SNOW-675319: Support JWT authentication by passing in a valid JWT token directly in the DSN #671

Open
mihaitodor opened this issue Oct 10, 2022 · 3 comments
Labels
enhancement The issue is a request for improvement or a new feature status-triage_done Initial triage done, will be further handled by the driver team

Comments

@mihaitodor

Issue description

Currently, I can use the following DSN: <snowflake_user>@<snowflake_account>/<db_name>/<schema_name>?warehouse=<warehouse>&role=<role>&authenticator=snowflake_jwt&privateKey=<base64_url_encoded_private_key>.

However, it's not a good security practice to embed the private key into the DSN, so I'd rather pass in a generated JWT like so: <snowflake_user>@<snowflake_account>/<db_name>/<schema_name>?warehouse=<warehouse>&role=<role>&authenticator=snowflake_jwt&token=<jwt_token>. Unfortunately, this doesn't work, because the current implementation expects to derive the JWT token from the private key here. It also panics if the privateKey parameter isn't set, but that should yield a validation error instead...

It would be great to allow users to pass in a JWT token directly as an alternative to privateKey when authenticator=snowflake_jwt.

Example code

N/A

Error log

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1022b4e78]

goroutine 10 [running]:
crypto/rsa.(*PrivateKey).Public(...)
        /usr/local/Cellar/go/1.19.2/libexec/src/crypto/rsa/rsa.go:113
github.com/snowflakedb/gosnowflake.prepareJWTToken(0xc000fd6820)
        /Users/ntodor/Projects/go/pkg/mod/github.com/snowflakedb/gosnowflake@v1.6.13/auth.go:391 +0x38
github.com/snowflakedb/gosnowflake.authenticate({0x103935508, 0xc000196010}, 0xc000bee3c0, {0x0, 0x0, 0x10cb5b608?}, {0x0, 0x0, 0x103937d48?})
        /Users/ntodor/Projects/go/pkg/mod/github.com/snowflakedb/gosnowflake@v1.6.13/auth.go:308 +0x8f4
github.com/snowflakedb/gosnowflake.authenticateWithConfig(0xc000bee3c0)
        /Users/ntodor/Projects/go/pkg/mod/github.com/snowflakedb/gosnowflake@v1.6.13/auth.go:453 +0x345
github.com/snowflakedb/gosnowflake.SnowflakeDriver.OpenWithConfig({}, {_, _}, {{0xc0007d0018, 0x9}, {0xc000f0e018, 0x15}, {0x0, 0x0}, {0xc0007d0049, ...}, ...})
        /Users/ntodor/Projects/go/pkg/mod/github.com/snowflakedb/gosnowflake@v1.6.13/driver.go:40 +0x105
github.com/snowflakedb/gosnowflake.SnowflakeDriver.Open({}, {0xc0007d0000, 0x327})
        /Users/ntodor/Projects/go/pkg/mod/github.com/snowflakedb/gosnowflake@v1.6.13/driver.go:23 +0x133
database/sql.dsnConnector.Connect(...)
        /usr/local/Cellar/go/1.19.2/libexec/src/database/sql/sql.go:759
database/sql.(*DB).conn(0xc000560820, {0x103935508, 0xc000196008}, 0x1)
        /usr/local/Cellar/go/1.19.2/libexec/src/database/sql/sql.go:1393 +0x763
database/sql.(*DB).query(0x102b99360?, {0x103935508, 0xc000196008}, {0xc000bda2a0, 0x29}, {0x0, 0x0, 0x0}, 0x0?)
        /usr/local/Cellar/go/1.19.2/libexec/src/database/sql/sql.go:1730 +0x5d
database/sql.(*DB).QueryContext(0x0?, {0x103935508, 0xc000196008}, {0xc000bda2a0, 0x29}, {0x0, 0x0, 0x0})
        /usr/local/Cellar/go/1.19.2/libexec/src/database/sql/sql.go:1708 +0xda
database/sql.(*DB).Query(0xc0002328c0?, {0xc000bda2a0?, 0x10ccc81f8?}, {0x0?, 0x0?, 0x0?})
        /usr/local/Cellar/go/1.19.2/libexec/src/database/sql/sql.go:1726 +0x45

Configuration

Driver version (or git SHA): v1.6.13

Go version: go1.19.2 darwin/amd64

Server version: 6.32.3

Client OS: OSX Monterey 12.6
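
An added sketch, not part of the original issue and not gosnowflake's code, of the up-front validation the issue asks for: a DSN with authenticator=snowflake_jwt and no credential returns an error instead of reaching crypto/rsa with a nil key. The names jwtAuth and parseJWTAuth, the handling of a token parameter, and the base64url PKCS#8 encoding of privateKey are assumptions; the DSN in main is constructed.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// jwtAuth is a hypothetical type, not part of gosnowflake.
type jwtAuth struct {
	PrivateKey *rsa.PrivateKey // privateKey=<base64url PKCS#8 DER> (assumed encoding)
	Token      string          // token=<pre-signed JWT>, the parameter the issue requests
}

// parseJWTAuth rejects a missing credential up front; errors never echo secret values.
func parseJWTAuth(dsn string) (*jwtAuth, error) {
	_, rawQuery, _ := strings.Cut(dsn, "?")
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, errors.New("malformed DSN parameters")
	}
	key, token := q.Get("privateKey"), q.Get("token")
	if (key == "") == (token == "") {
		return nil, errors.New("snowflake_jwt needs exactly one of privateKey or token")
	}
	if token != "" {
		if strings.Count(token, ".") != 2 { // compact JWT: header.payload.signature
			return nil, errors.New("token is not a compact JWT")
		}
		return &jwtAuth{Token: token}, nil
	}
	der, err := base64.URLEncoding.DecodeString(key)
	if err != nil {
		return nil, errors.New("privateKey is not valid base64url")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(der)
	rsaKey, ok := parsed.(*rsa.PrivateKey)
	if err != nil || !ok {
		return nil, errors.New("privateKey is not a PKCS#8 RSA key")
	}
	return &jwtAuth{PrivateKey: rsaKey}, nil
}

func main() { // constructed DSN with no credential: the case that panics in the issue
	fmt.Println(parseJWTAuth("user@acct/db/schema?authenticator=snowflake_jwt"))
}
```

The token check is structural only; signature and expiry are verified by the server, not by this sketch.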

@github-actions github-actions bot changed the title Support JWT authentication by passing in a valid JWT token directly in the DSN SNOW-675319: Support JWT authentication by passing in a valid JWT token directly in the DSN Oct 10, 2022
@sfc-gh-dszmolka
Contributor

Thank you for raising this enhancement request with us - we'll consider adding the capability, but I cannot commit to any estimated timelines. Thank you for bearing with us!

@sfc-gh-dszmolka sfc-gh-dszmolka added the enhancement The issue is a request for improvement or a new feature label Mar 28, 2023
@sfc-gh-dszmolka sfc-gh-dszmolka added the status-triage_done Initial triage done, will be further handled by the driver team label Mar 12, 2024
@asarama

asarama commented Jan 23, 2025

+1

Would love this feature as well...

@sfc-gh-pfus
Collaborator

Hi guys. I feel your need, I see why it is important to you. Snowflake has big plans related to auth mechanisms to be delivered later this year. One of them is PAT (personal access token). Maybe this would be a good alternative? CC Thanks @sfc-gh-dheyman for the suggestion!
