Snowflake OAuth overview

Snowflake OAuth is OAuth 2.0 authentication provided by Snowflake's built-in OAuth service: Snowflake acts as both the authorization server that issues tokens and the resource server that accepts them.

This topic describes Snowflake OAuth and how to use Snowflake as an OAuth authorization server and resource server for accessing Snowflake data securely.

Snowflake OAuth supports two kinds of client application, each described in its own section below: partner applications and custom clients configured by your organization.

Snowflake OAuth authorization flow

The OAuth authorization flow is as follows:

(Diagram: Snowflake OAuth workflow)
  1. In the client, the user attempts to connect to Snowflake using OAuth.

    The client sends an authorization request to the Snowflake authorization server, which displays a login screen asking the user to authorize access.

  2. The user submits the Snowflake login name and password and is then presented with a consent screen asking whether the client may access Snowflake with a specific role for the session (e.g. SYSADMIN or CUSTOM_ROLE1).

    The user consents to the use of that role for the session.

    The Snowflake authorization server sends an authorization code back to the client.

  3. The client sends the authorization code to the Snowflake authorization server to request an access token and, optionally, a refresh token that lets the client obtain new access tokens without involving the user again.

    The Snowflake authorization server validates the authorization code and returns an access token scoped to the user's resources in the Snowflake resource server. If the authorization request asked for one and the integration allows it, the authorization server also issues a refresh token tied to the same resource.

  4. The client presents the access token to the Snowflake resource server.

    The resource server validates the access token and creates a user session with the authorized role. The client now has access to Snowflake resources limited to what that role allows.

    By default, Snowflake refuses to create an OAuth session with the ACCOUNTADMIN, ORGADMIN, or SECURITYADMIN role. To allow these privileged roles to authenticate through OAuth, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE. Because this is an account parameter it applies account-wide, so leave it at the default unless a client genuinely needs an administrative role.

Access tokens are short-lived, typically 10 minutes. When an access token expires, the client sends the refresh token to the Snowflake authorization server to obtain a new one (repeating the token request of step 3 and then step 4), without the user logging in again. If the integration is configured not to issue refresh tokens, the user must repeat the steps above to re-authorize the client.
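The four steps above, as an added example that is not part of Snowflake's documentation or code: a Python client that builds the authorization request with PKCE and a bounded state value, validates the callback, assembles the code-exchange and refresh requests, and maps the token endpoint's success or error JSON to the action the client should take. The endpoint paths, the scope strings session:role:<ROLE> and refresh_token, the client ID, secret and redirect URI, and the sample responses are assumptions, not values from this page.

```python
# Added example, not Snowflake's code. Endpoint paths, the scope format
# session:role:<ROLE> / refresh_token and all sample values are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ACCOUNT_URL = "https://myorg-myaccount.snowflakecomputing.com"  # assumed
AUTHORIZE_ENDPOINT = f"{ACCOUNT_URL}/oauth/authorize"           # assumed path
TOKEN_ENDPOINT = f"{ACCOUNT_URL}/oauth/token-request"           # assumed path
MAX_STATE_LENGTH = 2048  # a longer state is rejected with error 390305


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs when the code is exchanged."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)

def build_authorization_url(client_id: str, redirect_uri: str, role: str, state: str,
                            code_challenge: str, want_refresh_token: bool = True) -> str:
    """Step 1: the request that sends the user to the login and consent screens."""
    if len(state) > MAX_STATE_LENGTH:
        raise ValueError("state longer than 2048 characters (error 390305)")
    scopes = [f"session:role:{role}"] + (["refresh_token"] if want_refresh_token else [])
    params = {
        "response_type": "code",          # anything else -> error 390304
        "client_id": client_id,           # unknown client -> error 390306
        "redirect_uri": redirect_uri,     # must match the integration -> 390307
        "scope": " ".join(scopes),        # unknown or ungrantable role -> 390308
        "state": state,                   # checked again in parse_redirect
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",  # missing or unsupported -> error 390311
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: bind the callback to our own request and extract the code."""
    query = parse_qs(urlparse(redirect_url).query)
    if not hmac.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: not a response to our request, discard it")
    if "error" in query:
        raise RuntimeError(f"authorization refused: {query['error'][0]}")
    return query["code"][0]

def _client_auth_headers(client_id: str, client_secret: str) -> dict:
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded"}

def build_token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    """Step 3: exchange the code; the client authenticates with HTTP Basic."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
    return TOKEN_ENDPOINT, _client_auth_headers(client_id, client_secret), body

def build_refresh_request(client_id, client_secret, refresh_token):
    """After the ~10-minute access token expires: trade the refresh token instead."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return TOKEN_ENDPOINT, _client_auth_headers(client_id, client_secret), body

def handle_token_response(status: int, body: str) -> dict:
    """Map the token endpoint's JSON (success or RFC 6749 error) to a client action."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {"action": "use_token", "access_token": data["access_token"],
                "refresh_token": data.get("refresh_token"),
                "expires_in": int(data.get("expires_in", 0))}
    error = data.get("error", "invalid_request")
    if error == "invalid_grant":   # code/refresh token expired, revoked, reused, or
        return {"action": "reauthorize", "error": error}  # issued to another client
    if error == "invalid_client":  # bad client id/secret: retrying will not help
        return {"action": "fix_client_credentials", "error": error}
    return {"action": "fail", "error": error}  # unsupported_grant_type, invalid_request

# Constructed sample token-endpoint bodies (not captured from a real account).
SAMPLE_TOKEN_OK = json.dumps({"access_token": "ACCESS_TOKEN_VALUE", "token_type": "Bearer",
                              "expires_in": 600, "refresh_token": "REFRESH_TOKEN_VALUE"})
SAMPLE_TOKEN_ERR = json.dumps({"error": "invalid_grant", "error_description": "expired"})

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("CLIENT_ID", "https://app.example/cb", "ANALYST", state, challenge))
    code = parse_redirect(f"https://app.example/cb?code=C0DE&state={state}", state)
    print(build_token_request("CLIENT_ID", "SECRET", code, "https://app.example/cb", verifier))
    print(handle_token_response(200, SAMPLE_TOKEN_OK), handle_token_response(400, SAMPLE_TOKEN_ERR))
```

Run it directly to print the three messages; the state and PKCE values are fresh on each run. The client-side checks line up with the error table later in this topic: an overlong state is refused before the request is sent rather than waiting for 390305, the state comparison on the callback stops a code injected by someone else from being exchanged, and the S256 challenge is what lets the authorization server reject a code exchange from a party that intercepted the code but not the verifier.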

Partner applications

To configure support, refer to Configure Snowflake OAuth for partner applications.

To learn about using OAuth without traversing the public Internet, refer to Partner applications.

Custom clients

Snowflake supports custom clients configured by your organization. To configure support, refer to Configure Snowflake OAuth for custom clients.

Network policies

You can integrate a dedicated network policy with Snowflake OAuth only. The External OAuth security integration does not support setting a separate network policy, but you can still use a general network policy that applies to the entire Snowflake account.

The Snowflake OAuth security integration has a NETWORK_POLICY parameter so that the IP addresses an OAuth client connects from (for example, a partner service's address range) can be allowed for the integration's authentication and authorization traffic without adding them to the policy that governs normal user access.

Because a network policy set on the integration is distinct from any other network policy that applies to the Snowflake account, it can allow exactly the addresses the OAuth exchange needs while leaving the account's general policy unchanged.

A network policy applied to a Snowflake OAuth integration overrides a network policy applied to the entire Snowflake account, but is itself overridden by a network policy assigned to a user. When an OAuth login from an address the integration policy allows is still rejected, check the user-level policy first.

Important

If an account-level or user-level network policy is in force and the OAuth client is a service that connects from a different location (e.g. Microsoft Power BI Service) whose IP addresses that policy does not allow, the connection to Snowflake fails.

After creating the Snowflake OAuth security integration, set the OAuth network policy using this command:

ALTER SECURITY INTEGRATION <oauth_integration> SET NETWORK_POLICY = <oauth_network_policy>;

To unset the Snowflake OAuth network policy, use this command:

ALTER SECURITY INTEGRATION <oauth_integration> UNSET NETWORK_POLICY;

Where:

<oauth_integration>

Specifies the name of the Snowflake OAuth security integration.

<oauth_network_policy>

Specifies the name of an existing network policy in the account to apply to the Snowflake OAuth integration.

For more information, refer to Controlling network traffic with network policies and ALTER SECURITY INTEGRATION.

Error codes

Refer to the table below for descriptions of error codes associated with Snowflake OAuth:

Error Code | Error | Description
--- | --- | ---
390302 | OAUTH_CONSENT_INVALID | Issue generating or validating consent for a given user.
390303 | OAUTH_ACCESS_TOKEN_INVALID | The access token presented when attempting to create a Snowflake session is expired or invalid.
390304 | OAUTH_AUTHORIZE_INVALID_RESPONSE_TYPE | An invalid response_type was passed to the authorization endpoint (it should be code).
390305 | OAUTH_AUTHORIZE_INVALID_STATE_LENGTH | The state parameter passed to the authorization endpoint exceeds 2048 characters.
390306 | OAUTH_AUTHORIZE_INVALID_CLIENT_ID | No integration exists for the provided client_id.
390307 | OAUTH_AUTHORIZE_INVALID_REDIRECT_URI | The redirect_uri passed to the authorization endpoint does not match the redirect_uri of the integration associated with the provided client_id, or is not properly formatted.
390308 | OAUTH_AUTHORIZE_INVALID_SCOPE | Either the requested scope is not a valid scope, or the requested scopes cannot all be granted to the user.
390309 | OAUTH_USERNAMES_MISMATCH | The user you were trying to authenticate as differs from the user tied to the access token.
390311 | OAUTH_AUTHORIZE_INVALID_CODE_CHALLENGE_PARAMS | The code challenge or code challenge method is missing, invalid, or not supported.

Additionally, the following errors are defined by the OAuth 2.0 specification (RFC 6749) and are returned in the JSON body of an unsuccessful token request or refresh:

Error | Description
--- | ---
invalid_client | Client authentication failed, for example because the client is unknown or the client secret does not match.
invalid_grant | The provided authorization code or refresh token is invalid, expired, revoked, does not match the redirect URI used in the authorization request, or was issued to another client.
unsupported_grant_type | The grant_type is one Snowflake does not support; authorization_code and refresh_token are currently the only supported grant types.
invalid_request | The request was malformed or could not be processed.