OAuth resource and authorization server for accessing Snowflake data securely.
Snowflake OAuth uses Snowflake’s built-in OAuth service and supports the following applications:
Snowflake OAuth Authorization Flow
The OAuth authorization flow is as follows:
1. In the client, the user attempts to connect to Snowflake using OAuth.
2. The application sends an authorization request to the Snowflake authorization server, which in turn displays an authorization screen that asks the user to authorize access.
3. The user submits the Snowflake login name and password, and is in turn presented with a consent screen to allow the client access to Snowflake using a specific role in a user session (e.g. SYSADMIN or CUSTOM_ROLE1).
4. The user submits consent to use the specific role in a session.
5. The Snowflake authorization server sends an authorization code back to the client.
6. The client sends the authorization code back to the Snowflake authorization server to request an access token and, optionally, a refresh token that allows the client to obtain new access tokens.
7. The Snowflake authorization server accepts the authorization code and provides the client with an access token specific to the user resources in the Snowflake resource server. Based on the settings in the authorization request, the authorization server issues a refresh token to obtain new access tokens tied to the specific resource.
8. The client sends the access token to the Snowflake resource server.
9. The resource server recognizes the valid access token and creates a user session with the authorized role. The client now has access to the Snowflake resources limited by the role specified by the access token.
Access tokens have a short life, typically 10 minutes. When the access token expires, the client can send a refresh token to obtain a new access token. A refresh token is sent to the Snowflake authorization server to request a new access token each time the current access token expires (Steps 3-6). If the integration is configured to prevent sending refresh tokens, the user must repeat the above steps to re-authorize the client.
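The client side of steps 2, 5 and 6 above, as an added example that is not Snowflake's own code: it builds the authorization request with a state value and a PKCE S256 code challenge (both of which Snowflake validates, per the 390305 and 390311 error codes), checks the state on the redirect back, and prepares the two token requests the flow uses. The `/oauth/authorize` and `/oauth/token-request` paths and HTTP Basic client authentication are Snowflake's documented Snowflake OAuth endpoints; the `session:role:` and `refresh_token` scope strings are assumed from Snowflake's custom-client documentation; the account host, client id, secret and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

STATE_MAX_LEN = 2048  # longer values trigger OAUTH_AUTHORIZE_INVALID_STATE_LENGTH (390305)

# Constructed placeholders; a real client takes these from its integration registration.
ACCOUNT_HOST = "myorg-myaccount.snowflakecomputing.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.test/oauth/callback"


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636.

    A fresh high-entropy verifier is generated when none is supplied; the
    challenge is the unpadded base64url SHA-256 digest of the verifier.
    """
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, inside the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def valid_state(state: str) -> bool:
    """Reject locally what Snowflake would reject with 390305."""
    return 0 < len(state) <= STATE_MAX_LEN


def build_authorize_url(account_host: str, client_id: str, redirect_uri: str,
                        state: str, code_challenge: str,
                        role: Optional[str] = None,
                        want_refresh_token: bool = False) -> str:
    """Step 2: the authorization request sent to Snowflake's authorization server."""
    if not valid_state(state):
        raise ValueError("state must be 1..2048 characters")
    params = {
        "response_type": "code",  # anything else: OAUTH_AUTHORIZE_INVALID_RESPONSE_TYPE
        "client_id": client_id,   # must belong to an existing integration (390306)
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",  # missing/invalid: 390311
    }
    scopes = []
    if role:
        scopes.append(f"session:role:{role}")  # assumed scope format
    if want_refresh_token:
        scopes.append("refresh_token")         # assumed scope name
    if scopes:
        params["scope"] = " ".join(scopes)
    return f"https://{account_host}/oauth/authorize?" + urlencode(params)


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Step 5: extract the authorization code from the redirect. A response whose
    state does not match the one we issued is discarded, which is what defeats
    a forged redirect being injected into the client."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not produced by our request")
    if "error" in query:
        raise RuntimeError(f"authorization server returned error {query['error'][0]}")
    return query["code"][0]


def exchange_code_form(code: str, redirect_uri: str, code_verifier: str) -> Dict[str, str]:
    """Step 6: body of the authorization_code grant (one of the two grant types Snowflake supports)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}


def refresh_form(refresh_token: str) -> Dict[str, str]:
    """Body of the refresh_token grant used once the access token expires."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token}


def token_request(account_host: str, client_id: str, client_secret: str,
                  form: Dict[str, str]) -> Dict[str, object]:
    """Assemble the POST to the token endpoint; the client authenticates with HTTP Basic.
    Returned as a plain dict so it can be inspected without a network."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")
    return {
        "url": f"https://{account_host}/oauth/token-request",
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)
    print(build_authorize_url(ACCOUNT_HOST, CLIENT_ID, REDIRECT_URI, state, challenge,
                              role="SYSADMIN", want_refresh_token=True))
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"  # constructed redirect
    code = code_from_callback(callback, state)
    print(token_request(ACCOUNT_HOST, CLIENT_ID, CLIENT_SECRET,
                        exchange_code_form(code, REDIRECT_URI, verifier)))
```

The verifier and state are generated per authorization attempt and must be stored by the client until the redirect arrives; the verifier is what ties the token request in step 6 to the authorization request in step 2, so the code alone is useless to anyone who intercepts it.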
Partner Applications
To configure support, refer to Configure Snowflake OAuth for Partner Applications.
To learn about using OAuth without traversing the public Internet, refer to Partner Applications.
Custom Clients
Snowflake supports custom clients configured by your organization. To configure support, refer to Configure Snowflake OAuth for Custom Clients.
Network Policies
You can integrate a dedicated network policy with Snowflake OAuth only. The External OAuth security integration does not support setting a separate network policy, but you can still use a general network policy that applies to the entire Snowflake account.
The Snowflake OAuth security integration has a network_policy parameter so that the Snowflake OAuth integration can authenticate and authorize users without adding the OAuth client's IP addresses to the policy that governs normal user access.
Setting up a network policy specific to the Snowflake OAuth integration allows the Snowflake OAuth network policy to be distinct from other network policies that may apply to the Snowflake account. Therefore, the Snowflake OAuth network policy allows for the authentication and authorization of users as intended.
A network policy applied to a Snowflake OAuth integration overrides a network policy applied to the entire Snowflake account, but is overridden by a network policy assigned to a user.
Important
If a network policy per user or account is set and you are using a service that runs in a different location (e.g. Microsoft Power BI Service), you will not be able to connect to Snowflake.
After creating the Snowflake OAuth security integration, set the OAuth network policy using this command:
ALTER SECURITY INTEGRATION <oauth_integration> SET NETWORK_POLICY = <oauth_network_policy>;
To unset the Snowflake OAuth network policy, use this command:
ALTER SECURITY INTEGRATION <oauth_integration> UNSET NETWORK_POLICY;
Where:
<oauth_integration>
Specifies the name of the Snowflake OAuth security integration.
<oauth_network_policy>
Specifies the Snowflake OAuth network policy in Snowflake.
For more information, refer to Network Policies and ALTER SECURITY INTEGRATION.
Error Codes
Refer to the table below for descriptions of error codes associated with Snowflake OAuth:

| Error Code | Error | Description |
|---|---|---|
| 390302 | OAUTH_CONSENT_INVALID | Issue generating or validating consent for a given user. |
| 390303 | OAUTH_ACCESS_TOKEN_INVALID | The access token provided when attempting to create a Snowflake session is expired or invalid. |
| 390304 | OAUTH_AUTHORIZE_INVALID_RESPONSE_TYPE | Invalid |
| 390305 | OAUTH_AUTHORIZE_INVALID_STATE_LENGTH | The state parameter passed to the authorization endpoint exceeds 2048 characters. |
| 390306 | OAUTH_AUTHORIZE_INVALID_CLIENT_ID | No integration exists for the provided client id. |
| 390307 | OAUTH_AUTHORIZE_INVALID_REDIRECT_URI | |
| 390308 | OAUTH_AUTHORIZE_INVALID_SCOPE | Either the requested scope is not a valid scope, or the requested scopes cannot be fully granted to the user. |
| 390309 | OAUTH_USERNAMES_MISMATCH | The user you were trying to authenticate as differs from the user tied to the access token. |
| 390311 | OAUTH_AUTHORIZE_INVALID_CODE_CHALLENGE_PARAMS | Either the code challenge or the code challenge method is missing, invalid, or not supported. |
Additionally, the following errors are taken from the RFC and are returned in the JSON blob generated during an unsuccessful token request or exchange:

| Error | Description |
|---|---|
| invalid_client | There was a failure relating to client authentication, such as the client being unknown, a client secret mismatch, etc. |
| invalid_grant | The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. |
| unsupported_grant_type | A grant type was provided that Snowflake currently does not support (“refresh_token” and “authorization_code” are the only two supported grant types at the moment). |
| invalid_request | The request was malformed or could not be processed. |
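Added example, not Snowflake's own code, tying the token-refresh behaviour described in the Authorization Flow section (short-lived access tokens, refresh tokens optionally withheld by the integration) to the RFC error names in the table above: it decides whether a client should reuse its token, refresh it, send the user back through authorization, or stop because the request or client registration is wrong. The token endpoint is injected as a callable so the logic runs offline; the scripted responses and token values are constructed, and the field names `access_token`, `expires_in` and `refresh_token` are the standard token-response fields.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

REFRESH_SKEW_SECONDS = 30  # refresh a little early so an in-flight request does not hit 390303

# RFC error names from the token-request JSON, grouped by the action they call for.
REAUTHORIZE_ERRORS = {"invalid_grant"}  # grant or refresh token expired, revoked, or wrong client
CONFIGURATION_ERRORS = {"invalid_client", "unsupported_grant_type", "invalid_request"}


@dataclass
class TokenSet:
    access_token: str
    obtained_at: float                   # epoch seconds when the token response arrived
    expires_in: int                      # lifetime in seconds; Snowflake access tokens are short-lived
    refresh_token: Optional[str] = None  # None when the integration is configured not to issue one

    def expired(self, now: float) -> bool:
        return now >= self.obtained_at + self.expires_in - REFRESH_SKEW_SECONDS


class ReauthorizationRequired(Exception):
    """The user must go through the authorization flow again."""


class ClientConfigurationError(Exception):
    """Retrying will not help; the client's registration or request is wrong."""


TokenEndpoint = Callable[[Dict[str, str]], Dict[str, object]]


def ensure_fresh(tokens: TokenSet, now: float, token_endpoint: TokenEndpoint) -> TokenSet:
    """Return a usable TokenSet, refreshing through the token endpoint when needed."""
    if not tokens.expired(now):
        return tokens
    if tokens.refresh_token is None:
        # Integration prevents refresh tokens: the page's "repeat the above steps" case.
        raise ReauthorizationRequired("access token expired and no refresh token was issued")
    response = token_endpoint({"grant_type": "refresh_token",
                               "refresh_token": tokens.refresh_token})
    if "error" in response:
        error = str(response["error"])
        detail = str(response.get("error_description", ""))
        if error in REAUTHORIZE_ERRORS:
            raise ReauthorizationRequired(f"{error}: {detail}")
        # invalid_client, unsupported_grant_type, invalid_request, or anything unknown
        raise ClientConfigurationError(f"{error}: {detail}")
    return TokenSet(
        access_token=str(response["access_token"]),
        obtained_at=now,
        expires_in=int(response["expires_in"]),
        # The server may rotate the refresh token; keep the old one if none is returned.
        refresh_token=str(response.get("refresh_token") or tokens.refresh_token),
    )


def refresh_outcome(tokens: TokenSet, now: float, token_endpoint: TokenEndpoint) -> str:
    """Summarise ensure_fresh() as a label suitable for logs and metrics."""
    try:
        fresh = ensure_fresh(tokens, now, token_endpoint)
    except ReauthorizationRequired:
        return "reauthorize"
    except ClientConfigurationError:
        return "configuration_error"
    return "unchanged" if fresh is tokens else "refreshed"


# Constructed stand-in for Snowflake's token endpoint: responses keyed by refresh token.
SCRIPTED_RESPONSES: Dict[str, Dict[str, object]] = {
    "good-rt": {"access_token": "new-at", "expires_in": 600,
                "refresh_token": "good-rt-2", "token_type": "Bearer"},
    "revoked-rt": {"error": "invalid_grant", "error_description": "refresh token revoked"},
    "bad-client-rt": {"error": "invalid_client", "error_description": "client secret mismatch"},
}


def fake_token_endpoint(form: Dict[str, str]) -> Dict[str, object]:
    return SCRIPTED_RESPONSES[form["refresh_token"]]


if __name__ == "__main__":
    live = TokenSet("at", obtained_at=1000.0, expires_in=600, refresh_token="good-rt")
    for now in (1100.0, 1600.0):
        print(now, refresh_outcome(live, now, fake_token_endpoint))
    print(refresh_outcome(TokenSet("at", 1000.0, 600, None), 1600.0, fake_token_endpoint))
    print(refresh_outcome(TokenSet("at", 1000.0, 600, "revoked-rt"), 1600.0, fake_token_endpoint))
```

Treating `invalid_grant` and the configuration errors differently matters operationally: the former is expected in normal use (a revoked or expired refresh token) and should route the user back to the consent screen, while a burst of `invalid_client` responses indicates a rotated secret or a broken deployment and should page someone rather than loop.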