Snowflake OAuth overview
Snowflake OAuth uses Snowflake's built-in OAuth service to provide OAuth-based authentication.
This topic describes Snowflake OAuth and how to use Snowflake as both the OAuth resource server and the OAuth authorization server for accessing Snowflake data securely.
Snowflake OAuth supports the following applications:
Partner applications
To configure support, refer to Configure Snowflake OAuth for partner applications.
To learn about using OAuth without traversing the public Internet, refer to Partner applications.
Custom clients
Snowflake supports custom clients configured by your organization. To configure support, refer to Configure Snowflake OAuth for custom clients.
Network policies
You can integrate a dedicated network policy with Snowflake OAuth only. The External OAuth security integration does not support setting a separate network policy, but you can still use a general network policy that applies to the entire Snowflake account.
The Snowflake OAuth security integration has a network_policy parameter, so the Snowflake OAuth integration can authenticate and authorize users from the OAuth client's IP addresses without those addresses having to be added to the policy that governs normal user access.
Setting up a network policy specific to the Snowflake OAuth integration allows the Snowflake OAuth network policy to be distinct from other network policies that may apply to the Snowflake account. Therefore, the Snowflake OAuth network policy allows for the authentication and authorization of users as intended.
A network policy applied to a Snowflake OAuth integration overrides a network policy applied to the entire Snowflake account, but is overridden by a network policy assigned to a user.
Important
If a network policy per user or account is set and you are using a service that runs in a different location (e.g. Microsoft Power BI Service), you will not be able to connect to Snowflake.
After creating the Snowflake OAuth security integration, set the OAuth network policy using this command:
ALTER SECURITY INTEGRATION <oauth_integration> SET NETWORK_POLICY = <oauth_network_policy>;
To unset the Snowflake OAuth network policy, use this command:
ALTER SECURITY INTEGRATION <oauth_integration> UNSET NETWORK_POLICY;
Where:
<oauth_integration>
Specifies the name of the Snowflake OAuth security integration.
<oauth_network_policy>
Specifies the Snowflake OAuth network policy in Snowflake.
For more information, refer to Controlling network traffic with network policies and ALTER SECURITY INTEGRATION.
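The following worked example is added here and is not part of the Snowflake documentation page above. It walks through the procedure the preceding paragraphs describe for a custom client: create a network policy scoped to the OAuth client's egress range, create the Snowflake OAuth security integration, bind the policy to the integration only, verify the result, and finally unset it. The names oauth_client_policy, custom_oauth_int and svc_oauth, the redirect URI, and the IP range 203.0.113.0/24 (a documentation-only range) are placeholders to replace with your own values.

```sql
-- Added example (not from the Snowflake documentation page above).
-- Placeholders: oauth_client_policy, custom_oauth_int, svc_oauth,
-- the redirect URI, and 203.0.113.0/24 (documentation-only range).
USE ROLE ACCOUNTADMIN;

-- 1. Network policy that admits only the OAuth client's egress range.
--    Keep it separate from the policy applied to interactive users.
CREATE NETWORK POLICY oauth_client_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Egress range of the OAuth client only; not for interactive users';

-- 2. Snowflake OAuth security integration for a custom confidential client.
CREATE SECURITY INTEGRATION custom_oauth_int
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://app.example.com/oauth/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400;

-- 3. Bind the policy to the integration only (the command from the page).
--    This overrides the account-level policy for this integration, but a
--    policy assigned directly to a user still takes precedence over it.
ALTER SECURITY INTEGRATION custom_oauth_int
  SET NETWORK_POLICY = oauth_client_policy;

-- 4. Verify: the NETWORK_POLICY property of the integration now names
--    oauth_client_policy, while the account-level setting is unchanged.
DESCRIBE SECURITY INTEGRATION custom_oauth_int;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- 5. Precedence check before enabling a service that connects from
--    elsewhere: a user-level policy on the service user would block it.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER svc_oauth;

-- 6. Remove the integration-specific policy when it is no longer needed.
ALTER SECURITY INTEGRATION custom_oauth_int UNSET NETWORK_POLICY;
```

Step 5 is the check that matters for the "Important" note above: if the service user or the account carries its own network policy, that policy, not the one bound to the integration, decides whether the client's connection is admitted.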
Error codes
Refer to the table below for descriptions of error codes associated with Snowflake OAuth:
Error Code | Error | Description
---|---|---
390302 | OAUTH_CONSENT_INVALID | Issue generating or validating consent for a given user.
390303 | OAUTH_ACCESS_TOKEN_INVALID | The access token provided when attempting to create a Snowflake session is expired or invalid.
390304 | OAUTH_AUTHORIZE_INVALID_RESPONSE_TYPE | Invalid
390305 | OAUTH_AUTHORIZE_INVALID_STATE_LENGTH | The state parameter passed to the authorization endpoint exceeds 2048 characters.
390306 | OAUTH_AUTHORIZE_INVALID_CLIENT_ID | No integration exists for the provided client ID.
390307 | OAUTH_AUTHORIZE_INVALID_REDIRECT_URI |
390308 | OAUTH_AUTHORIZE_INVALID_SCOPE | Either the requested scope is not a valid scope, or the requested scopes cannot be fully granted to the user.
390309 | OAUTH_USERNAMES_MISMATCH | The user you were trying to authenticate as differs from the user tied to the access token.
390311 | OAUTH_AUTHORIZE_INVALID_CODE_CHALLENGE_PARAMS | Either the code challenge or the code challenge method is missing, invalid, or not supported.
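As an added example that is not part of the Snowflake documentation above, the query below turns the numeric error codes in the table into a simple monitoring check. It assumes that failed Snowflake OAuth logins are recorded in SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY with the numeric code in its ERROR_CODE column (that view lags real time by up to a couple of hours), and the threshold of five failures is a constructed starting point to tune for your account.

```sql
-- Added example (not from the Snowflake documentation page above).
-- Assumption: Snowflake OAuth failures land in ACCOUNT_USAGE.LOGIN_HISTORY
-- with the numeric ERROR_CODE from the error-code table.
-- Repeated 390306 (unknown client ID) or 390309 (username mismatch) from one
-- client IP is worth a look; 390303 (expired/invalid access token) in bulk
-- usually points at a client that has stopped refreshing its tokens.
SELECT
  error_code,
  error_message,
  user_name,
  client_ip,
  COUNT(*)             AS failures,
  MIN(event_timestamp) AS first_seen,
  MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'NO'
  AND event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND error_code IN (390302, 390303, 390304, 390305, 390306,
                     390307, 390308, 390309, 390311)
GROUP BY error_code, error_message, user_name, client_ip
HAVING COUNT(*) >= 5   -- constructed threshold; tune per account
ORDER BY failures DESC, last_seen DESC;
```

Run it with a role that has been granted access to the SNOWFLAKE database; for near-real-time checks, the same filter works against the INFORMATION_SCHEMA LOGIN_HISTORY table function, at the cost of its shorter retention window.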
Additionally, the following errors are taken from the OAuth 2.0 RFC and are returned in the JSON body generated during an unsuccessful token request or exchange:
Error | Description
---|---
invalid_client | There was a failure relating to client authentication, such as the client being unknown or a client secret mismatch.
invalid_grant | The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
unsupported_grant_type | A grant type was provided that Snowflake currently does not support ("refresh_token" and "authorization_code" are the only two supported grant types at the moment).
invalid_request | The request was malformed or could not be processed.