# Snowflake with External OAuth Setup ## verview This document provides an overview of how TrustLogix uses Snowflake External OAuth to secure access to our Snowflake data warehouse. It outlines the general process, supported Identity Providers (IdPs), and configuration guides. ### What is External OAuth External OAuth allows Snowflake to leverage an external, trusted Identity Provider (IdP) for user authentication and authorization. This enables a seamless Single Sign-On (SSO) experience for programmatic clients (like Azure AD or Okta) and aligns Snowflake access with TrustLogix's central identity and access management policies. ### Supported **OAuth Provider** TrustLogix supports external authorization servers, custom clients, and partner application integration, which are natively supported by Snowflake. Choose one of the supported providers:

Snoflake Doc	Snowflake Community Doc Link
Okta	Okta
Microsoft Entra ID	Microsoft Entra ID
Ping Identity PingFederate
External OAuth Custom Clients
Microsoft Power BI
Sigma

**Note**: We recommend consulting the official Snowflake documentation for the latest configuration details and prerequisites. ### Configuration Overview The external OAuth setup is a two-part process that establishes a trust relationship between your IdP provider and Snowflake. 1. Configure an App registration as OAuth client. 2. Request and decode the OAuth access token. 3. Create an External OAuth Security Integration in Snowflake 4. Verify the Access Token against the security integration. 5. Alter TrustLogix user in Snowflake 6. Register Snowflake account using the access token. #### Step 1: Configure an App registration as OAuth client. * Refer to the Snowflake official document to register IdP provider applications. * Get the below value from IdP. * OAuth token endpoint. * Application scope * Client ID * Client secret * Use the TrustLogix role in the application scope: Ex:- session:role:\ #### Step 2: Request and decode the OAuth access token. 1. Refer to the Snowflake official document to prepare the CURL command to request the access token using the client\_credentials grant. 2. **Decode the OAuth Access Token** 1. Copy the value of the **access\_token** and decode it on an online decoder of your choice (e.g. [jwt.ms](https://jwt.ms/)), it will provide the details present in the token. 2. Make sure the following attributes from the decoded token match the configuration in the external authorization server. * issuer * audience * roles #### Step 3: Create an External OAuth Security Integration in Snowflake Now configure the Snowflake account to trust and accept the access token generated in Step 2. * ISSUER * AUDIENCE * JWS\_KEY\_ENDPOINT > create security integration external\_oauth\_integration\ > type = external\_oauth\ > enabled = true\ > external\_oauth\_type = \\ > external\_oauth\_issuer = '\'\ > external\_oauth\_jws\_keys\_url = '\'\ > external\_oauth\_audience\_list = ('\')\ > external\_oauth\_token\_user\_mapping\_claim = 'sub'\ > external\_oauth\_snowflake\_user\_mapping\_attribute = 'login\_name'; #### Step 4: Verify the Access Token against the Security Integration Now that the security integration is created in Snowflake, it can accept or reject an access token issued from an OAuth provider client based on the configuration. Use the function [SYSTEM$VERIFY\_EXTERNAL\_OAUTH\_TOKEN](https://docs.snowflake.com/en/sql-reference/functions/system_verify_ext_oauth_token) to confirm whether your token will be accepted by the Snowflake account or not.

Verify Token query

``` SELECT SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsIm.......FTU5nctRpmaA'); ```

A successful validation would look like the below: > Token Validation finished. { "Validation Result":"Passed", "Issuer":"issuer endpoint/", "**Extracted User claim(s) from token**":"3d63xxxxxxxx0652895d" } Please note down the value get from the token validation response `Extracted User claim(s) from token` . We will use it in the next step. #### Step 5: Alter TrustLogix user in Snowflake Finally, alter the TrustLogix Snowflake user and use `Extracted User claim(s) from token` (the value from step 4 in LOGIN\_NAME). Ex: `ALTER USER TLX__CP_USER SET LOGIN_NAME = "3d63xxxxxxxx0652895d" TYPE = 'SERVICE'` #### Step 6: Register a Snowflake account using the access token. * Once the token validation is successful, we can register the Snowflake account in TrustLogix. * Enter all the details in the TrustLogix registration page, and click on save.
* ```

``` ## External OAuth Authentication Setup For **Customer-hosted TrustLet** Below are the additional steps required for Customer-hosted TrustLet or hybrid tenant. 1. Follow these steps mentioned above to create data plane user 1. Configure an App registration as the OAuth Resource server 2. Request and decode the OAuth access token. 3. Alter the External OAuth Security Integration created for the DP user 1. Run the describe command to check the audience list for the security integration created for the CP user. ``` desc security integration EXTERNAL_OAUTH_AZURE; ``` 2. Alter Security Integration to add audience for DP user(include all audience from output of the above command)

ALTER SECURITY INTEGRATION EXTERNAL_OAUTH_INTEGRATION
      SET EXTERNAL_OAUTH_AUDIENCE_LIST = ('<audience_1>', '<audience_2>', ...);

4. Verify the Access Token against the Security Integration 5. Alter TrustLogix user in Snowflake 2. Set following key and value * Trustlet is hosted on AWS ECS (Amazon Elastic Container Service) ``` tlx///role tlx///username tlx///jdbcurl tlx///warehouse tlx///clientSecret tlx///clientId tlx///scope tlx///tokenUrl ``` * Trustlet is hosted on Azure Kubernetes Service (AKS) ``` tlx---role tlx---username tlx---jdbcurl tlx---warehouse tlx---clientSecret tlx---clientId tlx---scope tlx---tokenUrl ``` > Please note that the value username (`tlx///username` or `tlx---username`) must match the `LOGIN_NAME` used in Step 5. For example: > > `tlx///username` = `672a90b3-xxxx-xxxx-xxxx-xxxx2f7befef` *** ## Final Steps to Confirm Setup After completing the configuration: * Create a **test policy** on a sample dataset. * Deploy the policy. * If the policy creation and deployment flow proceeds without errors (during database/schema selection and deployment), then the **External OAuth setup is successful**.