Skip to content

feat: add API key support for SPCS authentication #1244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

feat: add API key support for SPCS authentication #1244

wants to merge 2 commits into from

Conversation

@costrouc
Copy link
Member

@costrouc costrouc commented Oct 25, 2025
edited
Loading

Summary

Prior to recent changes on the Snowflake side, proxied authentication headers carried enough information for Connect running in Snowflake SPCS to identify users. With the move to OIDC, Connect servers no longer trust Snowflake headers for username identification. This requires users to provide both a Snowflake connection (for proxied authentication) and a Connect API key (for OIDC authentication).

Adds API key support for Snowflake SPCS (Snowpark Container Services) authentication due to changes in native application authentication using OIDC. Connect within the SPCS native application no longer relies on Snowflake headers to determine the user. You can think of the SPCS private key now only being used for proxied authentication to pass the request through and the api key is used by connect

Problem

SPCS deployments require a dual authentication model:

  • Snowflake tokens provide proxied authentication to reach the Connect server
  • API keys identify the user to the Connect server itself

Previously, connectSPCSUser() only handled Snowflake token authentication through the
snowflakeConnectionName parameter. The API key was not captured or transmitted,
preventing proper user identification by the Connect server.

Solution

  • Added apiKey as a required parameter to connectSPCSUser()
  • Updated authHeaders() to include the API key in the X-RSC-Authorization header when
    both snowflakeToken and apiKey are present
  • Store apiKey in account registration alongside snowflakeConnectionName
  • Updated documentation to explain the dual authentication model

This mirrors the authentication pattern implemented in
rsconnect-python#715.

Changes

  • R/http.R: Modified authHeaders() to add X-RSC-Authorization header for SPCS
  • R/accounts.R: Updated connectSPCSUser() and getSPCSAuthedUser() to accept and use
    API key
  • man/connectSPCSUser.Rd: Updated function documentation
  • tests/testthat/test-spcs.R: Added test coverage for API key handling
  • NEWS.md: Documented the breaking change

Breaking Change

connectSPCSUser() now requires an apiKey parameter. Existing code will need to
be updated:

# Before
connectSPCSUser(
  server = "my-spcs-server",
  snowflakeConnectionName = "my_connection"
)

# After
connectSPCSUser(
  server = "my-spcs-server",
  apiKey = "my-api-key",
  snowflakeConnectionName = "my_connection"
)

Testing

  • Added test for X-RSC-Authorization header inclusion
  • Added test for storing both apiKey and snowflakeConnectionName in account registration
  • All existing SPCS tests continue to pass

costrouc and others added 2 commits October 25, 2025 08:22
@costrouc @claude
Add API key support for SPCS authentication
dc0f919 
SPCS (Snowpark Container Services) deployments require a dual
authentication model:
- Snowflake tokens provide proxied authentication to reach the server
- API keys identify the user to the Connect server itself

Changes:
- Updated authHeaders() to include X-RSC-Authorization header when both
  snowflakeToken and apiKey are present
- Added apiKey parameter to connectSPCSUser() function
- Updated getSPCSAuthedUser() to accept and use apiKey
- Store apiKey in account registration alongside snowflakeConnectionName
- Updated function documentation to explain the dual authentication model
- Added comprehensive test coverage for API key handling

This aligns with updated Connect server requirements for Snowflake SPCS
deployments and mirrors the authentication pattern in rsconnect-python.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@costrouc @claude
Update NEWS.md for SPCS API key support
5882d55 
Document the addition of API key support for SPCS authentication,
including the breaking change to connectSPCSUser() which now requires
an apiKey parameter.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@costrouc
Copy link
Member Author

I will be testing this out on Monday

@costrouc
Copy link
Member Author

Related PR posit-dev/rsconnect-python#715

@costrouc costrouc marked this pull request as draft October 26, 2025 12:56
@aronatkins
Copy link
Contributor

To test, install this branch like:

remotes::install_github("costrouc/rsconnect", "feat-support-snowflake-spcs-oidc")

@aronatkins aronatkins mentioned this pull request Oct 28, 2025
Merged
@aronatkins
Copy link
Contributor

Replaced by #1248

@aronatkins aronatkins closed this Oct 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@costrouc @aronatkins