Snowflake's OAuth Security Integration lets you authenticate to Snowflake over the OAuth 2.0 protocol without passwords. It comes in two flavors — External OAuth (tokens issued by an external authorization server) and Snowflake OAuth (tokens issued by Snowflake itself) — which you choose between based on your use case.
| Aspect | External OAuth | Snowflake OAuth |
|---|---|---|
| Authorization server | External IdP (Azure AD, Okta, Custom) | Snowflake itself |
| TYPE value | EXTERNAL_OAUTH | OAUTH |
| Token issuer | External authorization server | Snowflake |
| Token validation | Public key fetched from the JWKS endpoint for verification | Verified internally by Snowflake |
| User mapping | Snowflake user is identified from token claims (upn, email, etc.) | Authenticated via Snowflake login credentials |
| Role control | Scopes (sn:role:ROLE_NAME) or ANY_ROLE_MODE | Session default role |
| Refresh token management | Managed by the external authorization server | Managed by Snowflake (configurable validity) |
| Main use cases | Custom apps, microservices | BI tools (Tableau, Looker, etc.), Snowsight |
| Client authentication | client_id/secret from the external IdP | client_id/secret issued by Snowflake |
| Multiple integrations | Multiple allowed | Multiple allowed |
-- Azure AD向けExternal OAuth
CREATE SECURITY INTEGRATION ext_oauth_azure
TYPE = EXTERNAL_OAUTH
ENABLED = TRUE
EXTERNAL_OAUTH_TYPE = AZURE
EXTERNAL_OAUTH_ISSUER = 'https://sts.windows.net/<tenant-id>/'
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys'
EXTERNAL_OAUTH_AUDIENCE_LIST = ('https://<account>.snowflakecomputing.com')
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME'
EXTERNAL_OAUTH_ANY_ROLE_MODE = 'DISABLE';
-- Okta向けExternal OAuth
CREATE SECURITY INTEGRATION ext_oauth_okta
TYPE = EXTERNAL_OAUTH
ENABLED = TRUE
EXTERNAL_OAUTH_TYPE = OKTA
EXTERNAL_OAUTH_ISSUER = 'https://myorg.okta.com/oauth2/default'
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://myorg.okta.com/oauth2/default/v1/keys'
EXTERNAL_OAUTH_AUDIENCE_LIST = ('https://<account>.snowflakecomputing.com')
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME'
EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';
-- カスタムOAuth 2.0サーバー向け
CREATE SECURITY INTEGRATION ext_oauth_custom
TYPE = EXTERNAL_OAUTH
ENABLED = TRUE
EXTERNAL_OAUTH_TYPE = CUSTOM
EXTERNAL_OAUTH_ISSUER = 'https://auth.example.com'
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://auth.example.com/.well-known/jwks.json'
EXTERNAL_OAUTH_AUDIENCE_LIST = ('snowflake-api')
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'email'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL'
EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';-- Tableau Desktop向け(プリセット使用)
CREATE SECURITY INTEGRATION sf_oauth_tableau
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = TABLEAU_DESKTOP
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 86400;
-- カスタムアプリケーション向け(Confidentialクライアント)
CREATE SECURITY INTEGRATION sf_oauth_webapp
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
OAUTH_REDIRECT_URI = 'https://myapp.example.com/oauth/callback'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;
-- SPA/モバイル向け(Publicクライアント)
CREATE SECURITY INTEGRATION sf_oauth_spa
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'PUBLIC'
OAUTH_REDIRECT_URI = 'https://spa.example.com/callback'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 3600;-- スコープベースのロール制御(デフォルト)
-- IdP側のトークンスコープに以下を含める:
-- session:role:ANALYST_ROLE
-- → Snowflakeセッションでは ANALYST_ROLE が使用される
-- ANY_ROLE_MODEの設定変更
ALTER SECURITY INTEGRATION ext_oauth_azure
SET EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';
-- → ユーザーに付与されている任意のロールを使用可能
-- ENABLE_FOR_PRIVILEGE(ACCOUNTADMINを除外)
ALTER SECURITY INTEGRATION ext_oauth_azure
SET EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE_FOR_PRIVILEGE';With External OAuth, the client application first obtains an access token from the external authorization server, then passes that token to the Snowflake driver's connection parameters. Snowflake verifies the token signature, identifies the user from the claims, and establishes a session.
-- Python Connectorでの接続例(External OAuth)
import snowflake.connector
conn = snowflake.connector.connect(
account='<account>',
authenticator='oauth',
token='<external_oauth_access_token>',
warehouse='COMPUTE_WH',
database='ANALYTICS',
schema='PUBLIC'
)
-- SnowSQL接続例(External OAuth)
-- snowsql -a <account> --authenticator oauth --token <access_token>-- Integration一覧の確認
SHOW SECURITY INTEGRATIONS;
-- Integration詳細(client_idの確認等)
DESCRIBE SECURITY INTEGRATION sf_oauth_webapp;
-- OAuth接続の監査(LOGIN_HISTORY)
SELECT
user_name,
client_ip,
first_authentication_factor,
second_authentication_factor,
is_success,
error_message,
event_timestamp
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE first_authentication_factor = 'OAUTH_ACCESS_TOKEN'
AND event_timestamp >= DATEADD(DAY, -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;Security & Governance
問題 1
A custom web application connects to Snowflake using External OAuth (Azure AD). When the user runs USE ROLE DATA_ENGINEER it fails, but the same user can use the DATA_ENGINEER role after signing in to Snowsight with password authentication. What is the most likely cause?
正解: A
With EXTERNAL_OAUTH_ANY_ROLE_MODE = 'DISABLE' (the default), only roles specified in the OAuth token's scope (in the form session:role:ROLE_NAME) can be used. Because DATA_ENGINEER is not in the token's scope, USE ROLE fails. Password authentication does not enforce this restriction, so it works normally. The fix is to add DATA_ENGINEER to the scope on the IdP side, or change ANY_ROLE_MODE to ENABLE.
How do refresh tokens differ between External OAuth and Snowflake OAuth?
With Snowflake OAuth, you set OAUTH_ISSUE_REFRESH_TOKENS = TRUE and control the lifetime with OAUTH_REFRESH_TOKEN_VALIDITY; Snowflake itself issues and manages the refresh tokens. With External OAuth, the external authorization server (Azure AD, Okta, etc.) owns the refresh tokens, and Snowflake cannot configure their validity. In External OAuth deployments, token lifetimes are managed entirely on the IdP side.
Should I enable EXTERNAL_OAUTH_ANY_ROLE_MODE for External OAuth?
With EXTERNAL_OAUTH_ANY_ROLE_MODE = 'DISABLE' (the default), only roles that match a scope in the external OAuth token (in the form sn:role:ROLE_NAME) can be used. Setting it to ENABLE lets the user assume any role granted to their account. From a security standpoint, keeping it DISABLE and controlling roles via scopes is preferable, but consider ENABLE if you need flexible role switching. ENABLE_FOR_PRIVILEGE offers a middle ground that excludes ACCOUNTADMIN.
What OAUTH_CLIENT presets are available for Snowflake OAuth?
Snowflake provides presets for major BI tools such as TABLEAU_DESKTOP, TABLEAU_SERVER, and LOOKER. Presets automatically configure the redirect URI and client type. Specifying CUSTOM lets you set OAUTH_REDIRECT_URI and OAUTH_CLIENT_TYPE manually for any application. OAUTH_CLIENT_TYPE can be CONFIDENTIAL (server-side apps) or PUBLIC (SPAs and mobile apps), and must be set when OAUTH_CLIENT is CUSTOM.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...