Introduction to OAuth¶

Snowflake enables OAuth for clients through integrations. An integration is a Snowflake object that provides an interface between Snowflake and third-party services. Administrators configure OAuth using a Security integration, which enables clients that support OAuth to redirect users to an authorization page and generate access tokens (and optionally, refresh tokens) for accessing Snowflake.

Snowflake supports the OAuth 2.0 protocol for authentication and authorization using one of the options below:

The following table compares Snowflake OAuth and External OAuth:

Category	Snowflake OAuth	External OAuth
Modify client application	Required	Required
Client application browser access	Required	Not required
Programmatic clients	Requires a browser	Best fit
Driver property	`authenticator = oauth`	`authenticator = oauth`
Security integration syntax	`create security integration type = oauth ...`	`create security integration type = external_oauth`
OAuth flow	OAuth 2.0 code grant flow	Any OAuth flow that the client can initiate with the External OAuth server

Auditing OAuth logins¶

To query login attempts by Snowflake users, Snowflake provides a login history:

LOGIN_HISTORY , LOGIN_HISTORY_BY_USER (table function)
LOGIN_HISTORY view (view)

When OAuth is used to authenticate (successfully or unsuccessfully), the FIRST_AUTHENTICATION_FACTOR column in the output has the value OAUTH_ACCESS_TOKEN.

Private connectivity¶

Snowflake supports External OAuth with private connectivity to the Snowflake service.

Snowflake OAuth and Tableau can be used with private connectivity to Snowflake as follows:

Tableau Desktop:

Starting with Tableau 2020.4, Tableau contains an embedded OAuth client that supports connecting to Snowflake with the account URL for private connectivity to the Snowflake service.

After upgrading to Tableau 2020.4, no further configuration is needed; use the corresponding private connectivity URL for either AWS or Azure to connect to Snowflake.

Tableau Cloud:

Starting with Tableau 2020.4, users can optionally configure Tableau Cloud to use the embedded OAuth Client to connect to Snowflake with the account URL for private connectivity to the Snowflake service.

To use this feature, create a new Custom Client security integration and follow the Tableau instructions.

Important

To determine the account URL to use with private connectivity to the Snowflake service, call the SYSTEM$GET_PRIVATELINK_CONFIG function.

Looker:

Currently, combining Snowflake OAuth and Looker requires access to the public Internet. Therefore, you cannot use Snowflake OAuth and Looker with private connectivity to the Snowflake service.

For more information, refer to:

Clients, drivers, and connectors¶

Supported clients, drivers, and connectors can use OAuth to verify user login credentials.

Note the following:

It is necessary to set the authenticator parameter to oauth and the token parameter to the oauth_access_token.
When passing the token value as a URL query parameter, it is necessary to URL-encode the oauth_access_token value.
When passing the token value to a Properties object (e.g. JDBC Driver), no modifications are necessary.

For more information about connection parameters, refer to the reference documentation for the following clients, drivers, or connectors:

Client Redirect¶

Snowflake supports using Client Redirect with Snowflake OAuth and External OAuth, including using Client Redirect and OAuth with supported Snowflake Clients.

For more information, refer to Redirecting client connections.

Replication¶

Snowflake supports replication and failover/failback with both the Snowflake OAuth and External OAuth security integrations from the source account to the target account.

For details, refer to Replication of security integrations & network policies across multiple accounts.