OAuth support for Snowflake

Ramya Priya Updated by Ramya Priya

In addition to the direct access method (using user name and password), Tellius offers OAuth-based authentication to access data from Snowflake.

Once you choose Snowflake as your datasource, you will get the option to choose OAuth-based authentication or a direct way of authentication (using username and password). For direct access method, please refer to this page. 

OAuth-based authentication for Snowflake
According to the Snowflake Enterprise and IT guidelines, commercial service accounts will be decommissioned and flagged as not secure. Tellius recommends following OAuth-based authentication.

Setting up OAuth configuration in Snowflake

If you chose OAuth as the authentication mechanism, then you need to configure OAuth in Snowflake.

  1. Run the following command from the Snowflake database console.
create security integration oauth_tellius
type = oauth
enabled = true
oauth_client = custom
oauth_client_type = 'CONFIDENTIAL'
oauth_redirect_uri = 'https://<Tellius URL>/datasource/snowflake/redirect'  oauth_issue_refresh_tokens = true
oauth_refresh_token_validity = 777600
  1. Run the following command to get Authorization URL and Access Token URL for integration.
describe security integration oauth_tellius;
  1. Once the above commands are executed, you will get an output similar to the table shown below:
property
property_type
property_value
property_default

ENABLED

Boolean

TRUE

FALSE

OAUTH_REDIRECT_URI

String

https://localhost:8080/sso

OAUTH_CLIENT_TYPE

String

CONFIDENTIAL

CONFIDENTIAL

OAUTH_ISSUE_REFRESH_TOKENS

Boolean

TRUE

TRUE

OAUTH_REFRESH_TOKEN_VALIDITY

Integer

864000

7776000

OAUTH_ENFORCE_PKCE

Boolean

FALSE

FALSE

OAUTH_USE_SECONDARY_ROLES

String

NONE

NONE

OAUTH_CLIENT_ID

String

Sf66uk4V+OR3hbZN+Fnr/ayJV+s=

OAUTH_AUTHORIZATION_ENDPOINT

String

https://telliuspartner.snowflakecomputing.com/oauth/authorize

OAUTH_TOKEN_ENDPOINT

String

https://telliuspartner.snowflakecomputing.com/oauth/token-request

OAUTH_ALLOWED_AUTHORIZATION_ENDPOINTS

List

https://telliuspartner.snowflakecomputing.com/oauth/authorize,https://fryefnr-telliuspartner.snowflakecomputing.com/oauth/authorize

[]

OAUTH_ALLOWED_TOKEN_ENDPOINTS

List

https://telliuspartner.snowflakecomputing.com/oauth/token-request,https://fryefnr-telliuspartner.snowflakecomputing.com/oauth/token-request

[]

  1. Run the following command to obtain Client Secret and Client ID.
select system$show_auth_client_secrets('oauth_tellius')
  1. An output similar to the one shown below will be displayed.
{"OAUTH_CLIENT_SECRET_2":"xxxxxxxxxxxxxxxxxxxxx",
"OAUTH_CLIENT_SECRET":"xxxxxxxxxxxxxxxxxxxxx",
"OAUTH_CLIENT_ID":"xxxxxxxxxxxxxxxxxxxxx"}
  1. Copy the OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID to paste them into the Client Secret and Client ID fields, respectively (from the Tellius interface). 
OAuth-based authentication for Snowflake

After configuring OAuth in Snowflake, perform the following steps from Tellius:

  1. Switch on the toggle near Use validated datasource connection details to use an already established connection. The other fields would be auto-filled.
  2. If you’re establishing a new connection, then provide the Snowflake URL, user, client ID, client secret, role, and datasource name.
  3. Once you click on Authorize, Tellius sends an authorization request to the Snowflake authorization server, and you will be redirected to the following window:
Redirection to Snowflake site
  1. In addition to requesting a username and password, Snowflake also seeks your consent so that Tellius can access and retrieve your data from Snowflake.
  2. Once you submit your consent, Tellius gets authorized to act on your behalf.
  3. Snowflake server sends an authorization code to Tellius.

Getting access token

  1. Now, Tellius sends the authorization code back to the Snowflake server seeking an access token.
  2. After verifying the authorization code, Snowflake provides an access token to Tellius for retrieving the required datasets.
  3. Tellius sends the access token to the Snowflake resource server.
  4. Snowflake resource server accepts the valid access token and creates a user session for Tellius to access the resources.

Since Tellius is a confidential client, the authorization process is a one-time setup, and it need not be repeated each time Tellius tries to read data from Snowflake. 

How to refresh the access token?

The lifetime of each access token is ten minutes, and Tellius automatically renews the token to gain uninterrupted access. The refresh token can be re-authorized once every 90 days. Tellius reminds you of the expiring token with a warning sign next to the datasource name under Data → Connect.

Reminder to re-authorize the refresh token

For more information, please refer to this official Snowflake document.

Did we help you?

Snowflake Best Practices

Contact