Snowflake

Snowflake OAuth Security Integration: External OAuth vs Snowflake OAuth

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

Snowflake's OAuth Security Integration lets you authenticate to Snowflake over the OAuth 2.0 protocol without passwords. It comes in two flavors — External OAuth (tokens issued by an external authorization server) and Snowflake OAuth (tokens issued by Snowflake itself) — which you choose between based on your use case.

External OAuth vs Snowflake OAuth Comparison

AspectExternal OAuthSnowflake OAuth
Authorization serverExternal IdP (Azure AD, Okta, Custom)Snowflake itself
TYPE valueEXTERNAL_OAUTHOAUTH
Token issuerExternal authorization serverSnowflake
Token validationPublic key fetched from the JWKS endpoint for verificationVerified internally by Snowflake
User mappingSnowflake user is identified from token claims (upn, email, etc.)Authenticated via Snowflake login credentials
Role controlScopes (sn:role:ROLE_NAME) or ANY_ROLE_MODESession default role
Refresh token managementManaged by the external authorization serverManaged by Snowflake (configurable validity)
Main use casesCustom apps, microservicesBI tools (Tableau, Looker, etc.), Snowsight
Client authenticationclient_id/secret from the external IdPclient_id/secret issued by Snowflake
Multiple integrationsMultiple allowedMultiple allowed

Creating an External OAuth Security Integration

-- Azure AD向けExternal OAuth
CREATE SECURITY INTEGRATION ext_oauth_azure
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = AZURE
  EXTERNAL_OAUTH_ISSUER = 'https://sts.windows.net/<tenant-id>/'
  EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys'
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('https://<account>.snowflakecomputing.com')
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME'
  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'DISABLE';

-- Okta向けExternal OAuth
CREATE SECURITY INTEGRATION ext_oauth_okta
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = OKTA
  EXTERNAL_OAUTH_ISSUER = 'https://myorg.okta.com/oauth2/default'
  EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://myorg.okta.com/oauth2/default/v1/keys'
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('https://<account>.snowflakecomputing.com')
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME'
  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';

-- カスタムOAuth 2.0サーバー向け
CREATE SECURITY INTEGRATION ext_oauth_custom
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = CUSTOM
  EXTERNAL_OAUTH_ISSUER = 'https://auth.example.com'
  EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://auth.example.com/.well-known/jwks.json'
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('snowflake-api')
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'email'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL'
  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';

Creating a Snowflake OAuth Security Integration

-- Tableau Desktop向け(プリセット使用)
CREATE SECURITY INTEGRATION sf_oauth_tableau
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_DESKTOP
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400;

-- カスタムアプリケーション向け(Confidentialクライアント)
CREATE SECURITY INTEGRATION sf_oauth_webapp
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://myapp.example.com/oauth/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;

-- SPA/モバイル向け(Publicクライアント)
CREATE SECURITY INTEGRATION sf_oauth_spa
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'PUBLIC'
  OAUTH_REDIRECT_URI = 'https://spa.example.com/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 3600;

Role Mapping for External OAuth

-- スコープベースのロール制御(デフォルト)
-- IdP側のトークンスコープに以下を含める:
--   session:role:ANALYST_ROLE
-- → Snowflakeセッションでは ANALYST_ROLE が使用される

-- ANY_ROLE_MODEの設定変更
ALTER SECURITY INTEGRATION ext_oauth_azure
  SET EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';
-- → ユーザーに付与されている任意のロールを使用可能

-- ENABLE_FOR_PRIVILEGE(ACCOUNTADMINを除外)
ALTER SECURITY INTEGRATION ext_oauth_azure
  SET EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE_FOR_PRIVILEGE';

OAuth Authentication Flow

With External OAuth, the client application first obtains an access token from the external authorization server, then passes that token to the Snowflake driver's connection parameters. Snowflake verifies the token signature, identifies the user from the claims, and establishes a session.

