Configuring OAuth for Partner Applications

This topic explains how to configure OAuth access to Snowflake for supported Snowflake partner applications. This process requires creating an integration, a first-class Snowflake object that defines the interface between Snowflake and a third-party application or service.

Important

When connecting to Snowflake using any third-party application, Snowflake recommends that you verify that the integration flow used by the application meets your internal security requirements. You can contact the partner directly for details on the end-to-end flow they use for this feature.

Currently, Snowflake supports OAuth for the following applications:

Client                              Required Client Version   Client Type
Tableau Desktop / Server / Online   2019.1 or higher          Public

Known Issues

The Snowflake multi-factor authentication (MFA) feature is not supported when federated authentication and OAuth are enabled for a user. As a workaround, disable MFA support in Snowflake for the user and enable it instead with your federated authentication provider.

Step 1. Configuring an OAuth Integration

Create an integration using the CREATE SECURITY INTEGRATION command. An integration is a Snowflake object that provides an interface between Snowflake and third-party services, such as a client that supports OAuth.

Note

Only account administrators (users with the ACCOUNTADMIN role) can execute this SQL command.

CREATE [ OR REPLACE ] SECURITY INTEGRATION [IF NOT EXISTS]
  <name>
  TYPE = OAUTH
  ENABLED = { TRUE | FALSE }
  OAUTH_CLIENT = <partner_application>
  oauthClientParams
  [ COMMENT = '<string_literal>' ]

Where:

oauthClientParams
oauthClientParams ::=
  [ OAUTH_ISSUE_REFRESH_TOKENS = TRUE | FALSE ]
  [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ]
  [ BLOCKED_ROLES_LIST = ('<role_name>', '<role_name>') ]

Blocking Specific Roles from Using the Integration

The optional BLOCKED_ROLES_LIST parameter allows you to list Snowflake roles that a user cannot explicitly consent to using with the integration.

By default, the account administrator (ACCOUNTADMIN) and security administrator (SECURITYADMIN) roles are included in this list and cannot be removed. If you have a business need to allow users to use OAuth with these roles, and your security team is comfortable with allowing it, please contact Snowflake Support to request that these roles be allowed for your account.

Controlling the Login Frequency

When a user has authenticated successfully, the partner application can use the issued refresh token to request new, short-lived access tokens, and not prompt the user to repeat the login process until the refresh token expires. The optional OAUTH_REFRESH_TOKEN_VALIDITY parameter specifies the length of time a refresh token is valid (in seconds). This setting can be used to expire the refresh token periodically, forcing the user to repeat the login process.

The supported minimum, maximum, and default values for the OAUTH_REFRESH_TOKEN_VALIDITY parameter are as follows:

Application                        Minimum         Maximum             Default
Tableau Desktop                    60 (1 minute)   36000 (10 hours)    36000 (10 hours)
Tableau Server or Tableau Online   60 (1 minute)   7776000 (90 days)   7776000 (90 days)

If you have a business need to lower the minimum value or raise the maximum value, please contact Snowflake Support to request the change for your account.
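As an added example (not part of the Snowflake documentation), the following Python helper reviews the settings described under the two preceding sections, BLOCKED_ROLES_LIST and OAUTH_REFRESH_TOKEN_VALIDITY, against the documented per-client limits and a local policy ceiling. It assumes the DESCRIBE SECURITY INTEGRATION output has been read into (property, property_value) pairs; the sample rows and the max_validity policy value are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Refresh-token validity bounds (seconds) from the table above, keyed by OAUTH_CLIENT.
VALIDITY_BOUNDS = {"TABLEAU_DESKTOP": (60, 36000), "TABLEAU_SERVER": (60, 7776000)}
# Roles the page says are always in BLOCKED_ROLES_LIST; their absence is a finding.
ALWAYS_BLOCKED = {"ACCOUNTADMIN", "SECURITYADMIN"}

# Constructed sample, shaped like the property / property_value columns of DESC output.
SAMPLE_DESC_ROWS = [
    ("ENABLED", "true"),
    ("OAUTH_CLIENT", "TABLEAU_SERVER"),
    ("OAUTH_ISSUE_REFRESH_TOKENS", "true"),
    ("OAUTH_REFRESH_TOKEN_VALIDITY", "86400"),
    ("BLOCKED_ROLES_LIST", "ACCOUNTADMIN,SECURITYADMIN,SYSADMIN"),
]


def parse_role_list(value: str) -> set:
    """Split a comma-separated role list, tolerating quotes, spaces and case."""
    return {r.strip().strip("'\"").upper() for r in value.split(",") if r.strip()}


def audit_integration(rows: List[Tuple[str, str]],
                      required_blocked=("SYSADMIN",),
                      max_validity: int = 7776000) -> List[str]:
    """Return policy findings for one integration; an empty list means it passes.

    max_validity is a hypothetical local policy ceiling; the documented
    per-client maximum is checked first and still applies on top of it.
    """
    props: Dict[str, str] = {k.upper(): v for k, v in rows}
    findings: List[str] = []
    if props.get("ENABLED", "").lower() != "true":
        findings.append("ENABLED is not true")
    client = props.get("OAUTH_CLIENT", "").upper()
    bounds = VALIDITY_BOUNDS.get(client)
    if bounds is None:
        findings.append(f"unknown OAUTH_CLIENT {client!r}")
    else:
        lo, hi = bounds
        # The documented default equals the per-client maximum when the value is unset.
        validity = int(props.get("OAUTH_REFRESH_TOKEN_VALIDITY", hi))
        if not lo <= validity <= hi:
            findings.append(f"OAUTH_REFRESH_TOKEN_VALIDITY {validity} outside {lo}..{hi}")
        elif validity > max_validity:
            findings.append(f"OAUTH_REFRESH_TOKEN_VALIDITY {validity} exceeds policy {max_validity}")
    blocked = parse_role_list(props.get("BLOCKED_ROLES_LIST", ""))
    for role in sorted(ALWAYS_BLOCKED | {r.upper() for r in required_blocked}):
        if role not in blocked:
            findings.append(f"role {role} missing from BLOCKED_ROLES_LIST")
    return findings
```

Run it against each integration's DESC output after creation and again after any ALTER, so a widened token lifetime or a removed blocked role surfaces as a finding rather than going unnoticed.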

Examples

Tableau Desktop

The following example creates an OAuth integration with the default settings:

CREATE SECURITY INTEGRATION td_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_DESKTOP;

View the integration settings using DESCRIBE SECURITY INTEGRATION:

DESC SECURITY INTEGRATION td_oauth_int1;

The following example creates an OAuth integration with refresh tokens that expire after 10 hours (36000 seconds). The integration blocks users from starting a session with SYSADMIN as the active role:

CREATE SECURITY INTEGRATION td_oauth_int2
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_DESKTOP
  OAUTH_REFRESH_TOKEN_VALIDITY = 36000
  BLOCKED_ROLES_LIST = ('SYSADMIN');

Tableau Server or Tableau Online

The following example creates an OAuth integration with the default settings:

CREATE SECURITY INTEGRATION ts_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER;

View the integration settings using DESCRIBE SECURITY INTEGRATION:

DESC SECURITY INTEGRATION ts_oauth_int1;

The following example creates an OAuth integration with refresh tokens that expire after 1 day (86400 seconds). The integration blocks users from starting a session with SYSADMIN as the active role:

CREATE SECURITY INTEGRATION ts_oauth_int2
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400
  BLOCKED_ROLES_LIST = ('SYSADMIN');

Step 2. Logging into Snowflake from a Partner Application

Tableau

Follow the instructions provided by Tableau to connect to Snowflake using OAuth.

Important

Currently, Tableau applications can only authorize the default role for a user; or, if a default role is not set, then the PUBLIC role is used as the active role for the session.

Integration DDL

To support creating and/or managing integrations and delegated authorizations, Snowflake provides the following set of special DDL commands: