Configure Auth0 for a Snowflake connection
Learn how to configure Auth0 for a Snowflake connection.
Steps to retrieve OAuth details from the Auth0 application
- Sign in to Auth0 and create an Auth0 application.
  - Navigate to the Applications section in the Auth0 dashboard.
  - Under Application type, choose Regular Web Application.
  - Under Application technology, choose Java.
- Gather the basic credentials. Under the application's Settings tab, collect the following information:
  - Client ID
  - Client Secret
  - Issuer, or domain. It will be in the format https://<domain>/. Keep the trailing slash: this exact string is the iss claim in the tokens Auth0 issues, and it must be entered verbatim as EXTERNAL_OAUTH_ISSUER in the Snowflake security integration.
- Locate the OAuth endpoints. Navigate to the Endpoints tab under Advanced Settings and note the following URLs:
  - OAuth Authorization URL
  - OAuth Token URL
  - JSON Web Key Set (JWKS) URL
Create an API in Auth0 and configure permissions
- Go to the APIs section in the Auth0 dashboard and select Create API.
- Provide a Name and an Identifier. The identifier is used as the aud (audience) claim in access tokens and must match the value set for EXTERNAL_OAUTH_AUDIENCE_LIST in your Snowflake security integration.
- After creating the API, navigate to the Permissions tab and add the following scope: session:role-any. This scope allows the authenticated user to activate any Snowflake role that has been granted to their Snowflake user; it does not grant roles by itself.
Create a user in Auth0 and assign permissions
- Create a user in Auth0.
  - Go to the Auth0 dashboard and navigate to Users under User management.
  - Click Create User.
  - Fill in the following user details:
    - Email
    - Password
  - Choose the connection (for example, username-password-authentication).
  - Click Create.
- Navigate to the Permissions tab.
  - Click Add Permissions and select the API you created for Snowflake.
  - Confirm the scope: session:role-any.
Create an Action that adds a custom claim and the requested scopes to the token
- Navigate to Actions and select Build a New Action under Library.
  - Add a name, for example, Add custom claim and scopes.
  - Set the trigger as Post Login.
  - Paste the following script:

        exports.onExecutePostLogin = async (event, api) => {
          // Copy every scope from the authorization request into the access token.
          // This does not check that the user holds the permission in Auth0; with
          // EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE' in the Snowflake integration,
          // Snowflake still limits the session to roles granted to the Snowflake user.
          const scopes = (event.request.query.scope || '').split(' ');
          for (const scope of scopes) {
            if (scope) {
              api.accessToken.addScope(scope);
            }
          }
          // Set the upn claim to the value Snowflake matches against LOGIN_NAME.
          // For a database connection, user.name defaults to the email address;
          // use user.email instead if your connection populates name differently.
          const user = event.user;
          api.idToken.setCustomClaim('upn', user.name);
          api.accessToken.setCustomClaim('upn', user.name);
        };

    This script adds a custom claim (upn) to both the ID token and the access token, and adds every scope present in the authorization request (for example, session:role-any) to the access token so that Snowflake can read it from the scope claim.
- To deploy the action, click Deploy and Attach to Post Login Flow.
Create security integration in Snowflake
- Create the security integration in Snowflake using the following statement. Use the Issuer (including the trailing slash), the API Identifier, and the JWKS URL you collected from Auth0:

        CREATE OR REPLACE SECURITY INTEGRATION <Integration name>
          TYPE = EXTERNAL_OAUTH
          ENABLED = TRUE
          EXTERNAL_OAUTH_TYPE = CUSTOM
          EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE'
          EXTERNAL_OAUTH_ISSUER = '<Issuer>'
          EXTERNAL_OAUTH_AUDIENCE_LIST = ('<audience>')
          EXTERNAL_OAUTH_JWS_KEYS_URL = '<jws-key-json-url>'
          EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
          EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name'
          EXTERNAL_OAUTH_SCOPE_DELIMITER = ' '
          EXTERNAL_OAUTH_SCOPE_MAPPING_ATTRIBUTE = 'scope';

    EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn' tells Snowflake to read the custom claim the Action sets, and EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name' tells it to match that value against the LOGIN_NAME of a Snowflake user.
Create a user in Snowflake
- Create the user in Snowflake using the following. The user must have a default role that has been granted to it and a default warehouse:

        CREATE OR REPLACE USER "<email>"
          COMMENT = 'auth0'
          DEFAULT_ROLE = DEV
          DEFAULT_WAREHOUSE = '<warehouse>'
          MUST_CHANGE_PASSWORD = FALSE
          LOGIN_NAME = '<email>';
        GRANT ROLE DEV TO USER "<email>";

    Because the integration maps the token's upn claim to login_name, LOGIN_NAME must be exactly the value the Action writes into upn, which is the Auth0 user's name (the email address for a database connection). If the values differ, Snowflake rejects the token even though its signature and audience are valid.
Create the connection in ThoughtSpot
- Navigate to ThoughtSpot's Data workspace tab, select + Create new, and click Connection.
- Select Snowflake as the type and click Next.
- Select External OAuth as the authentication type and fill out all fields.
- Under Advanced Config, fill in the following key-value pair:
  - Key: appendToAuthURL
  - Value: audience=<audience>
  Use the API Identifier of the Auth0 API you created. This appends audience=<audience> to the authorization request; without it, Auth0 issues an opaque access token for the /userinfo endpoint instead of a JWT for your API, and Snowflake cannot validate it.
- Create the Connection.