Okta Authenticator does not support Okta MFA #140

Closed
adrianisk opened this issue Dec 13, 2018 · 5 comments

@adrianisk

I'm unable to use the Snowflake Python connector when using the Okta URL authenticator because my organization has MFA turned on for Okta. Stepping through the auth_okta.py code, when grabbing the one-time token in method _step3, the code fails to check the return's status, which is set to 'MFA_REQUIRED'. Judging from https://developer.okta.com/docs/sdk/core/python_api_sdk/api/clients/AuthClient there's an additional flow that needs to be completed when MFA is turned on.
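
As an added example (not part of the original post and not the connector's own code): a fail-closed check on the `status` field of an Okta `/api/v1/authn` response, of the kind the post above says is missing. The function and exception names are hypothetical, and the sample responses are constructed.

```python
import json

# Okta Authentication API transaction states in which a second factor is still pending.
MFA_STATES = {"MFA_REQUIRED", "MFA_CHALLENGE", "MFA_ENROLL", "MFA_ENROLL_ACTIVATE"}


class OktaAuthError(Exception):
    """Primary authentication did not end in a usable session token."""


class OktaMfaRequired(OktaAuthError):
    """Okta wants a second factor; the one-time token is not available yet."""

    def __init__(self, status, factor_types):
        self.status = status
        self.factor_types = factor_types
        super().__init__(
            f"Okta returned status {status}; enrolled factors: "
            f"{', '.join(factor_types) or 'none listed'}"
        )


def extract_session_token(body):
    """Return the one-time session token, or raise with the reason it is absent.

    `body` is the JSON text of an /api/v1/authn response. Token values are
    never placed in exception messages, so they cannot leak into logs.
    """
    data = json.loads(body)
    status = data.get("status")
    if status in MFA_STATES:
        factors = data.get("_embedded", {}).get("factors", [])
        raise OktaMfaRequired(status, sorted({f.get("factorType", "?") for f in factors}))
    if status != "SUCCESS":
        raise OktaAuthError(f"Okta returned unexpected status {status!r}")
    token = data.get("sessionToken")
    if not token:
        raise OktaAuthError("status SUCCESS but no sessionToken in response")
    return token


# Constructed sample responses (placeholder token values, not real captures).
SAMPLE_SUCCESS = '{"status": "SUCCESS", "sessionToken": "EXAMPLE-SESSION-TOKEN"}'
SAMPLE_MFA = json.dumps({
    "status": "MFA_REQUIRED",
    "stateToken": "EXAMPLE-STATE-TOKEN",
    "_embedded": {"factors": [{"factorType": "push", "provider": "OKTA"},
                              {"factorType": "token:software:totp", "provider": "OKTA"}]},
})
```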

@smtakeda
Contributor

OKTA+MFA is not supported by the Okta authenticator, but authenticator=externalbrowser is the option. Alternatively, the upcoming OAuth support needs to be used.

@adrianisk
Author

Thanks for the quick response! I'm trying to add Snowflake SSO support to a tool I use, but the problem is that the tool creates a new Snowflake connector for each model it runs, which isn't something I can easily change. This means when I run it, I end up with 10-20 browser windows opened... I was doing a little more reading, and noticed the PARAMETER_CLIENT_STORE_TEMPORARY_CREDENTIAL parameter is set to True when using external browser, but when I authenticate through the browser the 'idToken' of the response is null so nothing gets stored in the temp credentials file. I'm a bit out of my element here - is the temporary credential storage supported for external browser authentication through Okta? I followed the setup instructions for Okta at https://docs.snowflake.net/manuals/user-guide/admin-security-fed-auth-configure-idp.html#okta-setup, but I might have something misconfigured on the Okta side of things? Thanks for your help!

@smtakeda
Contributor

@adriank-convoy please reach out to Snowflake support to enable the id token cache feature. It is still in private preview, but it will reduce the number of browser popups by caching the token.

@adrianisk
Author

I opened a ticket this morning, thanks!

@dmateusp

dmateusp commented Jul 2, 2020

We are using DBT CLI, and asked Snowflake support to enable the feature for us. I just wanted to add some info here:

  • Support told us that the feature is public now so running alter account set allow_id_token = true; should enable token caching (without having to contact them in the first place)
  • Note that in the current version of DBT (0.18.0b1), the snowflake connector version is 2.2.1. This version of the connector was not using token caching and we had to add snowflake-connector-python>=2.2.8 to our requirements.txt file to get the feature working
