feat: Support Snowflake SPCS OIDC authentication with dual credentials #3215
Draft: costrouc wants to merge 5 commits into posit-dev:main from costrouc:feat-support-snowflake-spcs-oidc
Snowflake SPCS deployments with OIDC now require both a Snowflake connection name and a Connect API key for authentication. This change updates the credential validation logic and account authentication type detection to support this new requirement.
Changes:
- credentials.go: Updated validation to require both SnowflakeConnection and ApiKey for ServerTypeSnowflake credentials
- account.go: Modified AuthType() to prioritize Snowflake connection detection since it's the most specific case, and added documentation about the dual authentication requirement
This aligns with changes in Snowflake SPCS where proxied authentication headers no longer carry sufficient user identification information, necessitating the use of Connect API keys in addition to Snowflake tokens.
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Implements the authentication mechanism for Snowflake SPCS with OIDC support by sending both Snowflake tokens and Connect API keys in separate headers.
Changes:
- snowflake.go:
  - Added apiKey field to snowflakeAuthenticator struct
  - Updated NewSnowflakeAuthenticator to accept apiKey parameter
  - Modified AddAuthHeaders to set both Authorization (Snowflake token) and X-RSC-Authorization (Connect API key) headers
  - Enhanced documentation to explain the dual-header OIDC authentication
- auth.go:
  - Updated NewClientAuth to pass the API key when creating Snowflake authenticators
The Authorization header contains the Snowflake token for proxied authentication, while the X-RSC-Authorization header contains the Connect API key for OIDC authentication. This dual-header approach ensures proper authentication with Connect servers deployed in Snowflake SPCS.
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Updates all tests to reflect the new dual-credential requirement for Snowflake SPCS authentication with OIDC support.
Changes:
- snowflake_test.go:
  - Updated all NewSnowflakeAuthenticator calls to include API key parameter
  - Added assertions to verify API key is properly stored in authenticator
  - Enhanced TestAddAuthHeaders to verify both Authorization and X-RSC-Authorization headers are set correctly
  - Added test case for authenticator without API key to ensure the header is only set when an API key is provided
- file_test.go & keyring_test.go:
  - Updated Snowflake credential creation tests to include API key
  - Changed expected API key assertions from empty string to test API key
All tests pass, confirming that the OIDC authentication changes work correctly while maintaining backward compatibility.
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

… extension
Adds a new input step in the VSCode extension credential creation flow to prompt users for a Connect API key when creating Snowflake SPCS credentials.
Changes:
- Added INPUT_SNOWFLAKE_API_KEY step to the credential creation flow
- Implemented inputSnowflakeAPIKey() function that:
  - Prompts users for the Connect API key with password masking
  - Validates API key syntax using existing validation logic
  - Provides clear messaging about OIDC authentication requirements
- Updated isValidSnowflakeAuth() to require both snowflakeConnection and apiKey
- Modified inputSnowflakeConnection() to navigate to the API key input step before proceeding to credential naming
The new flow for Snowflake SPCS credentials is:
1. Enter server URL
2. Select Snowflake connection
3. Enter Connect API key (NEW)
4. Name the credential
This ensures users provide both authentication components needed for Snowflake SPCS deployments with OIDC authentication.
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Documents the Snowflake SPCS OIDC authentication changes in both the main repository and VSCode extension changelogs.
Changes:
- Added entries to "Unreleased > Fixed" sections explaining that Snowflake SPCS authentication now requires both a Snowflake connection name and a Connect API key
- Documented the dual-header authentication approach (Authorization for Snowflake token, X-RSC-Authorization for Connect API key)
- Explained the reason for the change: proxied authentication headers in Snowflake SPCS no longer carry sufficient user identification information with the move to OIDC
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

2f6d36c to bb0fc20

This PR still requires manual testing, which I will start on Monday.

Support Snowflake SPCS OIDC authentication with dual credentials
Intent
Adapts the Snowflake SPCS OIDC authentication changes from rsconnect-python#715 to the publisher repository.
Prior to recent changes on the Snowflake side, proxied authentication headers carried
enough information for Connect running in Snowflake SPCS to identify users. With the move
to OIDC, Connect servers no longer trust Snowflake headers for username identification.
This requires users to provide both a Snowflake connection (for proxied authentication)
and a Connect API key (for OIDC authentication).
Type of Change
Approach
The implementation follows the same pattern as rsconnect-python:
Backend (Go):
SnowflakeConnection and ApiKey for Snowflake SPCS credentials
- Authorization: Snowflake token (for proxied authentication)
- X-RSC-Authorization: Connect API key (for OIDC authentication)
specific case)
Frontend (VSCode Extension):
SPCS credentials
Credential Name
Trade-offs:
their credentials with a Connect API key
model
User Impact
Breaking Change for Snowflake SPCS Users:
Connect API key
Benefits:
headers
Automated Tests
snowflake_test.go to verify dual-header authentication
file_test.go and keyring_test.go to test credential validation with both fields
The tests verify:
Authorization and X-RSC-Authorization headers are set correctly
Directions for Reviewers
Backend Review:
- internal/credentials/credentials.go:274-278
- internal/api_client/auth/snowflake.go:72-88
- internal/api_client/auth/snowflake_test.go
Frontend Review:
- extensions/vscode/src/multiStepInputs/newConnectCredential.ts
Testing:
Run the authentication and credential tests:
go test ./internal/credentials/... ./internal/api_client/auth/... ./internal/accounts/... -v
Compare with rsconnect-python:
Checklist
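
The dual-header scheme and both-fields validation described in this pull request, as an added Go sketch that is not the project's code: the type and function names are hypothetical, and the header value formats (`Snowflake Token="..."` and `Key ...`) are assumptions, since the page names only the two headers. This sketch sets neither header when a credential is incomplete, and masks both headers before they reach a log.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Credential is a hypothetical stand-in for a stored Snowflake SPCS credential.
type Credential struct{ SnowflakeConnection, APIKey string }

// Validate enforces the dual-credential rule: both values must be present.
func (c Credential) Validate() error {
	if c.SnowflakeConnection == "" || c.APIKey == "" {
		return errors.New("SPCS credential needs both a Snowflake connection and a Connect API key")
	}
	return nil
}

// AddAuthHeaders sets both headers, or neither if the credential is incomplete.
// token is the Snowflake token already obtained for c.SnowflakeConnection.
// The header value formats are assumptions; the page names only the headers.
func AddAuthHeaders(h http.Header, c Credential, token string) error {
	if err := c.Validate(); err != nil {
		return err
	}
	h.Set("Authorization", `Snowflake Token="`+token+`"`) // proxied authentication
	h.Set("X-RSC-Authorization", "Key "+c.APIKey)         // Connect user identity
	return nil
}

// Redact returns a copy of h that is safe to log. A scrubber that masks only
// Authorization would leave the Connect API key in X-RSC-Authorization.
func Redact(h http.Header) http.Header {
	out := h.Clone()
	for _, name := range []string{"Authorization", "X-RSC-Authorization"} {
		if out.Get(name) != "" {
			out.Set(name, "[REDACTED]")
		}
	}
	return out
}

func main() {
	h := http.Header{} // constructed sample values below
	err := AddAuthHeaders(h, Credential{"spcs-conn", "constructed-key"}, "constructed-token")
	fmt.Println(err, Redact(h))
}
```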