Feat support snowflake spcs OIDC #717
This commit is mainly meant as an example to complement changes in how we will be performing authentication within the Snowflake Posit Team Native Application. When / if that PR of work for OIDC goes through this will serve as a good example of how it can be supported. I think this PR also highlights the importance of OIDC device flow authentication which is supported in PPM https://packagemanager.rstudio.com/__docs__/admin/appendix//cli/rspm_login_sso.html which would again eliminate the need for an api key. I REALLY like how this package uses the snow command to generate the jwt used for snowflake ingress as this means our Posit libraries don't have to re-implement the snowflake authentication. Going to put this PR in draft and will contribute more after I share this with our team tomorrow at Standup.
This commit refines the Snowflake SPCS (Snowpark Container Services) OIDC authentication implementation to better align with existing codebase patterns and improve type safety.

Changes:
- Make SPCSConnectServer.api_key Optional[str] to match RSConnectServer
- Add comprehensive docstring to SPCSConnectServer class explaining SPCS deployment and authentication approach
- Reorder RSConnectExecutor server type detection to check for snowflake_connection_name first, as SPCS is more specific than generic Connect deployment
- Ensure api_key is passed to SPCSConnectServer in all instantiations (RSConnectExecutor.__init__ and validate_spcs_server)
- Add null check before setting X-RSC-Authorization header to fix type checking error
- Update all test cases in SPCSConnectServerTestCase to pass api_key parameter and verify it's set correctly

All SPCS-specific tests pass. The implementation now follows the established patterns for server authentication while maintaining backward compatibility.

🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Add changelog entry documenting the fix for Snowflake SPCS authentication to properly handle API keys and align with codebase patterns. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Additional changes needed:
rsconnect-python/rsconnect/metadata.py
Lines 350 to 357 in f06b8ee

```python
if api_key:
    target_data = dict(api_key=api_key, insecure=insecure, ca_cert=ca_data)
elif snowflake_connection_name:
    target_data = dict(snowflake_connection_name=snowflake_connection_name)
elif account_name:
    target_data = dict(account_name=account_name, token=token, secret=secret)
else:
    target_data = dict(token=token, secret=secret)
```

Additional changes needed:
rsconnect-python/rsconnect/main.py
Lines 587 to 595 in f06b8ee
Both changes have been made and I have been able to successfully deploy to SPCS-hosted Connect using a saved server configuration.
Moved to a branch within the repository to run tests so closed PR #715
Intent
Prior to recent changes on the Snowflake side, proxied authentication headers carried enough information for Connect running in Snowflake SPCS to identify users. With the move to OIDC, Connect servers no longer trust Snowflake headers for username identification. This requires users to provide both a Snowflake connection (for proxied authentication) and a Connect API key (for OIDC authentication).
This commit is how we will be performing authentication within the Snowflake Posit Team Native Application. This will serve as a good example of how it can be supported in the rsconnect* packages. Posit Connect supports alternate headers for authorization https://docs.posit.co/connect/admin/authentication/proxied/#api-use.
I think this PR also highlights the importance of OIDC device flow authentication which is supported in PPM
https://packagemanager.rstudio.com/__docs__/admin/appendix//cli/rspm_login_sso.html which would again eliminate the need for an api key which this PR reintroduces for SPCS.
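An added sketch, not code from this PR or from rsconnect-python, of the two-credential handling the description calls for: a saved SPCS server keeps both the Snowflake connection name and the Connect API key, and the key is sent in the alternate header only when one is set. The function names are hypothetical, the non-SPCS branches (token/secret, account_name) are omitted, and the header value formats are assumptions based on the Snowflake ingress and Posit Connect proxied-authentication documentation.

```python
from typing import Dict, Optional


def build_target_data(
    api_key: Optional[str] = None,
    snowflake_connection_name: Optional[str] = None,
    insecure: bool = False,
    ca_data: Optional[str] = None,
) -> Dict[str, object]:
    """Pick the fields to persist for a saved server (hypothetical helper).

    SPCS is checked first because it is the more specific case: it needs the
    Snowflake connection for ingress and, under OIDC, the Connect API key too.
    """
    if snowflake_connection_name:
        data: Dict[str, object] = dict(snowflake_connection_name=snowflake_connection_name)
        if api_key:
            data["api_key"] = api_key
        return data
    if api_key:
        return dict(api_key=api_key, insecure=insecure, ca_cert=ca_data)
    raise ValueError("no credentials supplied")


def spcs_headers(ingress_token: str, api_key: Optional[str]) -> Dict[str, str]:
    """Build request headers for Connect behind Snowflake ingress.

    Assumed formats: the ingress token occupies Authorization, so the
    Connect API key travels in the alternate X-RSC-Authorization header.
    """
    if not ingress_token:
        raise ValueError("Snowflake ingress token is required")
    headers = {"Authorization": f'Snowflake Token="{ingress_token}"'}
    if api_key:  # never emit "Key None" when no key is configured
        headers["X-RSC-Authorization"] = f"Key {api_key}"
    return headers


def redact(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of headers that is safe to log: credential values are masked."""
    secret = {"authorization", "x-rsc-authorization"}
    return {k: ("<redacted>" if k.lower() in secret else v) for k, v in headers.items()}
```
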