Configure Snowflake OAuth for partner applications

This topic explains how to configure Snowflake OAuth access to Snowflake for supported Snowflake partner applications. This process requires creating an integration, a first-class Snowflake object that defines the interface between Snowflake and a third-party application or service.

Important

When connecting to Snowflake using any third-party application, Snowflake recommends that you verify that the integration flow used by the application meets your internal security requirements. You can contact the partner directly for details on their end-to-end flow used for this feature.

Note

In-session role switching to secondary roles is not supported with Snowflake OAuth.

If this behavior is necessary with your OAuth workflow, use External OAuth instead.

For more information, see Using secondary roles with External OAuth.

Currently, Snowflake OAuth supports the following applications:

Client

Required Client Version

Client Type

Tableau Desktop / Cloud [1]

2019.1 or higher

Public

Looker [2]

6.20 or higher

Alation

See the Alation documentation

ThoughtSpot

See the ThoughtSpot documentation

Collibra

See the Collibra documentation

Configuring a Snowflake OAuth integration

Create an integration using the CREATE SECURITY INTEGRATION command. An integration is a Snowflake object that provides an interface between Snowflake and third-party services, such as a client that supports Snowflake OAuth.

Note

Only account administrators (i.e users with the ACCOUNTADMIN system role) or a role with the global CREATE INTEGRATION privilege can execute this SQL command.

CREATE [ OR REPLACE ] SECURITY INTEGRATION [ IF NOT EXISTS ]
  <name>
  TYPE = OAUTH
  ENABLED = { TRUE | FALSE }
  OAUTH_CLIENT = <partner_application>
  oauthClientParams
  [ COMMENT = '<string_literal>' ]
Copy

Where:

oauthClientParams

oauthClientParams ::=
  [ OAUTH_ISSUE_REFRESH_TOKENS = TRUE | FALSE ]
  [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ]
  [ BLOCKED_ROLES_LIST = ('<role_name>', '<role_name>') ]
Copy

Blocking specific roles from using the integration

The optional BLOCKED_ROLES_LIST parameter allows you to list Snowflake roles that a user cannot explicitly consent to using with the integration.

By default, the ACCOUNTADMIN, SECURITYADMIN, and ORGADMIN roles are included in this list and cannot be removed. If you have a business need to allow users to use Snowflake OAuth with these roles, and your security team allows it, please contact Snowflake Support to request that these roles be allowed for your account.

Controlling the login frequency

When a user has authenticated successfully, the partner application can use the issued refresh token to request new, short-lived access tokens, and not prompt the user to repeat the login process until the refresh token expires. The optional OAUTH_REFRESH_TOKEN_VALIDITY parameter specifies the length of time a refresh token is valid (in seconds). This setting can be used to expire the refresh token periodically, forcing the user to repeat the login process.

The supported minimum, maximum, and default values for the OAUTH_REFRESH_TOKEN_VALIDITY parameter are as follows:

Application

Minimum

Maximum

Default

Tableau Desktop

60 (1 minute)

36000 (10 hours)

36000 (10 hours)

Tableau Cloud

60 (1 minute)

7776000 (90 days)

7776000 (90 days)

If you have a business need to lower the minimum value or raise the maximum value, please contact Snowflake Support to request the change for your account.

Using Client Redirect with Snowflake OAuth for partner applications

Snowflake supports using Client Redirect with Snowflake OAuth for Partner Applications, including using Client Redirect and Snowflake OAuth with supported Snowflake Clients.

For more information, see Redirecting client connections.

Managing network policies

Snowflake supports network policies for Snowflake OAuth. For more information, see Network policies.

Examples

Tableau Desktop

The following example creates a Snowflake OAuth integration with the default settings:

CREATE SECURITY INTEGRATION td_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_DESKTOP;
Copy

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION td_oauth_int1;
Copy

The following example creates a Snowflake OAuth integration with refresh tokens that expire after 10 hours (36000 seconds). The integration blocks users from starting a session with SYSADMIN as the active role:

CREATE SECURITY INTEGRATION td_oauth_int2
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 36000
  BLOCKED_ROLES_LIST = ('SYSADMIN')
  OAUTH_CLIENT = TABLEAU_DESKTOP;
Copy

Tableau Cloud

The following example creates a Snowflake OAuth integration with the default settings:

CREATE SECURITY INTEGRATION ts_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER;
Copy

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION ts_oauth_int1;
Copy

The following example creates a Snowflake OAuth integration with refresh tokens that expire after 1 day (86400 seconds). The integration blocks users from starting a session with SYSADMIN as the active role:

CREATE SECURITY INTEGRATION ts_oauth_int2
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400
  BLOCKED_ROLES_LIST = ('SYSADMIN');
Copy

Logging in to Snowflake from a partner application

Tableau

Follow the instructions provided by Tableau to connect to Snowflake using Snowflake OAuth.

Looker

Follow the steps provided by Looker to connect to Snowflake using Snowflake OAuth.

Alation

Access the Alation Community and follow the instructions provided by Alation to connect to Snowflake using Snowflake OAuth.

ThoughtSpot

Access the ThoughtSpot documentation and follow the instructions to create a connection to Snowflake, which includes a step on how to configure Snowflake OAuth.

Collibra

Access the Collibra Documentation and follow the instructions provided by Collibra to connect to Snowflake using Snowflake OAuth.

Error codes

See the Error codes for a list of error codes associated with OAuth, as well as errors that are returned in the JSON blob, during the authorization flow, token request or exchange, or when creating a Snowflake session after completing the OAuth flow.