
SNOW-581157: Okta authenticator : 401 Unauthorized (missing authn step)

Open ppo-38 opened this issue 2 years ago • 2 comments

Context and current behaviour:

Context:

  • On Okta, users have to connect with their own credentials plus a second factor (Okta push, for example)
  • On Okta, we use the Snowflake application configured with the authentication policy "Password only"
  • On Snowflake, users just have to use the single sign-on button to connect to the Snowflake console (and access is fully operational)
  • However, users cannot use the Python connector with their Okta connection

Behaviour: connecting to Okta fails when using the authenticator properties:

import snowflake.connector

def get_snowflake_connection() -> snowflake.connector.SnowflakeConnection:
    # authenticator is the Okta org URL; the connector then drives the Okta flow itself
    return snowflake.connector.connect(
        user="<okta_username>",
        password="<okta_password>",
        authenticator="https://<okta_account>.okta.com",
        account="<snowflake_account>.<snowflake_region>",
    )

Error : 250001 (08004): Failed to get authentication by OKTA: 401: Unauthorized

Current steps of the Okta connection:

In module connector/auth_okta.py, these are the 5 steps to connect:

  • step 1: query the Snowflake API (/session/authenticator-request) to get token_url and sso_url
  • step 2: check that token_url and sso_url have the same prefix
  • step 3: query token_url with user/password to get a cookie token
  • step 4: query sso_url with the cookie token to get the SAML response
  • step 5: check that the post-back URL from the SAML response matches the Snowflake URL (http://<...>.snowflakecomputing.com/fed/login)

Problem analysis:

  • Here is the token_url received from step 1: https://<okta_account>.okta.com/api/v1/sessions?additionalFields=cookieToken
  • The Okta module queries this token_url in step 3 with user/password, while the Okta documentation on /api/v1/sessions indicates that we can only use a sessionToken

Proposed solution:

  • Add a step just before step 3 to first authenticate on Okta and receive a session token
  • For this, we can use /api/v1/authn with user/password
  • With the session token received, query the token_url
  • Continue with the existing steps 4 and 5

ppo-38 avatar Apr 23 '22 13:04 ppo-38
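The five steps above, plus the /api/v1/authn step the reporter proposes, worked through as an added example; this is not the connector's code and not the reporter's. HTTP is abstracted behind a `post`/`get` object so the flow runs offline against constructed Snowflake and Okta responses (`FakeOkta`). Assumed, not taken from the page: the two host names, the `tokenUrl`/`ssoUrl` field names in the authenticator-request reply, the `onetimetoken` query parameter in step 4, and the exact response bodies. The `sessionToken` -> `cookieToken` -> SAML-form shape follows Okta's documented /api/v1/authn and /api/v1/sessions behaviour. The fake's /api/v1/sessions rejects a body with no `sessionToken`, which is the 401 from the issue; the step 2 and step 5 checks compare scheme/host/port rather than a string prefix, so a look-alike host does not pass.

```python
import html
import re
from urllib.parse import urljoin, urlparse

SNOWFLAKE_URL = "https://example-account.snowflakecomputing.com"  # assumed
OKTA_URL = "https://example-org.okta.com"                         # assumed


class OktaAuthError(Exception):
    pass


def same_origin(a, b):
    """Compare scheme/host/port, not a string prefix: the step-2 and step-5
    checks must reject e.g. https://example-org.okta.com.evil.net/..."""
    pa, pb = urlparse(a), urlparse(b)
    return pa.scheme == "https" and (pa.scheme, pa.hostname, pa.port) == (
        pb.scheme, pb.hostname, pb.port)


def saml_postback_url(saml_html):
    """The <form action> the browser would POST the SAMLResponse to."""
    m = re.search(r'<form\b[^>]*\baction="([^"]*)"', saml_html, re.IGNORECASE)
    if not m:
        raise OktaAuthError("SAML response has no <form action>")
    return html.unescape(m.group(1))


def okta_login(http, snowflake_url, okta_url, user, password):
    """Steps 1-5 from the issue plus the proposed /api/v1/authn step.
    `http` exposes post(url, json=...) and get(url, params=...) -> (status, body)."""
    # step 1: Snowflake says which Okta endpoints back this authenticator
    status, body = http.post(urljoin(snowflake_url, "/session/authenticator-request"),
                             json={"data": {"AUTHENTICATOR": okta_url}})
    if status != 200 or not body.get("success"):
        raise OktaAuthError(f"authenticator-request failed: {status}")
    token_url, sso_url = body["data"]["tokenUrl"], body["data"]["ssoUrl"]  # field names assumed
    # step 2: both URLs must be on the Okta org the caller configured
    if not (same_origin(token_url, okta_url) and same_origin(sso_url, okta_url)):
        raise OktaAuthError("token_url/sso_url are not on the configured Okta org")
    # proposed extra step: primary authentication yields a sessionToken
    status, body = http.post(urljoin(okta_url, "/api/v1/authn"),
                             json={"username": user, "password": password})
    if status != 200:
        raise OktaAuthError(f"/api/v1/authn failed: {status}")
    if body.get("status") != "SUCCESS":  # e.g. MFA_REQUIRED when the app policy demands a second factor
        raise OktaAuthError(f"/api/v1/authn did not complete: {body.get('status')}")
    # step 3: a sessionToken, not a password, is what /api/v1/sessions accepts
    status, body = http.post(token_url, json={"sessionToken": body["sessionToken"]})
    if status != 200:
        raise OktaAuthError(f"session creation failed: {status}")
    # step 4: redeem the cookieToken at the app's SSO URL (param name assumed)
    status, saml = http.get(sso_url, params={"RelayState": "/", "onetimetoken": body["cookieToken"]})
    if status != 200:
        raise OktaAuthError(f"sso_url failed: {status}")
    # step 5: the SAML form must post back to *this* account's /fed/login
    postback = saml_postback_url(saml)
    if not same_origin(postback, snowflake_url) or urlparse(postback).path != "/fed/login":
        raise OktaAuthError(f"SAML post-back URL {postback!r} is not {snowflake_url}/fed/login")
    return saml


class FakeOkta:
    """Constructed stand-in for Snowflake and Okta so the flow runs offline."""
    TOKEN_URL = OKTA_URL + "/api/v1/sessions?additionalFields=cookieToken"
    SSO_URL = OKTA_URL + "/app/snowflake/exk0example/sso/saml"

    def __init__(self, postback=SNOWFLAKE_URL + "/fed/login", password="correct-horse"):
        self.postback, self.password = postback, password

    def post(self, url, json=None):
        path = urlparse(url).path
        if path == "/session/authenticator-request":
            return 200, {"success": True, "data": {"tokenUrl": self.TOKEN_URL, "ssoUrl": self.SSO_URL}}
        if path == "/api/v1/authn":
            if json.get("password") != self.password:
                return 401, {"errorSummary": "Authentication failed"}
            return 200, {"status": "SUCCESS", "sessionToken": "20111aSessionToken"}
        if path == "/api/v1/sessions":
            if "sessionToken" not in json:  # the reporter's 401: user/password posted here
                return 401, {"errorSummary": "Authentication failed"}
            return 200, {"id": "102session", "cookieToken": "cookie-token-xyz"}
        return 404, {}

    def get(self, url, params=None):
        if url == self.SSO_URL and (params or {}).get("onetimetoken") == "cookie-token-xyz":
            return 200, ('<form method="POST" action="%s"><input type="hidden" '
                         'name="SAMLResponse" value="c2FtbA=="/></form>'
                         % html.escape(self.postback, quote=True))
        return 403, ""


def demo_success():
    return okta_login(FakeOkta(), SNOWFLAKE_URL, OKTA_URL, "alice", "correct-horse")


def demo_failure(**fake_kwargs):
    """Error message the flow raises against a misconfigured or hostile fake."""
    try:
        okta_login(FakeOkta(**fake_kwargs), SNOWFLAKE_URL, OKTA_URL, "alice", "correct-horse")
    except OktaAuthError as e:
        return str(e)
    return ""
```

`demo_success()` returns the SAML form; `demo_failure(postback="https://evil.example/fed/login")` shows step 5 refusing a form that would post the assertion somewhere other than the caller's own account, and `demo_failure(password="other")` is the plain wrong-password 401 from /api/v1/authn. Note the MFA branch: with the Okta application on a policy that requires a second factor, /api/v1/authn answers `MFA_REQUIRED` with no `sessionToken`, so this password-only flow only works when the app policy is "Password only" as in the reporter's setup.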

Any update on this? The okta auth is essentially broken now right?

m-o-leary avatar Aug 24 '22 20:08 m-o-leary

For those that are coming to this, everything is working as normal, can close this ticket. Docs should be updated though...

Steps to follow:

NOTE: SNOWFLAKE_USER was something different from what I had used in the past; it must've gotten updated when the company switched to Okta to log in to Snowflake.

To Find Snowflake Username:

  1. Login to Snowflake in browser
  2. Click on your name on the top right corner
  3. Go to Preferences and check your login name (not email or anything else)
  4. copy that login name exactly (case sensitive)

import snowflake.connector

snowflake_connection = snowflake.connector.connect(
    authenticator='externalbrowser',
    user='<SNOWFLAKE_USER>',  # the login name from Preferences, case sensitive
    account='<SNOWFLAKE_ACCOUNT>',
    database='<SNOWFLAKE_DB>',
    schema='<SNOWFLAKE_SCHEMA>',
    warehouse='<SNOWFLAKE_WAREHOUSE>'
)

jacob-coalition avatar Sep 08 '22 01:09 jacob-coalition