
3-legged OAuth 2.0 (3LO) prerequisites for the Snowflake connector in Jitterbit Integration Studio

Introduction

These are the prerequisites for using 3-legged OAuth 2.0 (3LO) with the Snowflake connector. You first create and configure a Snowflake OAuth security integration, then create an app registration in the Management Console using the client credentials and endpoint URLs that the security integration reports.

Note

Agent version 10.83 / 11.21 or later is required to use 3-legged OAuth 2.0 authentication.

Create and configure a Snowflake OAuth security integration

Follow these steps to create and configure a Snowflake OAuth security integration:

  1. In the Snowflake interface, navigate to the Snowflake CLI.

  2. To create the security integration, run the following command, replacing the OAUTH_REDIRECT_URI and OAUTH_CLIENT_RSA_PUBLIC_KEY values with the ones for your implementation:

    CREATE SECURITY INTEGRATION jitterbit_app
      TYPE = OAUTH
      ENABLED = TRUE
      OAUTH_CLIENT = CUSTOM
      OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
      OAUTH_REDIRECT_URI = 'https://apps.<region>.jitterbit.com/design-studio/api/v1/oauth/authcode'
      OAUTH_ISSUE_REFRESH_TOKENS = TRUE
      OAUTH_REFRESH_TOKEN_VALIDITY = 86400
      BLOCKED_ROLES_LIST = ('SYSADMIN')
      OAUTH_CLIENT_RSA_PUBLIC_KEY ='ABCjkl123...';
    
    • Set OAUTH_REDIRECT_URI to the URL for your organization's region. Snowflake compares the redirect_uri sent in each authorization request against this value, so it must match exactly:

      Region   URL
      APAC     https://apps.apac-southeast.jitterbit.com/design-studio/api/v1/oauth/authcode
      EMEA     https://apps.emea-west.jitterbit.com/design-studio/api/v1/oauth/authcode
      NA       https://apps.na-east.jitterbit.com/design-studio/api/v1/oauth/authcode
    • OAUTH_REFRESH_TOKEN_VALIDITY is in seconds; 86400 is 24 hours.
    • BLOCKED_ROLES_LIST adds to the roles Snowflake already blocks for OAuth by default (ACCOUNTADMIN and SECURITYADMIN).
    • For information on RSA key-pairs and obtaining a public key, refer to the Snowflake Key-pair authentication and key-pair rotation documentation.

    For more information on the CREATE SECURITY INTEGRATION command, refer to the Snowflake CREATE SECURITY INTEGRATION (Snowflake OAuth) documentation.

  3. To add the Snowflake roles expected to interact with this integration, run the following command. This example pre-authorizes USERADMIN, the role that is later entered as a scope when configuring the app registration in the Management Console:

    Important

    Roles set in the PRE_AUTHORIZED_ROLES_LIST must not be in the BLOCKED_ROLES_LIST defined for the security integration. Roles set in the PRE_AUTHORIZED_ROLES_LIST must also have sufficient privileges to interact with the necessary databases and schemas for activities to function as expected.

    ALTER SECURITY INTEGRATION jitterbit_app SET PRE_AUTHORIZED_ROLES_LIST = ('USERADMIN');
    

    For more information on Snowflake roles and access control, refer to the Snowflake Overview of Access Control.

  4. To obtain the client ID and client secret required for a valid app registration, run the following command. It returns a JSON object containing OAUTH_CLIENT_ID and two client secrets, OAUTH_CLIENT_SECRET and OAUTH_CLIENT_SECRET_2 (both are valid, so one can be rotated while the other stays in use). Treat the output as a credential and store it only in the Management Console app registration:

    select system$show_oauth_client_secrets('jitterbit_app');
    
  5. To obtain the authorization and token request URLs required for a valid app registration, run the following command:

    DESCRIBE SECURITY INTEGRATION jitterbit_app;
    

    The OAUTH_AUTHORIZATION_ENDPOINT and OAUTH_TOKEN_ENDPOINT values are the authorization and token request URLs, respectively. You need these values to configure an app registration in the Management Console.
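The following is an added example, not Jitterbit's or Snowflake's own code, that checks the values gathered in steps 2 through 5 against the app registration you are about to create: the redirect URI for the chosen region, the roles requested as scopes versus PRE_AUTHORIZED_ROLES_LIST and BLOCKED_ROLES_LIST, and the endpoint URLs versus what DESCRIBE reports. SAMPLE_DESCRIBE_ROWS is constructed sample data in the shape DESCRIBE SECURITY INTEGRATION returns (property, property_type, property_value, property_default), and the account URL is a placeholder.

```python
"""Pre-flight check of a Snowflake OAuth security integration against the
values that will be entered in the Jitterbit app registration.

Added example, not Jitterbit's or Snowflake's own code. SAMPLE_DESCRIBE_ROWS
is constructed data in the shape DESCRIBE SECURITY INTEGRATION returns
(property, property_type, property_value, property_default).
"""
from urllib.parse import urlparse

# Per-region redirect URIs from the table above (must equal OAUTH_REDIRECT_URI exactly).
REGION_REDIRECT_URIS = {
    "APAC": "https://apps.apac-southeast.jitterbit.com/design-studio/api/v1/oauth/authcode",
    "EMEA": "https://apps.emea-west.jitterbit.com/design-studio/api/v1/oauth/authcode",
    "NA": "https://apps.na-east.jitterbit.com/design-studio/api/v1/oauth/authcode",
}

ACCOUNT_URL = "https://example-account123.snowflakecomputing.com"  # constructed placeholder

# Constructed sample of DESCRIBE SECURITY INTEGRATION jitterbit_app output.
SAMPLE_DESCRIBE_ROWS = [
    ("ENABLED", "Boolean", "true", "false"),
    ("OAUTH_CLIENT_TYPE", "String", "CONFIDENTIAL", "CONFIDENTIAL"),
    ("OAUTH_REDIRECT_URI", "String", REGION_REDIRECT_URIS["NA"], ""),
    ("OAUTH_ISSUE_REFRESH_TOKENS", "Boolean", "true", "true"),
    ("OAUTH_REFRESH_TOKEN_VALIDITY", "Integer", "86400", "7776000"),
    ("PRE_AUTHORIZED_ROLES_LIST", "List", "USERADMIN", ""),
    ("BLOCKED_ROLES_LIST", "List", "ACCOUNTADMIN,SECURITYADMIN,SYSADMIN", "ACCOUNTADMIN,SECURITYADMIN"),
    ("OAUTH_AUTHORIZATION_ENDPOINT", "String", ACCOUNT_URL + "/oauth/authorize", ""),
    ("OAUTH_TOKEN_ENDPOINT", "String", ACCOUNT_URL + "/oauth/token-request", ""),
]

SCOPE_PREFIX = "session:role:"


def describe_to_dict(rows):
    """Collapse DESCRIBE rows to {property: property_value}."""
    return {prop: value for prop, _type, value, _default in rows}


def parse_role_list(value):
    """Snowflake reports list properties as a comma-separated string."""
    return {r.strip().upper() for r in value.split(",") if r.strip()}


def role_from_scope(scope):
    """Each app-registration scope is 'session:role:<ROLE>'."""
    if not scope.startswith(SCOPE_PREFIX):
        raise ValueError(f"scope {scope!r} is not of the form {SCOPE_PREFIX}<ROLE>")
    return scope[len(SCOPE_PREFIX):].upper()


def check_app_registration(describe_rows, region, scopes, auth_url, token_url, refresh_url):
    """Return a list of problems; an empty list means the planned registration
    is consistent with the security integration."""
    props = describe_to_dict(describe_rows)
    problems = []

    if props.get("ENABLED", "").lower() != "true":
        problems.append("integration is not ENABLED")
    if props.get("OAUTH_CLIENT_TYPE") != "CONFIDENTIAL":
        problems.append("OAUTH_CLIENT_TYPE must be CONFIDENTIAL for a client that holds a secret")

    expected_redirect = REGION_REDIRECT_URIS[region]
    if props.get("OAUTH_REDIRECT_URI") != expected_redirect:
        problems.append(f"OAUTH_REDIRECT_URI does not equal the {region} redirect URI {expected_redirect}")

    pre_authorized = parse_role_list(props.get("PRE_AUTHORIZED_ROLES_LIST", ""))
    blocked = parse_role_list(props.get("BLOCKED_ROLES_LIST", ""))
    for scope in scopes:
        role = role_from_scope(scope)
        if role in blocked:
            problems.append(f"{role} is in BLOCKED_ROLES_LIST and cannot be requested")
        elif role not in pre_authorized:
            problems.append(f"{role} is not in PRE_AUTHORIZED_ROLES_LIST; users will be asked to consent")

    # The URLs typed into the Management Console must equal what Snowflake reports.
    if auth_url != props.get("OAUTH_AUTHORIZATION_ENDPOINT"):
        problems.append("Authentication URL does not equal OAUTH_AUTHORIZATION_ENDPOINT")
    if token_url != props.get("OAUTH_TOKEN_ENDPOINT"):
        problems.append("Access token URL does not equal OAUTH_TOKEN_ENDPOINT")
    if refresh_url != props.get("OAUTH_TOKEN_ENDPOINT"):
        problems.append("Refresh token URL does not equal OAUTH_TOKEN_ENDPOINT")
    if props.get("OAUTH_ISSUE_REFRESH_TOKENS", "").lower() != "true":
        problems.append("OAUTH_ISSUE_REFRESH_TOKENS is false; the refresh token URL will never be used")
    for label, url in (("Authentication", auth_url), ("Access token", token_url)):
        if urlparse(url).scheme != "https":
            problems.append(f"{label} URL is not https")
    return problems
```

Run it with the real DESCRIBE output pasted into SAMPLE_DESCRIBE_ROWS; an empty list means the values entered in the Management Console will line up with the integration, and each non-empty entry names the mismatch to fix before attempting the first authorization.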

Configure an app registration in the Management Console

Follow these steps to configure required values for a Management Console private application app registration:

  1. Gather the required information from the Snowflake OAuth security integration configured above:

    • Authorized roles used in step 3. For example, USERADMIN.
    • Client ID and client secret obtained in step 4.
    • Authorization URL obtained in step 5 (OAUTH_AUTHORIZATION_ENDPOINT).
    • Access token URL and refresh token URL obtained in step 5 (OAUTH_TOKEN_ENDPOINT).
  2. In the app registration's configuration, enter each role as a scope in code format, for example, session:role:USERADMIN.

  3. Set the app's Authentication URL to <snowflake_account_url>/oauth/authorize. This value must match the OAUTH_AUTHORIZATION_ENDPOINT value.

  4. Set the app's Access token URL and Refresh token URL to <snowflake_account_url>/oauth/token-request. Snowflake serves both the authorization code exchange and refresh-token grants from this one endpoint, so both values must match the OAUTH_TOKEN_ENDPOINT value.

    Note

    <snowflake_account_url> must be a valid Snowflake account URL associated with your account. For example, https://example-account123.snowflakecomputing.com.

  5. Go to Advanced options.

    In the Authentication request tab under Parameters, enter response_type as the Key and code as the Value. Then select Request URL from the Send in menu.

Once the private application is registered on the App Registrations page, it is available to be selected in the OAuth Application menu in the Snowflake connection.
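The exchange that this app registration drives, as an added example that is not Jitterbit's or Snowflake's own code: the client side builds the authorization request (response_type=code in the request URL, the role as a session:role scope, the exact redirect URI), validates the callback's state, and calls the single token endpoint for both the code exchange and the refresh. The Snowflake side is a small in-process stand-in so the flow runs offline; it enforces the checks any conforming authorization server makes (exact redirect_uri match, client authentication, single-use codes), not the full behaviour of Snowflake's endpoints. The account URL, client ID, client secret and all tokens are constructed values.

```python
"""The 3-legged OAuth exchange the app registration drives, with the Snowflake
side simulated in-process. Added example; all identifiers are constructed."""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ACCOUNT_URL = "https://example-account123.snowflakecomputing.com"  # constructed
AUTH_URL = ACCOUNT_URL + "/oauth/authorize"        # OAUTH_AUTHORIZATION_ENDPOINT
TOKEN_URL = ACCOUNT_URL + "/oauth/token-request"   # OAUTH_TOKEN_ENDPOINT
REDIRECT_URI = "https://apps.na-east.jitterbit.com/design-studio/api/v1/oauth/authcode"
CLIENT_ID = "jitterbit-client-id"          # constructed; real value from SYSTEM$SHOW_OAUTH_CLIENT_SECRETS
CLIENT_SECRET = "jitterbit-client-secret"  # constructed; likewise
SCOPES = ("session:role:USERADMIN",)


def build_authorization_url(state, scopes=SCOPES):
    """Client leg 1: response_type=code rides in the request URL, as set under
    Advanced options; state ties the later callback to this browser session."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes), "state": state}
    return AUTH_URL + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Client leg 2: refuse a callback whose state we did not issue."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state") != [expected_state]:
        raise PermissionError("state mismatch: callback not tied to our request")
    return q["code"][0]


def token_request(form):
    """Client leg 3: a CONFIDENTIAL client authenticates with HTTP Basic."""
    cred = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + cred,
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, form


class FakeSnowflakeOAuth:
    """Stand-in for the authorization and token endpoints (constructed, not Snowflake)."""

    def __init__(self):
        self._codes = {}    # code -> {"redirect_uri", "scope"}
        self._refresh = {}  # refresh_token -> scope

    def authorize(self, url):
        """User signs in; a pre-authorized role needs no consent screen.
        Returns the redirect that sends the code back to the client."""
        q = parse_qs(urlparse(url).query)
        if q.get("response_type") != ["code"]:
            raise PermissionError("unsupported_response_type")
        if q.get("client_id") != [CLIENT_ID]:
            raise PermissionError("invalid_client")
        if q.get("redirect_uri") != [REDIRECT_URI]:  # must equal OAUTH_REDIRECT_URI exactly
            raise PermissionError("invalid_request: redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"redirect_uri": REDIRECT_URI, "scope": q.get("scope", [""])[0]}
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q.get("state", [""])[0]})

    def token(self, url, headers, form):
        """One endpoint serves both grants, which is why the Access token URL and
        Refresh token URL in the Management Console are the same value."""
        if url != TOKEN_URL:
            raise PermissionError("wrong endpoint")
        expected = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        if not secrets.compare_digest(headers.get("Authorization", ""), expected):
            raise PermissionError("invalid_client")
        grant = form.get("grant_type")
        if grant == "authorization_code":
            entry = self._codes.pop(form.get("code"), None)  # codes are single use
            if entry is None or entry["redirect_uri"] != form.get("redirect_uri"):
                raise PermissionError("invalid_grant")
            scope = entry["scope"]
            refresh = secrets.token_urlsafe(32)
            self._refresh[refresh] = scope
        elif grant == "refresh_token":
            refresh = form.get("refresh_token")
            scope = self._refresh.get(refresh)
            if scope is None:  # unknown or expired (OAUTH_REFRESH_TOKEN_VALIDITY) token
                raise PermissionError("invalid_grant")
        else:
            raise PermissionError("unsupported_grant_type")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 600, "refresh_token": refresh, "scope": scope}


def run_flow(server):
    """Drive the whole exchange; returns the initial and refreshed token responses."""
    state = secrets.token_urlsafe(16)
    callback = server.authorize(build_authorization_url(state))
    code = handle_callback(callback, state)
    tokens = server.token(*token_request({"grant_type": "authorization_code",
                                          "code": code, "redirect_uri": REDIRECT_URI}))
    refreshed = server.token(*token_request({"grant_type": "refresh_token",
                                             "refresh_token": tokens["refresh_token"]}))
    return tokens, refreshed
```

The two failure modes worth knowing when the connection refuses to authorize are visible here: a redirect_uri that differs from OAUTH_REDIRECT_URI by even one character is rejected at the authorization endpoint before any code is issued, and a client secret that does not match what SYSTEM$SHOW_OAUTH_CLIENT_SECRETS reported is rejected at the token endpoint after the user has already signed in.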