
Earlier this year, Snowflake announced plans to block single-factor authentication. Due to client feedback regarding the complexity of migrating all authentications in the original timeline, Snowflake have extended the final enforcement date to October 2026. If you are still using individual username-password authentication, this blog series is here to help you migrate in time!

What does enforcement look like? Once the deadline is enforced, BI developers won’t be able to use their personal Snowflake login credentials when developing in BI tools, even if they have MFA enabled, and will see errors like this:


A screenshot of the Unable to connect error in PowerBI.


You now have three options to authenticate your BI tools (maybe fewer depending on your BI tool of choice): OAuth, RSA key pairs, or PAT tokens. In this blog series, we will explore these three connection options for some of the most popular BI tools.

Looking for Programmatic Access Tokens (PAT) or RSA? Check out our other blogs:

  • Breaking Up with Single-Factor: A Guide to connecting your BI Tools to Snowflake using Programmatic Access Tokens
  • Breaking Up with Single-Factor: A Guide to connecting your BI Tools to Snowflake using RSA Key-Pairs

What is OAuth?

Setting up OAuth in Snowflake

Using OAuth in your BI tool

How to use OAuth in Tableau

How to use OAuth in PowerBI

How to use OAuth in Sigma

How to use OAuth in Omni

How to use OAuth in Domo

How to use OAuth in Looker

What is OAuth?

OAuth is an authorization protocol designed to allow a website or application (like your BI tool) to access resources hosted by other web apps (like Snowflake). It allows users to grant third-party services access to data without exposing their credentials.

Connections authenticated with OAuth allow your users to read data and use write-back features like input tables, warehouse views, materializations, and CSV uploads with their own individual credentials instead of a service account, which may be desirable for certain data governance use cases.

Depending on your BI tool, you will have to do one of the following:

    • Tableau Desktop, Cloud, as well as Tableau Server versions 2023.3 and older.
    • Looker
    • Domo
    • Sigma
    • PowerBI
    • Tableau Server versions 2024.2 and beyond.

Setting up OAuth in Snowflake

To create a Snowflake connection to any BI tool using OAuth, you must set up the OAuth integration in Snowflake. This requires a Snowflake user account with ACCOUNTADMIN permission. The command will vary depending on whether the connection requires OAuth or External OAuth. We will include the command for each BI tool in the steps below.

Using OAuth in your BI tool

Once you have OAuth configured in Snowflake, the next steps depend on your BI tool and your configuration preferences, for example whether you will be using an Identity Provider (IdP). Here we have detailed the steps for some of the most popular BI tools that our clients use.

How to use OAuth in Tableau

If you are using Tableau version 2024.2 or later, you will need to configure the custom integration to Tableau and register OAuth for Snowflake connections. See full docs here.


Code snippet with config options for Snowflake OAuth for custom clients. 


If you are using Tableau Server versions 2023.3 and older, the connector will handle the connection.

Once it’s configured, you can set up the connection by following these steps:

  1. On the Connect screen, under To a Server, select More, and then select Snowflake.
  2. On the General tab, enter the name of the server that you want to connect to.
  3. (Optional) Enter the Role and Warehouse.
  4. Select Sign in using OAuth.
  5. In the Web page that opens, log in to Snowflake by entering your Username and Password and selecting Log In. Alternately, select Single Sign On if Snowflake is configured to support SSO.
  6. Click OK to confirm authorization to access your Snowflake data.

Screenshot of the Tableau connection section highlighting that in the “authentication” field the user should select “Sign in using Oauth”.

How to use OAuth in PowerBI

To connect PowerBI to Snowflake using OAuth you have two options:

  1. Snowflake PowerBI native driver. This is the easiest method, but it supports only Azure AD for OAuth.
  2. Using a separate IdP. For this you will need to use the Snowflake ODBC driver.

Option 1: Azure AD

  1. Create the security integration by running this command on Snowflake.
  2. Code snippet with config code in Snowflake to create security integration in pbi.
  3. Sign in to Power BI using Fabric administrator credentials.
  4. Select Settings from the page header menu, then select Admin portal > Select Tenant settings, then scroll to locate Integration settings, and enable SSO.
  5. In PowerBI desktop, Select Get Data from the Home ribbon, select Database from the categories on the left, select Snowflake, and then select Connect.
  6. In the Snowflake window that appears, enter the name of your Snowflake server in Server (It will be: <account_name>.snowflakecomputing.com) and the name of your Snowflake computing warehouse in Warehouse.
  7. When you are prompted to enter the username and password, select “Microsoft Account” instead.
  8. In Navigator, select the tables you want to connect to.
  9. Microsoft Entra ID single sign-on (SSO) only supports DirectQuery; you will not be able to use the “import” option.

Option 2: Snowflake ODBC driver (We will use Okta in this example)

  1. Download the ODBC driver from Snowflake.
  2. Configure a system or user DSN and set the parameter Authenticator to EXTERNALBROWSER.
  3. Screenshot of the Snowflake configuration window with sample DSN parameters showing the field “authenticator” is set to “externalbrowser”.
  4. In PowerBI: Use the ODBC driver for the connection instead of the default Snowflake.
  5. Screenshot of the connections screen showing selection of ODBC driver for the connection instead of the default Snowflake.
  6. Select the Data source name (DSN) you created.
  7. Screenshot of the ODBC connection screen showing that the DSN is the one created previously.
  8. Set the authenticator to EXTERNALBROWSER.
  9. Enter your Okta username and password.

How to use OAuth in Sigma

Sigma offers two OAuth options:

  1. Scenario 1: If you are using OAuth to authenticate users to your Sigma organization with an external IdP (Okta, Microsoft Entra ID, Auth0, or PingIdentity) you can re-use that OAuth configuration for the Snowflake connection.
  2. Scenario 2: If you don’t use OAuth or you don’t want to reuse it, you have the alternative to set up a unique OAuth configuration for this connection.

Scenario 1:

  1. Navigate to Administration > Connections and click Create Connection.
  2. Configure a Snowflake connection with your Snowflake account and warehouse. For Authentication select OAuth.
  3. Enable the toggle next to Use organization-level OAuth configuration. If you do not use OAuth as your authentication method for your Sigma organization, this option will not be present; see Scenario 2.
  4. If you require a service account for writeback features, this can only be set up with RSA key pair authentication; please see our article on RSA.

Scenario 2:

  1. Configure a Sigma OAuth application. The process is well documented in Sigma’s documentation here.
  2. Create the security integration by running this command on Snowflake. This is an example using Okta but you can replace okta with your IdP.
    1. EXTERNAL_OAUTH_TYPE: Specifies the type of external OAuth provider (Okta in this case).
    2. EXTERNAL_OAUTH_ISSUER: The Issuer URL from your Okta authorization server.
    3. EXTERNAL_OAUTH_JWS_KEYS_URL: The JWKS URL for fetching the signing keys.
    4. EXTERNAL_OAUTH_AUDIENCE_LIST: Specifies the expected audience of the OAuth token.
    5. EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM: The claim in the OAuth token that maps to the Snowflake user (usually sub for subject).
    6. EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE: The Snowflake user attribute that the OAuth claim is mapped to. This example maps it to the email address, but this can be customized based on your setup.
    7. EXTERNAL_OAUTH_ANY_ROLE_MODE: Enables or disables the ability for the user to assume any role specified in the token.
    Code snippet with config code in Snowflake to create security integration using Okta in Sigma.
  3. Log into Sigma as Administrator and navigate to Administration > Authentication. Click Edit.
  4. In the Metadata URI field, enter the OAuth metadata URI you obtained in step 1.
  5. In the Redirect URI field, use the copy icon to copy the redirect URI to your clipboard, to use when configuring your OAuth configuration in your IdP.
  6. In the Client ID field, enter the client ID from your OAuth application that you obtained in step 1.
  7. If you configured your application in step 1 to require Proof Key for Code Exchange (PKCE) or JWT bearer tokens, check the corresponding box. Otherwise, in the Client Secret field, enter the client secret from your OAuth application that you obtained in step 1.
  8. Screenshot of the Sigma “authentication method & options” Showing that Authentication Method is set to “Oauth or password”, and highlighting the sections that need to be filled in with the data from the IdP: “Metadata URI”, “Client ID”, and “Client Secret”
  9. Navigate to Administration > Connections and click Create Connection.
  10. Configure a Snowflake connection with your Snowflake account and warehouse. For Authentication select OAuth.
  11. Screenshot of the Sigma connection section highlighting that in the Connection Details, Snowflake has been selected. In the “Account” field, the account has been inputted. In the “warehouse” field we have the warehouse name, and in the “authentication” field the user should select “Oauth”.
  12. If you require a service account for writeback features, this can only be set up with RSA key pair authentication; please see our article on RSA.
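
An added example, not Sigma's snippet or the original article's: an External OAuth security integration for Okta built from the seven parameters listed in step 2 of Scenario 2, followed by the checks worth running before users connect. The integration name and every `<...>` value are placeholders, and the mapping and role-mode values are assumptions to adapt to your setup.

```sql
-- Added example. The integration name and all <...> values are placeholders.
USE ROLE ACCOUNTADMIN;

CREATE SECURITY INTEGRATION sigma_okta_external_oauth  -- hypothetical name
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = OKTA
  -- Issuer and JWKS URL are published by the Okta authorization server.
  EXTERNAL_OAUTH_ISSUER = '<okta_issuer_url>'
  EXTERNAL_OAUTH_JWS_KEYS_URL = '<okta_jwks_url>'
  -- Only tokens issued for this audience are accepted.
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('<audience>')
  -- The token's "sub" claim is matched against each user's email address.
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL_ADDRESS'
  -- DISABLE (the default) does not let the client or user switch roles
  -- with USE ROLE after the session is established.
  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'DISABLE';

-- Review what was stored, including the blocked and allowed role lists.
DESCRIBE SECURITY INTEGRATION sigma_okta_external_oauth;

-- The mapping has to resolve to one user: list email addresses shared
-- by more than one active user before relying on EMAIL_ADDRESS.
SELECT email, COUNT(*) AS user_count
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND email IS NOT NULL
GROUP BY email
HAVING COUNT(*) > 1;

-- Check a token issued by the IdP against the integration
-- (paste a short-lived test token; do not store it in a worksheet).
SELECT SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('<access_token>');
```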

How to use OAuth in Omni

At the time of this article, Omni doesn’t support OAuth on Snowflake. This is an upcoming feature. Please see our article on RSA Key Pairs which Omni does support.

How to use OAuth in Domo

  1. Configure the Snowflake security integration
  2. Code snippet with config code in Snowflake to create security integration for Domo.
  3. Run this command to obtain the client ID and secret.
  4. Code snippet showing Snowflake command to show OAuth client secrets for Domo.
  5. Navigate to the Data Warehouse and select Add New Cloud Integration on the canvas.
  6. In the modal, select Snowflake. Then click Add new integration on the bottom right.
  7. Enter the Integration name — A unique name to help you identify the integration in Domo. If configuring OAuth, this name is how Domo users view the reference to the Snowflake native connection. It is not the same as the integration name, and has no impact for Snowflake.
  8. In Snowflake connection URL enter your Snowflake URL with format: <orgname>-<account_name>.snowflakecomputing.com.
  9. In the username and private key file sections, enter your service user credentials. These must be RSA key pairs. Please see our article on RSA for details.
  10. Under Configure OAuth, toggle the switch to enable OAuth. Under Client ID and Client secret enter the values you obtained from Snowflake earlier.
  11. Screenshot of the Domo screen to configure a Snowflake cloud integration. It shows that “Snowflake client ID” has been filled, “Snowflake client secret” has been filled, and under “role usage” we have selected “use default role”. The button “authenticate” is highlighted indicating we can test the connection before clicking “next”.
  12. Choose the Snowflake role and Click Authenticate.
  13. Enter your Snowflake credentials, and allow the integration.
  14. Adjust how frequently Domo should check for updates and click Next.
  15. Screenshot of the second Domo screen to configure a Snowflake cloud integration. It shows that under “configure Oauth” we have enabled “use Oauth per-user authentication”. In the next section we have enabled “automatically check for data updates” and it’s configured every 15 min for both updates and cache TTL.
  16. Select the warehouse and click next to finalize the connection.

How to use OAuth in Looker

Please note that PDTs are not supported for Looker to Snowflake connections that use OAuth. If you use PDTs, we recommend you use RSA for your connection. Please see our article on RSA tokens for connection instructions.

  1. Set up the OAuth integration in Snowflake. Run the following command in Snowflake, where <looker_hostname> is the hostname of your Looker instance:
  2. Code snippet with config code in Snowflake to create security integration for Looker.
  3. Get the OAuth client ID and secret by running the following command. The response will have an OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET that you will need later in this procedure.
  4. Code snippet showing Snowflake command to show OAuth client secrets for Looker.
  5. In the Admin section of Looker, select Connections, and then click Add Connection.
  6. In Database Settings - Host: Enter the Snowflake hostname. It will be: <account_name>.snowflakecomputing.com.
  7. In Database Settings - Authentication Method: Select OAuth.
  8. Paste in the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET values that you got from your database.
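
An added example, not the original article's snippets: the Snowflake OAuth integration and secret lookup from steps 1 and 3 of the Looker procedure, extended with a login-history query to confirm that connections have actually moved off username-password. The redirect path is assumed from Looker's Snowflake OAuth documentation, and the refresh-token lifetime and the extra blocked role are assumptions to adjust.

```sql
-- Added example. <looker_hostname> is the hostname of your Looker instance.
USE ROLE ACCOUNTADMIN;

CREATE SECURITY INTEGRATION LOOKER
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = LOOKER
  -- Redirect path assumed from Looker's documentation; confirm for your version.
  OAUTH_REDIRECT_URI = 'https://<looker_hostname>/external_oauth/redirect'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  -- Seconds until a user must re-authorize (7776000 = 90 days).
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000
  -- Roles users cannot consent to through this integration (assumed choice).
  BLOCKED_ROLES_LIST = ('SYSADMIN');

-- Returns OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET as JSON. Treat the
-- output as a credential: paste it into Looker and keep it out of
-- shared worksheets and tickets.
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('LOOKER');

-- After developers reconnect: which factor did each successful login use?
-- Rows still showing PASSWORD as the first factor with no second factor
-- are the connections left to migrate. ACCOUNT_USAGE views lag by up to
-- a few hours.
SELECT user_name,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor,
       COUNT(*)             AS logins,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
GROUP BY 1, 2, 3, 4
ORDER BY logins DESC;
```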

OAuth is just one of the options you have to authenticate your BI tool connection to Snowflake. Please check out our other blogs on PAT and RSA Key pairs to see other secure alternatives, or to see how to set up your service user.

Need help setting up your Snowflake to BI connection fast before the deprecation deadline? Contact us; we are already helping our clients switch their connection.
