External OAuth allows you to use an external authorization service to access Snowflake. To implement OAuth for a client application, you must configure the external authorization service as well as Snowflake. During this process, you obtain the client information (client ID, client secret, authorization endpoint, and token endpoint) required to configure the driver.

Note: The following instructions provide guidance on developing an External OAuth integration with Okta. However, Snowflake supports a number of other external authorization services. Refer to External OAuth in the Snowflake documentation for details.

The following workflow describes the process for creating an External OAuth security integration with Okta.

  1. Okta: Create an OAuth client
  2. Okta: Create the OAuth authorization server
  3. Snowflake: Create External OAuth security integration

Okta: Create an OAuth client

  1. Log in to Okta, and navigate to the Admin Console.
  2. Navigate to Applications > Applications. Then, click Create App Integration.
  3. For Sign-in method, select OIDC.
  4. For Application type, select Native Application.
  5. Click Next.
  6. On the App Integration screen, enter the App integration name, and select the grant types you plan to use.
  7. For Sign-in redirect URIs, enter your Snowflake account URL.
    Note: For example, to test, you might use http://localhost.
  8. Click Save.
  9. From the General tab of your integration, click Edit next to Client Credentials.
  10. Select Use Client Authentication.
  11. For Client authentication, select Client secret.
  12. Click Save.
  13. From the General tab of your integration, save the Client ID and Client Secret values.
  14. Select the Assignments tab, and assign the current user to the app.

Result: An Okta OAuth client has been created. In addition, you have saved the client ID and client secret which will be needed to configure the driver.

Okta: Create the OAuth authorization server

  1. From the Okta Admin Console, navigate to Security > API and click Add Authorization Server.
  2. For Audience, enter the Snowflake account URL. Then, click Save.
  3. From the Settings tab, copy and save the Issuer value.
  4. From the Settings tab, open the Metadata URI and save the following values.
    • JWS keys URL: the value of the jwks_uri parameter
    • Authorization URL: the value of the authorization_endpoint parameter
    • Token URL: the value of the token_endpoint parameter
  5. From the Scopes tab, click Add Scope.
  6. Enter the Snowflake scope and scope information.
    Note: Snowflake scopes are typically tied to Snowflake roles. For example: session:role:SYSADMIN.
  7. Click Save.
  8. From the Access Policies tab, click Add New Access Policy.
  9. Select The following clients, and add the OAuth client application created in "Okta: Create an OAuth client".
  10. Click Create Policy.
  11. Click Add Rule, and make selections based on your requirements.

    Note:

    • Client Credentials and Resource Owner Password are required for Snowflake.
    • Authorization Code should be selected if you plan to use the authorization code grant or use the driver Configuration Manager to generate access and refresh tokens.
  12. Click Create rule.

Result: An Okta authorization server has been created to use with an External OAuth security integration in Snowflake. In addition, you have recorded the token URI and the authorization URI which are required to configure the driver for some OAuth 2.0 grant types.

Snowflake: Create External OAuth security integration

Note: The Snowflake user must have either the ACCOUNTADMIN role or the global CREATE INTEGRATION privilege to execute the create security integration command.

  1. Log in to Snowflake.
  2. Open Worksheets or select the schema you are working with.
    Note: Administrators may check to see whether the SYSADMIN role has the required privileges for the warehouse by navigating to Admin > Warehouses > warehouse_name > Edit > Privileges.
  3. Run the following command to create the security integration.
    Note: For more details on parameters, refer to CREATE SECURITY INTEGRATION (External OAuth) in the Snowflake documentation.
    create security integration integration_name
        type = external_oauth
        enabled = true
        external_oauth_any_role_mode = 'ENABLE'
        external_oauth_type = okta
        external_oauth_issuer = 'okta_issuer'
        external_oauth_jws_keys_url = 'okta_jws_keys_url'
        external_oauth_audience_list = ('audience_list')
        external_oauth_token_user_mapping_claim = 'sub'
        external_oauth_snowflake_user_mapping_attribute = 'login_name';

    where:

    integration_name
    is the name of the security integration.

    okta_issuer
    is the URL that defines the Okta OAuth 2.0 authorization server. Obtained in Step 3 of "Okta: Create the OAuth authorization server". For example: https://dev-123456.okta.com/oauth2/abcdefg.

    okta_jws_keys_url
    is the Okta URL where public keys may be downloaded to validate an External OAuth access token. Obtained in Step 4 of "Okta: Create the OAuth authorization server". For example: https://dev-123456.okta.com/oauth2/abcdefg/v1/keys.

    audience_list
    is your Snowflake account URL. For example: https://myorg-account.us-east-1.snowflakecomputing.com.

    external_oauth_token_user_mapping_claim
    specifies a key that indicates the user associated with the access token. Typically, in Okta, the sub key passes the Okta user associated with a given access token.

    external_oauth_snowflake_user_mapping_attribute
    specifies the Snowflake user attribute that should be used to map the access token to a Snowflake user record. In the example, the Snowflake user login_name attribute is being used for this purpose. Therefore, the value of the sub key must match the value of login_name to complete the OAuth flow and grant the client application access to Snowflake resources.

What's next

If you are using the client credentials grant or the authorization code grant, proceed to the corresponding topic for guidance on configuring the driver.

If you are using the access token flow or refresh token grant, see Obtaining access and refresh tokens using the Configuration Manager.