Using OAuth

About OAuth

OAuth eliminates the need to store Snowflake user credentials in Salesforce. See this blog post for more details.

Using this method, a token is issued which allows Salesforce to access Snowflake as a particular user. The user's password does not need to be kept up-to-date, and access can be revoked from the Snowflake side if required.

Increase your Snowflake refresh token validity

By default, OAuth refresh tokens only last 90 days, which means the OAuth connection between Salesforce and Snowflake would need to be manually re-authenticated every 90 days.

To increase this to, for example, 5 years, you must log a ticket with Snowflake support and ask that the maximum OAUTH_REFRESH_TOKEN_VALIDITY for a SECURITY INTEGRATION be raised to 157784630 seconds.

Create a Snowflake Security Integration

To enable connections from Salesforce, a security integration must be created in your Snowflake account using the ACCOUNTADMIN role. The first statement creates the integration (the redirect URI is a placeholder that is replaced later in this guide); the second retrieves the client credentials it was issued:

create security integration SALESFORCE_CONNECT
  type = oauth
  enabled = true
  oauth_client = custom
  oauth_client_type = 'CONFIDENTIAL'
  oauth_redirect_uri = 'https://TBA'
  oauth_issue_refresh_tokens = true
  oauth_refresh_token_validity = 157784630;

select SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('SALESFORCE_CONNECT');

From the output of the second query, take a copy of the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET field values, as these will be required to configure Salesforce.
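The refresh-token exchange behind the integration just created, as an added example that is not part of the original page and not Omnata's, Salesforce's or Snowflake's own code. It reproduces the background refresh that the Salesforce Named Credential performs, so an engineer can confirm from a workstation that the raised OAUTH_REFRESH_TOKEN_VALIDITY actually took effect (a token minted before the change still reports roughly the 90-day default). Assumed rather than taken from the page: the token endpoint path /oauth/token-request with HTTP Basic client authentication, and the response fields access_token, expires_in, refresh_token and refresh_token_expires_in; the account name, client credentials and sample responses are constructed placeholders.

```python
"""Refresh-token exchange against a Snowflake custom OAuth integration.

Added example, not the page's or the vendor's code. Assumptions (not on
the page): endpoint path /oauth/token-request, Basic client auth, and the
response fields access_token, expires_in, refresh_token,
refresh_token_expires_in.
"""
import base64
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed placeholders; substitute the OAUTH_CLIENT_ID / OAUTH_CLIENT_SECRET
# values returned by SYSTEM$SHOW_OAUTH_CLIENT_SECRETS.
ACCOUNT = "myorg-myaccount"
CLIENT_ID = "CONSTRUCTED_CLIENT_ID"
CLIENT_SECRET = "CONSTRUCTED_CLIENT_SECRET"

DEFAULT_REFRESH_VALIDITY = 90 * 24 * 3600   # Snowflake default: 90 days
RAISED_REFRESH_VALIDITY = 157784630         # value set on the integration

# Constructed sample responses (not real tokens) for offline checking.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSE_DEFAULT = (b'{"access_token":"at-1","token_type":"Bearer","expires_in":600,'
                           b'"refresh_token":"rt-1","refresh_token_expires_in":7776000}')
SAMPLE_RESPONSE_RAISED = (b'{"access_token":"at-2","token_type":"Bearer","expires_in":600,'
                          b'"refresh_token":"rt-2","refresh_token_expires_in":157784630}')


def token_endpoint(account: str) -> str:
    return f"https://{account}.snowflakecomputing.com/oauth/token-request"


def build_refresh_request(account, client_id, client_secret, refresh_token):
    """Return (url, headers, body) for a refresh_token grant.

    The client secret travels only in the Basic header, never in the form
    body or the URL, so it does not land in request logs."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode()
    return token_endpoint(account), headers, body


def parse_token_response(raw: bytes, now: datetime) -> dict:
    """Convert the JSON token response into absolute expiry timestamps."""
    data = json.loads(raw)
    info = {
        "access_token": data["access_token"],
        "access_expires_at": now + timedelta(seconds=int(data["expires_in"])),
        "refresh_token": data.get("refresh_token"),
        "refresh_expires_at": None,
    }
    if "refresh_token_expires_in" in data:
        info["refresh_expires_at"] = now + timedelta(
            seconds=int(data["refresh_token_expires_in"]))
    return info


def refresh_validity_applied(refresh_token_expires_in: int,
                             expected: int = RAISED_REFRESH_VALIDITY,
                             tolerance: int = 3600) -> bool:
    """True when the issued refresh token reflects the raised validity.

    A token issued before the ALTER, or before support raised the account
    maximum, reports roughly DEFAULT_REFRESH_VALIDITY instead."""
    return abs(refresh_token_expires_in - expected) <= tolerance


def days_until_reauth(refresh_expires_at: Optional[datetime],
                      now: datetime) -> Optional[int]:
    """Days left before the Salesforce connection must be re-authenticated."""
    if refresh_expires_at is None:
        return None
    return max(0, (refresh_expires_at - now).days)


def do_refresh(refresh_token: str) -> dict:
    """Perform the exchange for real (network access to Snowflake required)."""
    url, headers, body = build_refresh_request(
        ACCOUNT, CLIENT_ID, CLIENT_SECRET, refresh_token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read(), datetime.now(timezone.utc))


if __name__ == "__main__":
    token = os.environ.get("SNOWFLAKE_REFRESH_TOKEN")
    if token:
        result = do_refresh(token)
        now = datetime.now(timezone.utc)
        print("re-authentication due in",
              days_until_reauth(result["refresh_expires_at"], now), "days")
```

Run it with a refresh token obtained from a completed authorization-code flow in the SNOWFLAKE_REFRESH_TOKEN environment variable; a `days_until_reauth` close to 90 after the ALTER means the new refresh token was issued under the old limit, and the Salesforce side needs to re-authenticate once more to pick up the five-year validity.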

Create Named Credentials

Back in Salesforce, we need to add Named Credentials for the OAuth Client to communicate with Snowflake. The following values can be used:

  • Label: Enter Snowflake_OAuth
  • Name: Enter Snowflake_OAuth
  • URL: Enter the URL of your Snowflake instance
  • Identity Type: Select "Named Principal"
  • Authentication Protocol: Select "Password Authentication"
  • Username: Enter the Client ID from your Snowflake Security Integration
  • Password: Enter the Client Secret from your Snowflake Security Integration

Create an Auth Provider

Then we add a new Auth Provider. When adding the Auth Provider, use the following values:

  • Provider Type: Select SnowflakeOAuth from the drop down list
  • Name: Enter Snowflake
  • URL Suffix: Enter Snowflake_Auth
  • Account Name: Enter the name of the Snowflake account, including the region/cloud name if applicable
  • Client ID: Enter the Client ID from your Snowflake Security Integration
  • OAuth Client Credentials Name: Enter Snowflake_OAuth to match the Named Credentials created above.
  • Redirect URI: Leave blank, we'll update it after creation
  • Execute Registration As: Click the magnifying glass icon and select your own User

After saving, copy the "Callback URL" value to the clipboard, then click Edit.

Then paste the value into the Redirect URI field and Save.

Update the Snowflake Security Integration

The Redirect URI must also be set on the Snowflake Security Integration. Go back to your Snowflake query editor and execute the following (after pasting in your Redirect URI):

ALTER SECURITY INTEGRATION SALESFORCE_CONNECT SET
  OAUTH_REDIRECT_URI = '<paste your redirect uri value here>';

Update the Snowflake connection Named Credentials to use OAuth

The Named Credentials you just created were to allow Salesforce and Snowflake to exchange token information.

The Omnata setup wizard automatically creates a set of Named Credentials named 'Snowflake', which must be updated to use OAuth instead of the default username/password auth.

Under "Setup", "Named Credentials", edit the named credential "Snowflake" and set:

  • Authentication Protocol: OAuth 2.0
  • Authentication Provider: Choose the SnowflakeOAuth Auth Provider created above

Click Save, and you should be redirected out to Snowflake for authentication.

Once the OAuth flow completes successfully, connections to Snowflake will use OAuth.