Description
What is the current behavior?
Currently, when trying to use `authenticator="OAUTH_CLIENT_CREDENTIALS"`, the implementation (in class `AuthByOauthCredentials`) sends the client secret in basic auth.
Unfortunately, however, our oauth server accepts them only in the request body. So the HTTP request currently made by snowflake-connector-python is rejected by the oauth server and retrieving an access token fails.
While I'm aware the server should accept the basic auth, I cannot easily change the server behavior and we need some form of solution to make the snowflake client work with our oauth implementation.
What is the desired behavior?
We need compatibility between snowflake-connector-python and oauth servers that require the client credentials in the HTTP request body. I can think of two solutions:
1. support sending the client secret in the request body; this would solve our immediate issue
2. make a more generic change to allow overriding authentication and e.g. allow the `auth_class` argument of `connect` to be classes other than built-in auth classes or subclasses of `AuthByKeyPair`, which is the current restriction. For example, also allow (customized) subclasses of built-in classes such as `AuthByOauthCredentials`. This would not only address this issue but potential similar auth-related (compatibility) issues in the future without changing snowflake-connector-python each time.
For 1., the required change would be to these lines of `AuthByOauthCredentials._request_tokens`, which would need to change the `fields` definition to:

```python
fields = {
    "grant_type": "client_credentials",
    "scope": self._scope,
    "client_id": self._client_id,
    "client_secret": self._client_secret,
}
```
This is enough to make it work with our OAuth server. One option could be to include these extra fields conditionally based on a new option (e.g. `oauth_token_request_mode` or similar). I have created and linked a draft PR to show how this could work. Note that this PR is not complete and (at the very least) still requires tests.
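As an added example (not the connector's code, nor the linked draft PR), the following builds the `client_credentials` token request in both forms described above: the connector's current HTTP Basic form and the request-body form that this issue asks for. RFC 6749 section 2.3.1 names these `client_secret_basic` and `client_secret_post`; the option name `oauth_token_request_mode`, its values `basic`/`post`, the function names and the sample values are all assumptions for illustration. It also shows the one practical difference a defender cares about: in body mode the secret sits in the form payload, so any request/debug logging must mask it rather than dump the body.

```python
import base64
from urllib.parse import parse_qsl, quote, urlencode

# Hypothetical option name, mirroring the suggestion in the issue text.
MODE_BASIC = "basic"   # client_secret_basic: secret in Authorization header
MODE_POST = "post"     # client_secret_post: secret in the urlencoded body


def build_token_request(token_url, client_id, client_secret, scope,
                        oauth_token_request_mode=MODE_BASIC):
    """Return (url, headers, body) for a client_credentials token request.

    The request is only constructed, not sent, so this runs offline.
    Either form must be sent over TLS; the body form additionally puts the
    secret where proxies and request loggers can see it in plain form.
    """
    fields = {"grant_type": "client_credentials", "scope": scope}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if oauth_token_request_mode == MODE_BASIC:
        # RFC 6749 2.3.1: client_id and client_secret are each
        # form-urlencoded, joined with ':' and then base64-encoded.
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        token = base64.b64encode(cred.encode("ascii")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    elif oauth_token_request_mode == MODE_POST:
        # Same change the issue proposes for the `fields` dict.
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    else:
        raise ValueError(
            f"unknown oauth_token_request_mode: {oauth_token_request_mode!r}")

    return token_url, headers, urlencode(fields)


def redact_for_log(headers, body):
    """Copy of a token request that is safe to write to a debug log.

    Masks the Basic credential and the client_secret body field so that
    switching to body mode does not start leaking the secret into logs.
    """
    safe_headers = dict(headers)
    if "Authorization" in safe_headers:
        safe_headers["Authorization"] = "Basic REDACTED"
    pairs = parse_qsl(body, keep_blank_values=True)
    safe_body = urlencode(
        [(k, "REDACTED" if k == "client_secret" else v) for k, v in pairs])
    return safe_headers, safe_body


if __name__ == "__main__":
    # Constructed sample values; not real credentials or endpoints.
    for mode in (MODE_BASIC, MODE_POST):
        url, hdrs, body = build_token_request(
            "https://oauth.example.invalid/token", "cid", "s3cret",
            "session:role:EXAMPLE_ROLE", mode)
        print(mode, "->", redact_for_log(hdrs, body))
```

The redaction step is the part worth keeping whatever option the connector adopts: a connector that already logs outgoing requests at debug level would start writing the secret to disk the moment it moves into the body, and `redact_for_log` is the kind of guard that should accompany that change.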
How would this improve snowflake-connector-python?
Broader oauth compatibility.
References and other background
We are forced by snowflake to move away from username/password for snowflake service users. Our company chose to move to oauth (and not e.g. use key pairs) to limit the number of authentication methods (across different services, where snowflake is only one of these). Oauth compatibility should be improved accordingly to make this move smoother.