Introduce api-key to SPCS requests using the X-RSC-Authorization header #715
Open
costrouc wants to merge 3 commits into posit-dev:main from costrouc:feat-support-snowflake-spcs-oidc
+32
−18
This commit is mainly meant as an example to complement changes in how we will be performing authentication within the Snowflake Posit Team Native Application. When / if that PR of work for OIDC goes through, this will serve as a good example of how it can be supported.
I think this PR also highlights the importance of OIDC device flow authentication, which is supported in PPM (https://packagemanager.rstudio.com/__docs__/admin/appendix//cli/rspm_login_sso.html), which would again eliminate the need for an API key.
I REALLY like how this package uses the snow command to generate the JWT used for Snowflake ingress, as this means our Posit libraries don't have to re-implement the Snowflake authentication.
Going to put this PR in draft and will contribute more after I share this with our team tomorrow at standup.
This commit refines the Snowflake SPCS (Snowpark Container Services) OIDC authentication implementation to better align with existing codebase patterns and improve type safety.
Changes:
- Make SPCSConnectServer.api_key Optional[str] to match RSConnectServer
- Add comprehensive docstring to SPCSConnectServer class explaining SPCS deployment and authentication approach
- Reorder RSConnectExecutor server type detection to check for snowflake_connection_name first, as SPCS is more specific than generic Connect deployment
- Ensure api_key is passed to SPCSConnectServer in all instantiations (RSConnectExecutor.__init__ and validate_spcs_server)
- Add null check before setting X-RSC-Authorization header to fix type checking error
- Update all test cases in SPCSConnectServerTestCase to pass api_key parameter and verify it's set correctly
All SPCS-specific tests pass. The implementation now follows the established patterns for server authentication while maintaining backward compatibility.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Add changelog entry documenting the fix for Snowflake SPCS authentication to properly handle API keys and align with codebase patterns.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
I'm guessing that the failed tests are due to permissions. I tried to create a branch on the repo but it didn't work, so I created a fork.
costrouc added a commit to costrouc/publisher that referenced this pull request Oct 25, 2025
Snowflake SPCS deployments with OIDC now require both a Snowflake connection name and a Connect API key for authentication. This change updates the credential validation logic and account authentication type detection to support this new requirement.
Changes:
- credentials.go: Updated validation to require both SnowflakeConnection and ApiKey for ServerTypeSnowflake credentials
- account.go: Modified AuthType() to prioritize Snowflake connection detection since it's the most specific case, and added documentation about the dual authentication requirement
This aligns with changes in Snowflake SPCS where proxied authentication headers no longer carry sufficient user identification information, necessitating the use of Connect API keys in addition to Snowflake tokens.
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
costrouc added a commit to costrouc/publisher that referenced this pull request Oct 25, 2025
Implements the authentication mechanism for Snowflake SPCS with OIDC support
by sending both Snowflake tokens and Connect API keys in separate headers.
Changes:
- snowflake.go:
  - Added apiKey field to snowflakeAuthenticator struct
  - Updated NewSnowflakeAuthenticator to accept apiKey parameter
  - Modified AddAuthHeaders to set both Authorization (Snowflake token) and
    X-RSC-Authorization (Connect API key) headers
  - Enhanced documentation to explain the dual-header OIDC authentication
- auth.go:
  - Updated NewClientAuth to pass the API key when creating Snowflake
    authenticators
The Authorization header contains the Snowflake token for proxied authentication,
while the X-RSC-Authorization header contains the Connect API key for OIDC
authentication. This dual-header approach ensures proper authentication with
Connect servers deployed in Snowflake SPCS.
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
costrouc added a commit to costrouc/publisher that referenced this pull request Oct 25, 2025
Updates all tests to reflect the new dual-credential requirement for Snowflake
SPCS authentication with OIDC support.
Changes:
- snowflake_test.go:
  - Updated all NewSnowflakeAuthenticator calls to include API key parameter
  - Added assertions to verify API key is properly stored in authenticator
  - Enhanced TestAddAuthHeaders to verify both Authorization and
    X-RSC-Authorization headers are set correctly
  - Added test case for authenticator without API key to ensure the header
    is only set when an API key is provided
- file_test.go & keyring_test.go:
  - Updated Snowflake credential creation tests to include API key
  - Changed expected API key assertions from empty string to test API key
All tests pass, confirming that the OIDC authentication changes work correctly
while maintaining backward compatibility.
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
costrouc added a commit to costrouc/publisher that referenced this pull request Oct 25, 2025
… extension
Adds a new input step in the VSCode extension credential creation flow to prompt users for a Connect API key when creating Snowflake SPCS credentials.
Changes:
- Added INPUT_SNOWFLAKE_API_KEY step to the credential creation flow
- Implemented inputSnowflakeAPIKey() function that:
  - Prompts users for the Connect API key with password masking
  - Validates API key syntax using existing validation logic
  - Provides clear messaging about OIDC authentication requirements
- Updated isValidSnowflakeAuth() to require both snowflakeConnection and apiKey
- Modified inputSnowflakeConnection() to navigate to the API key input step before proceeding to credential naming
The new flow for Snowflake SPCS credentials is:
1. Enter server URL
2. Select Snowflake connection
3. Enter Connect API key (NEW)
4. Name the credential
This ensures users provide both authentication components needed for Snowflake SPCS deployments with OIDC authentication.
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
costrouc added a commit to costrouc/publisher that referenced this pull request Oct 25, 2025
Documents the Snowflake SPCS OIDC authentication changes in both the main repository and VSCode extension changelogs.
Changes:
- Added entries to "Unreleased > Fixed" sections explaining that Snowflake SPCS authentication now requires both a Snowflake connection name and a Connect API key
- Documented the dual-header authentication approach (Authorization for Snowflake token, X-RSC-Authorization for Connect API key)
- Explained the reason for the change: proxied authentication headers in Snowflake SPCS no longer carry sufficient user identification information with the move to OIDC
Related: posit-dev/rsconnect-python#715
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Intent
Prior to recent changes on the Snowflake side, proxied authentication headers carried enough information for Connect running in Snowflake SPCS to identify users. With the move to OIDC, Connect servers no longer trust Snowflake headers for username identification. This requires users to provide both a Snowflake connection (for proxied authentication) and a Connect API key (for OIDC authentication).
This commit is how we will be performing authentication within the Snowflake Posit Team Native Application. This will serve as a good example of how it can be supported in the rsconnect* packages. Posit Connect supports alternate headers for authorization https://docs.posit.co/connect/admin/authentication/proxied/#api-use.
I think this PR also highlights the importance of OIDC device flow authentication which is supported in PPM (https://packagemanager.rstudio.com/__docs__/admin/appendix//cli/rspm_login_sso.html), which would again eliminate the need for an api key which this PR reintroduces for SPCS.
Example
Type of Change
Approach
Automated Tests
Directions for Reviewers
Checklist
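The dual-header scheme this pull request describes, as an added example that is not code from the PR or from rsconnect-python: the Snowflake token goes in Authorization, and the Connect API key goes in X-RSC-Authorization only when one is configured. The function names, the header value formats (`Snowflake Token="..."` and `Key ...`) and the sample credentials are assumptions made for illustration.

```python
from typing import Dict, Optional

# Headers whose values are credentials and must never reach logs verbatim.
SECRET_HEADERS = frozenset({"authorization", "x-rsc-authorization"})


def _safe_value(name: str, value: str) -> str:
    """Reject empty values and characters that could split or forge headers."""
    if not value or any(ch in value for ch in '\r\n\0"'):
        raise ValueError(f"unsafe value for {name} header")
    return value


def build_spcs_headers(snowflake_token: str, api_key: Optional[str] = None) -> Dict[str, str]:
    """Build the auth headers for a Connect server behind Snowflake SPCS ingress.

    Authorization carries the Snowflake token used for proxied authentication;
    X-RSC-Authorization carries the Connect API key that identifies the user.
    The value formats below are assumptions made for this example.
    """
    token = _safe_value("Authorization", snowflake_token)
    headers = {"Authorization": 'Snowflake Token="%s"' % token}
    # Only send the Connect header when a key is configured: an empty or
    # None key must not turn into a literal "Key None" credential.
    if api_key:
        headers["X-RSC-Authorization"] = "Key " + _safe_value("X-RSC-Authorization", api_key)
    return headers


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy that is safe to log: secrets replaced, auth scheme kept."""
    out = {}
    for name, value in headers.items():
        if name.lower() in SECRET_HEADERS:
            out[name] = value.split(" ", 1)[0] + " <redacted>"
        else:
            out[name] = value
    return out


if __name__ == "__main__":
    # Constructed sample credentials, not real tokens.
    sample = build_spcs_headers("sf-token-constructed", "connect-key-constructed")
    print(redact_headers(sample))
```
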