OAuth support for Snowflake

PreviousConnecting to Snowflake NextIntegrating Snowflake with Azure AD via OAuth

Last updated 4 months ago

Was this helpful?

OAuth support for Snowflake

In addition to the direct access method (using user name and password), Tellius offers OAuth-based authentication to access data from Snowflake.

Once you choose Snowflake as your datasource, you will get the option to choose OAuth-based authentication or a direct way of authentication (using username and password). For direct access method, please refer to page.

According to the Snowflake Enterprise and IT guidelines, commercial service accounts will be decommissioned and flagged as not secure. Tellius recommends following OAuth-based authentication.

Setting up OAuth configuration in Snowflake

If you chose OAuth as the authentication mechanism, then you need to configure OAuth in Snowflake.

Run the following command from the Snowflake database console.

create security integration oauth_tellius
type = oauth
enabled = true
oauth_client = custom
oauth_client_type = 'CONFIDENTIAL'
oauth_redirect_uri = 'https://<Tellius URL>/dataset/wizard/snowflake'  oauth_issue_refresh_tokens = true
oauth_refresh_token_validity = 7776000

Run the following command to obtain Client Secret and Client ID.

select system$show_auth_client_secrets('oauth_tellius')

An output similar to the one shown below will be displayed.

{"OAUTH_CLIENT_SECRET_2":"xxxxxxxxxxxxxxxxxxxxx",
"OAUTH_CLIENT_SECRET":"xxxxxxxxxxxxxxxxxxxxx",
"OAUTH_CLIENT_ID":"xxxxxxxxxxxxxxxxxxxxx"}

Copy the OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID to paste them into the Client Secret and Client ID fields, respectively (from the Tellius interface).

After configuring OAuth in Snowflake, perform the following steps from Tellius:

Switch on the toggle near Use validated datasource connection details to use an already established connection. The other fields would be auto-filled.
If you’re establishing a new connection, then provide the Snowflake URL, user, client ID, client secret, role, and datasource name.
Once you click on Authorize, Tellius sends an authorization request to the Snowflake authorization server, and you will be redirected to the following window:

In addition to requesting a username and password, Snowflake also seeks your consent so that Tellius can access and retrieve your data from Snowflake.
Once you submit your consent, Tellius gets authorized to act on your behalf.
Snowflake server sends an authorization code to Tellius.

Getting access token

Now, Tellius sends the authorization code back to the Snowflake server seeking an access token.
After verifying the authorization code, Snowflake provides an access token to Tellius for retrieving the required datasets.
Tellius sends the access token to the Snowflake resource server.
Snowflake resource server accepts the valid access token and creates a user session for Tellius to access the resources.

Since Tellius is a confidential client, the authorization process is a one-time setup, and it need not be repeated each time Tellius tries to read data from Snowflake.

How to refresh the access token?

The lifetime of each access token is ten minutes, and Tellius automatically renews the token to gain uninterrupted access. The refresh token can be re-authorized once every 90 days. Tellius reminds you of the expiring token with a warning sign next to the datasource name under Data → Connect.