Azure SCIM Integration with Snowflake - use Azure AD OAuth Token

Aniss Chohra 0 Reputation points
2023-11-23T19:03:14.3966667+00:00

Hello,

We are working on a project where we have a WebApp in Azure on which some Python code is deployed. Users of our platform/project need to request an access token from this webapp (an application registration is associated with it; using the Azure CLI DefaultAzureCredential) to send API requests/calls to our code. The access token returned by our App Reg looks like the following:

{
  "aud": "WEBAPP-APP-REG-CLIENT-ID",
  "iss": "https://login.microsoftonline.com/TENANT_ID/v2.0",
  "iat": 1700764081,
  "nbf": 1700764081,
  "exp": 1700768440,
  "aio": "AIO",
  "azp": "AZURE-CLI_OBJECT_ID",
  "azpacr": "0",
  "name": "USER FULL NAME",
  "oid": "USER OBJECT/PRINCIPAL ID",
  "preferred_username": "USER EMAIL ADDRESS",
  "rh": "RH_VALUE",
  "roles": [
    "HTTPEndpoints.Use.All"
  ],
  "scp": "default_scope read",
  "sub": "SUB_VALUE",
  "tid": "TENANT_ID",
  "uti": "UTI_VALUE",
  "ver": "2.0"
}


The code of the client used to request this access token by the user is the following:

from azure.identity import DefaultAzureCredential

TENANT_ID = "TENANT_ID"
WEBAPP_APP_REG_CLIENT_ID = "WEBAPP-APP-REG-CLIENT-ID"

# `authority` is the login host only; the tenant is selected via tenant_id below
credential = DefaultAzureCredential(
    authority="login.microsoftonline.com",
    exclude_shared_token_cache_credential=True,
)
# Scope is the web app's App ID URI; the resulting token has aud = the web app
scope = f"api://{WEBAPP_APP_REG_CLIENT_ID}/.default"
# get_token takes scopes plus an optional tenant_id; there is no `logout` option
access_token = credential.get_token(scope, tenant_id=TENANT_ID).token

Now we want to add another application registration which will serve (with some Python connector code deployed on it) to send/execute SQL queries sent by the user to Snowflake and return the result of that query to the user. In other words, the user sends their SQL query in the body of the API call with the access token provided above as the Authorization header. Then, when the webapp authenticates this token, it will forward the request and the token to the connector app, which will use the user's access token to connect to Snowflake like the following:

import snowflake.connector

# The user's access token is passed straight through as the OAuth token
conn = snowflake.connector.connect(
    user='USER EMAIL ADDRESS',
    token=access_token,
    role='ROLE',
    account=account,
    warehouse=warehouse,
    database=database,
    authenticator='oauth',
    client_session_keep_alive=True,
    max_connection_pool=20,
)


However, this fails because, from our company's side, we have to go through SCIM integration to use users' tokens to connect directly to Snowflake. However, we have no idea, and it is confusing to us, how to pre-process the above access token with SCIM integration and send it to Snowflake. I do not know if it is even possible to re-use this access token and generate a new one using the SCIM protocol. I would really appreciate some guiding steps to achieve that if it is doable. Thanks.

Azure App Service
Microsoft Entra ID

1 answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
2023-11-24T05:55:46.8566667+00:00

Hi @Aniss Chohra,

Thanks for reaching out.

Based on the information you provided, it seems that you want to use SCIM integration to use user tokens to connect directly to Snowflake. However, it is not possible to pre-process the access token with SCIM integration and send it to Snowflake.

SCIM is a protocol used for user provisioning and deprovisioning. It is not used for authentication or authorization. In your case, you are already using Azure AD for authentication and authorization, and you have obtained an access token that can be used to access your web app.

You can create a new application registration in Azure AD for your Snowflake app and grant it the necessary permissions to access Snowflake. Then, you can use the access token obtained from your web app to authenticate the user and pass it to your Snowflake app.

In your Snowflake app, you can use the access token to authenticate the user and connect to Snowflake.

Reference - Configure Azure AD external OAuth for a Snowflake connection

Hope this will help.

Thanks,

Shweta
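The answer above points at Azure AD External OAuth for Snowflake. The practical consequence is that the token shown in the question is the wrong token for `authenticator='oauth'`: its `aud` is the web app's client ID and its `scp` is `default_scope read`, whereas Snowflake's External OAuth integration for Azure validates the audience against the Snowflake resource app registration and looks for a `session:role:<ROLE>` (or `session:role-any`) scope, then maps the user on a claim such as `upn`. The following is an added example, not code from the question, the answer, or Snowflake; it implements the claims check a connector app should run before forwarding a token, using constructed HS256 sample tokens so it runs offline. The Snowflake audience `api://SNOWFLAKE-APP-REG-CLIENT-ID`, the fallback to `preferred_username` when `upn` is absent, and the sample user and role are assumptions.

```python
"""Claims precondition check for handing an Azure AD token to
snowflake.connector.connect(authenticator='oauth'). Added example, not from
the original page. Signature verification is deliberately not done here: the
web app's auth middleware and Snowflake both verify against the tenant JWKS."""
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "TENANT_ID"
ISSUER_V2 = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
WEBAPP_AUDIENCE = "WEBAPP-APP-REG-CLIENT-ID"
# Assumption: the Application ID URI of the Snowflake OAuth resource app
# registration (the value placed in EXTERNAL_OAUTH_AUDIENCE_LIST).
SNOWFLAKE_AUDIENCE = "api://SNOWFLAKE-APP-REG-CLIENT-ID"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims: dict, key: bytes = b"example-key") -> str:
    """Constructed HS256 JWT for offline testing only. Real Azure AD tokens are
    RS256-signed by the tenant; a service must never accept HS256 from a client."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def unverified_claims(token: str) -> dict:
    """Decode the payload without checking the signature (routing decision only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_for_snowflake(token: str, snowflake_user: str, role: str, now=None):
    """Return (ok, problems) describing whether Snowflake would accept `token`."""
    c = unverified_claims(token)
    now = int(time.time()) if now is None else now
    problems = []
    if c.get("iss") != ISSUER_V2:
        problems.append(f"unexpected issuer {c.get('iss')!r}")
    aud = c.get("aud")
    if SNOWFLAKE_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} is not the Snowflake resource")
    scopes = c.get("scp", "").split()
    if f"session:role:{role}" not in scopes and "session:role-any" not in scopes:
        problems.append(f"scp {c.get('scp')!r} grants no session:role:{role} scope")
    # Assumption: the integration maps users on 'upn'; 'preferred_username' is
    # used as a fallback so a v2 token without 'upn' can still be judged.
    mapped_user = c.get("upn") or c.get("preferred_username")
    if not mapped_user or mapped_user.lower() != snowflake_user.lower():
        problems.append(f"token user {mapped_user!r} != Snowflake user {snowflake_user!r}")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return (not problems, problems)


def connect_kwargs(token, snowflake_user, role, account, now=None):
    """Arguments for snowflake.connector.connect, refusing tokens Snowflake
    would reject anyway so the failure is explained before the network call."""
    ok, problems = check_for_snowflake(token, snowflake_user, role, now)
    if not ok:
        raise ValueError("; ".join(problems))
    return {"user": snowflake_user, "token": token, "role": role,
            "account": account, "authenticator": "oauth"}


# Constructed sample claims: one mirroring the token in the question (issued for
# the web app) and one minted for the Snowflake audience with a role scope.
NOW = 1700764081
QUESTION_TOKEN = make_sample_token({
    "aud": WEBAPP_AUDIENCE, "iss": ISSUER_V2, "iat": NOW, "nbf": NOW,
    "exp": NOW + 3600, "preferred_username": "user@example.com",
    "scp": "default_scope read", "tid": TENANT_ID, "ver": "2.0",
})
SNOWFLAKE_TOKEN = make_sample_token({
    "aud": SNOWFLAKE_AUDIENCE, "iss": ISSUER_V2, "iat": NOW, "nbf": NOW,
    "exp": NOW + 3600, "upn": "user@example.com",
    "scp": "session:role:ANALYST", "tid": TENANT_ID, "ver": "2.0",
})

if __name__ == "__main__":
    print(check_for_snowflake(QUESTION_TOKEN, "user@example.com", "ANALYST", now=NOW))
    print(check_for_snowflake(SNOWFLAKE_TOKEN, "user@example.com", "ANALYST", now=NOW))
```

Run against the question's token shape, the check reports two problems (wrong audience, no `session:role:` scope); the token minted for the Snowflake audience passes. Obtaining such a token is the web app's job, not the client's: a confidential client exchanges the incoming user token with MSAL's on-behalf-of flow (`ConfidentialClientApplication.acquire_token_on_behalf_of`) for the scope `api://SNOWFLAKE-APP-REG-CLIENT-ID/session:role:ANALYST` (assumed values), and only the exchanged token is passed to `snowflake.connector.connect`. The Snowflake login name must equal the mapped claim value, which is where SCIM provisioning fits: it keeps the Snowflake user in existence and named correctly, but it never produces or transforms a token.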

