3-legged OAuth 2.0 (3LO) prerequisites for the Snowflake connector in Jitterbit Integration Studio
Introduction
These are the prerequisites for using 3-legged OAuth 2.0 (3LO) with the Snowflake connector. You first create and configure a Snowflake OAuth security integration and then configure an app registration in the Management Console with the security integration.
Note
Agent version 10.83 / 11.21 or later is required to use 3-legged OAuth 2.0 authentication.
Create and configure a Snowflake OAuth security integration
Follow these steps to create and configure a Snowflake OAuth security integration:
- In the Snowflake interface, open a SQL worksheet or the Snowflake CLI, where you can run the commands below.
- To create the security integration, run the following command with the `OAUTH_REDIRECT_URI` and `OAUTH_CLIENT_RSA_PUBLIC_KEY` parameters modified based on your implementation:

  ```sql
  CREATE SECURITY INTEGRATION jitterbit_app
    TYPE = OAUTH
    ENABLED = TRUE
    OAUTH_CLIENT = CUSTOM
    OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
    OAUTH_REDIRECT_URI = 'https://apps.<region>.jitterbit.com/design-studio/api/v1/oauth/authcode'
    OAUTH_ISSUE_REFRESH_TOKENS = TRUE
    OAUTH_REFRESH_TOKEN_VALIDITY = 86400
    BLOCKED_ROLES_LIST = ('SYSADMIN')
    OAUTH_CLIENT_RSA_PUBLIC_KEY = 'ABCjkl123...';
  ```

  `OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'` means the Jitterbit client authenticates to the token endpoint with a client secret. `OAUTH_REFRESH_TOKEN_VALIDITY` is in seconds, so `86400` limits a refresh token to 24 hours; shorten it if your policy requires more frequent re-authorization. `BLOCKED_ROLES_LIST` adds to the roles Snowflake blocks by default (such as `ACCOUNTADMIN` and `SECURITYADMIN`); a blocked role can never be obtained through this integration.
- Set `OAUTH_REDIRECT_URI` to one of the following URLs (depending on your organization's region). The value must match the URL exactly, because Snowflake rejects an authorization request whose `redirect_uri` differs from the registered one:

  | Region | URL |
  | --- | --- |
  | APAC | https://apps.apac-southeast.jitterbit.com/design-studio/api/v1/oauth/authcode |
  | EMEA | https://apps.emea-west.jitterbit.com/design-studio/api/v1/oauth/authcode |
  | NA | https://apps.na-east.jitterbit.com/design-studio/api/v1/oauth/authcode |
- For information on RSA key-pairs and obtaining a public key, refer to the Snowflake Key-pair authentication and key-pair rotation documentation. Only the public key is stored in the integration; keep the matching private key with the client. For more information on the `CREATE SECURITY INTEGRATION` command, refer to the Snowflake CREATE SECURITY INTEGRATION (Snowflake OAuth) documentation.
- To add the Snowflake roles expected to interact with this integration, run the following command. This example uses `USERADMIN`, the role that is later entered as a scope when configuring the app registration in the Management Console:

  ```sql
  ALTER SECURITY INTEGRATION jitterbit_app SET PRE_AUTHORIZED_ROLES_LIST = ('USERADMIN');
  ```

  Important

  Roles set in the `PRE_AUTHORIZED_ROLES_LIST` must not be in the `BLOCKED_ROLES_LIST` defined for the security integration. Roles set in the `PRE_AUTHORIZED_ROLES_LIST` must also have sufficient privileges to interact with the necessary databases and schemas for activities to function as expected. Pre-authorizing a role also means users are not prompted to consent to that role during authorization, so list only the roles the integration actually needs.
For more information on Snowflake roles and access control, refer to the Snowflake Overview of Access Control.
- To obtain the client ID and client secret required for a valid app registration, run the following command:

  ```sql
  SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('jitterbit_app');
  ```

  The result is a JSON object containing `OAUTH_CLIENT_ID`, `OAUTH_CLIENT_SECRET`, and `OAUTH_CLIENT_SECRET_2`. Treat the secrets as credentials: enter them only in the app registration, not in project files or shared worksheets.
- To obtain the authorization and token request URLs required for a valid app registration, run the following command:

  ```sql
  DESCRIBE SECURITY INTEGRATION jitterbit_app;
  ```

  The `OAUTH_AUTHORIZATION_ENDPOINT` and `OAUTH_TOKEN_ENDPOINT` values are the authorization and token request URLs, respectively. You need these values to configure an app registration in the Management Console.
Configure an app registration in the Management Console
Follow these steps to configure required values for a Management Console private application app registration:
- Gather the required information from the Snowflake OAuth security integration configured above:
  - In the app registration's configuration, enter each role as a scope in code format, for example, `session:role:USERADMIN`. A role that is not in the integration's `PRE_AUTHORIZED_ROLES_LIST` requires the user to consent to it during authorization, and a role in the `BLOCKED_ROLES_LIST` is rejected.
  - Set the app's Authentication URL as `<snowflake_account_url>/oauth/authorize`. This value must match the `OAUTH_AUTHORIZATION_ENDPOINT` value.
  - Set the app's Access token URL and Refresh token URL as `<snowflake_account_url>/oauth/token-request`. These values must match the `OAUTH_TOKEN_ENDPOINT` value.

    Note

    `<snowflake_account_url>` must be a valid Snowflake account URL associated with your account, for example, `https://example-account123.snowflakecomputing.com`.

  - Go to Advanced options. In the Authentication request tab under Parameters, enter `response_type` as the Key and `code` as the Value. Then select Request URL from the Send in menu. This sends `response_type=code` as a query parameter of the authorization request, which is what the authorization code grant requires.

Once the private application is registered on the App Registrations page, it is available to be selected in the OAuth Application menu in the Snowflake connection.
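The two halves of this page, the Snowflake security integration and the Management Console app registration, configure the two ends of one authorization-code exchange. The following Python script is an added example, not code from Jitterbit or Snowflake, that models that exchange with the values the page fixes: the region redirect URIs, the `session:role:<ROLE>` scope format, `response_type=code` in the authorization request URL, and the `/oauth/authorize` and `/oauth/token-request` endpoints. The client ID, client secret, account URL and authorization code are constructed sample values. The `state` check is standard authorization-code-flow CSRF protection included in this model; whether the Management Console sends a `state` parameter is not stated on this page. The default-blocked role set is taken from Snowflake's documented defaults for `BLOCKED_ROLES_LIST`.

```python
"""Offline model of the Jitterbit <-> Snowflake 3-legged OAuth exchange.

All identifiers below (client ID, secret, account URL, codes) are constructed
sample values for illustration; none is a real credential.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Exact callback URLs from the region table; OAUTH_REDIRECT_URI must equal one of them.
JITTERBIT_REDIRECT_URIS = {
    "APAC": "https://apps.apac-southeast.jitterbit.com/design-studio/api/v1/oauth/authcode",
    "EMEA": "https://apps.emea-west.jitterbit.com/design-studio/api/v1/oauth/authcode",
    "NA": "https://apps.na-east.jitterbit.com/design-studio/api/v1/oauth/authcode",
}

# Roles Snowflake blocks by default, in addition to anything in BLOCKED_ROLES_LIST.
SNOWFLAKE_DEFAULT_BLOCKED = {"ACCOUNTADMIN", "SECURITYADMIN"}


def check_integration(redirect_uri, pre_authorized_roles, blocked_roles):
    """Return the problems that would stop the flow, mirroring the page's two rules:
    the redirect URI must be a Jitterbit region URL, and no pre-authorized role
    may also be blocked (explicitly or by Snowflake's defaults)."""
    problems = []
    if redirect_uri not in JITTERBIT_REDIRECT_URIS.values():
        problems.append(f"OAUTH_REDIRECT_URI {redirect_uri!r} is not a Jitterbit region callback URL")
    effective_blocked = {r.upper() for r in blocked_roles} | SNOWFLAKE_DEFAULT_BLOCKED
    for role in pre_authorized_roles:
        if role.upper() in effective_blocked:
            problems.append(f"role {role.upper()} is pre-authorized but also blocked")
    return problems


def scope_for_role(role):
    """Scope string entered in the app registration, e.g. session:role:USERADMIN."""
    return f"session:role:{role.upper()}"


def build_authorize_url(account_url, client_id, redirect_uri, role, state):
    """Authorization request the user's browser is sent to. response_type=code
    travels in the request URL, as the Advanced options step configures."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope_for_role(role),
        "state": state,
    }
    return f"{account_url.rstrip('/')}/oauth/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the Jitterbit
    callback URL. A state mismatch means the callback was not started by this
    session and is rejected (CSRF protection)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "code" not in query:
        raise ValueError(f"authorization failed: {query.get('error', ['unknown'])[0]}")
    return query["code"][0]


def build_token_request(account_url, client_id, client_secret, redirect_uri, code=None, refresh_token=None):
    """Token request for the initial code exchange or for a refresh. The client
    credentials go in an HTTP Basic header and the grant in a form body, so the
    secret never appears in a URL or log line."""
    if (code is None) == (refresh_token is None):
        raise ValueError("pass exactly one of code or refresh_token")
    if code is not None:
        body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    else:
        body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"}
    return f"{account_url.rstrip('/')}/oauth/token-request", headers, urlencode(body)


if __name__ == "__main__":
    account = "https://example-account123.snowflakecomputing.com"  # constructed sample
    redirect = JITTERBIT_REDIRECT_URIS["NA"]
    state = secrets.token_urlsafe(16)
    print(check_integration(redirect, ["USERADMIN"], ["SYSADMIN"]))  # []
    print(build_authorize_url(account, "client-id-123", redirect, "useradmin", state))
    code = parse_callback(f"{redirect}?code=AUTHCODE123&state={state}", state)
    url, headers, body = build_token_request(account, "client-id-123", "client-secret-xyz", redirect, code=code)
    print(url, body)
```

Running `check_integration` against the values you intend to put in `CREATE SECURITY INTEGRATION` catches the two misconfigurations this page warns about (a mistyped redirect URI and a role that is both pre-authorized and blocked) before they surface as an opaque failure in the connector's OAuth popup.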