-- Python Connectorでの接続例(External OAuth)
import snowflake.connector

conn = snowflake.connector.connect(
    account='<account>',
    authenticator='oauth',
    token='<external_oauth_access_token>',
    warehouse='COMPUTE_WH',
    database='ANALYTICS',
    schema='PUBLIC'
)

-- SnowSQL接続例(External OAuth)
-- snowsql -a <account> --authenticator oauth --token <access_token>

Management and Auditing

-- Integration一覧の確認
SHOW SECURITY INTEGRATIONS;

-- Integration詳細(client_idの確認等)
DESCRIBE SECURITY INTEGRATION sf_oauth_webapp;

-- OAuth接続の監査(LOGIN_HISTORY)
SELECT
  user_name,
  client_ip,
  first_authentication_factor,
  second_authentication_factor,
  is_success,
  error_message,
  event_timestamp
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE first_authentication_factor = 'OAUTH_ACCESS_TOKEN'
  AND event_timestamp >= DATEADD(DAY, -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

Check Your Understanding

Security & Governance

問題 1

A custom web application connects to Snowflake using External OAuth (Azure AD). When the user runs USE ROLE DATA_ENGINEER it fails, but the same user can use the DATA_ENGINEER role after signing in to Snowsight with password authentication. What is the most likely cause?

  1. EXTERNAL_OAUTH_ANY_ROLE_MODE on the External OAuth integration is DISABLE, and the token's scope does not include the DATA_ENGINEER role
  2. The DATA_ENGINEER role relies on a feature available only in Enterprise Edition or higher
  3. ENABLED on the External OAuth integration is set to FALSE
  4. The Azure AD token has expired

正解: A

With EXTERNAL_OAUTH_ANY_ROLE_MODE = 'DISABLE' (the default), only roles specified in the OAuth token's scope (in the form session:role:ROLE_NAME) can be used. Because DATA_ENGINEER is not in the token's scope, USE ROLE fails. Password authentication does not enforce this restriction, so it works normally. The fix is to add DATA_ENGINEER to the scope on the IdP side, or change ANY_ROLE_MODE to ENABLE.

Frequently Asked Questions

How do refresh tokens differ between External OAuth and Snowflake OAuth?

With Snowflake OAuth, you set OAUTH_ISSUE_REFRESH_TOKENS = TRUE and control the lifetime with OAUTH_REFRESH_TOKEN_VALIDITY; Snowflake itself issues and manages the refresh tokens. With External OAuth, the external authorization server (Azure AD, Okta, etc.) owns the refresh tokens, and Snowflake cannot configure their validity. In External OAuth deployments, token lifetimes are managed entirely on the IdP side.

Should I enable EXTERNAL_OAUTH_ANY_ROLE_MODE for External OAuth?

With EXTERNAL_OAUTH_ANY_ROLE_MODE = 'DISABLE' (the default), only roles that match a scope in the external OAuth token (in the form sn:role:ROLE_NAME) can be used. Setting it to ENABLE lets the user assume any role granted to their account. From a security standpoint, keeping it DISABLE and controlling roles via scopes is preferable, but consider ENABLE if you need flexible role switching. ENABLE_FOR_PRIVILEGE offers a middle ground that excludes ACCOUNTADMIN.

What OAUTH_CLIENT presets are available for Snowflake OAuth?

Snowflake provides presets for major BI tools such as TABLEAU_DESKTOP, TABLEAU_SERVER, and LOOKER. Presets automatically configure the redirect URI and client type. Specifying CUSTOM lets you set OAUTH_REDIRECT_URI and OAUTH_CLIENT_TYPE manually for any application. OAUTH_CLIENT_TYPE can be CONFIDENTIAL (server-side apps) or PUBLIC (SPAs and mobile apps), and must be set when OAUTH_CLIENT is CUSTOM.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Snowflake

Snowflake Certifications: All 11 Exams Explained (2026)

Every SnowPro certification — Associate, Core, Specialty, Ad...

Snowflake

Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)

All 11 SnowPro exams ranked by difficulty with study-time es...

Snowflake

Snowflake Study Guide: Fastest Pass Route by Exam (2026)

How to pass SnowPro certifications efficiently — official ma...

Snowflake

SnowPro Core (COF-C03): Complete Exam Guide (2026)

Pass the SnowPro Core exam — six domains, scope, sample ques...

Snowflake

SnowPro Associate Platform (SOL-C01): Complete Guide (2026)

The entry-level SnowPro Associate exam — scope, weighting, s...

Browse all Snowflake articles (103)
© 2026 NicheeLab All rights reserved.