Metabase Snowflake authenticator to Okta - Has anyone successfully got this working?

cabarria · October 31, 2022, 3:23pm

I've been trying to connect to Snowflake using okta by adding the authenticator property to advanced properties, but keep getting the following error:
2022-10-28 16:08:17,633 ERROR api.database :: Cannot connect to Database
clojure.lang.ExceptionInfo: Bad request; operation not supported. {:message "Bad request; operation not supported."}

Everything works fine with SQL Workbench using the same driver, properties, and account. Has anyone been able to get Metabase connected to Snowflake with Okta?

I'm using openjdk 11 and have a single entry in the advanced properties. Additional spaces have been added to all URLs on this post to get through the maximum number of links allowed.
authenticator=https://mycomp .okta.com

Here is the error in the log files:
2022-10-28 16:11:10,132 DEBUG jdbc.DefaultSFConnectionHandler :: Trying to establish session, JDBC driver version: 3.13.21
2022-10-28 16:11:10,135 DEBUG core.SFSession :: input: server=https : // mycomp .us-east-1 .snowflakecomputing .com/, account=mycomp .us-east-1, user=first .last @ mycomp .com, password=, role=, database=MY_DATABASE, schema=, warehouse=MY_WAREHOUSE, validate_default_parameters=null, authenticator=https : // mycomp .okta .com/, ocsp_mode=FAIL_OPEN, passcode_in_password=null, passcode= * private_key=(null), disable_socks_proxy=null, application=null, app_id=JDBC, app_version=3.13.21, login_timeout=null, network_timeout=null, query_timeout=null, tracing=null, private_key_file=null, private_key_file_pwd=**** session_parameters: client_store_temporary_credential=null
2022-10-28 16:11:10,135 DEBUG core.SFBaseSession :: http.useProxy={}. JVM proxy not used.
2022-10-28 16:11:10,136 DEBUG core.SFSession :: connection proxy parameters: use_proxy=false, proxy_host=, proxy_port=0, proxy_user=, proxy_password=**** non_proxy_hosts=, proxy_protocol=http
2022-10-28 16:11:10,137 DEBUG core.HttpUtil :: Pool: [leased: 0; pending: 0; available: 1; max: 300] Executing: POST https : // mycomp .us-east-1 .snowflakecomputing .com/session/authenticator-request HTTP/1.1
2022-10-28 16:11:10,138 DEBUG jdbc.RestRequest :: Retry count: 0
2022-10-28 16:11:10,168 DEBUG jdbc.RestRequest :: HTTP response code: 200
2022-10-28 16:11:10,168 DEBUG core.HttpUtil :: Pool: [leased: 0; pending: 0; available: 1; max: 300] Request returned for: POST https : // mycomp .us-east-1 .snowflakecomputing .com/session/authenticator-request HTTP/1.1
2022-10-28 16:11:10,169 DEBUG core.SessionUtil :: authenticator-request response: {
"data" : null,
"code" : "390400",
"message" : "Bad request; operation not supported.",
"success" : false,
"headers" : null
}
2022-10-28 16:11:10,170 DEBUG core.SessionUtil :: response = {
"data" : null,
"code" : "390400",
"message" : "Bad request; operation not supported.",
"success" : false,
"headers" : null
}
2022-10-28 16:11:10,170 DEBUG jdbc.SnowflakeSQLException :: Snowflake exception: Bad request; operation not supported., sqlState:08001, vendorCode:390,400, queryId:
2022-10-28 16:11:10,174 ERROR driver.snowflake :: (type message)
=> java.lang.String
2022-10-28 16:11:10,175 ERROR api.database :: Cannot connect to Database
clojure.lang.ExceptionInfo: Bad request; operation not supported. {:message "Bad request; operation not supported."}

Here is the metabase diagnostic info:
{
"browser-info": {
"language": "en-US",
"platform": "Win32",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.52",
"vendor": "Google Inc."
},
"system-info": {
"file.encoding": "Cp1252",
"java.runtime.name": "OpenJDK Runtime Environment",
"java.runtime.version": "11.0.16.1+1-LTS",
"java.vendor": "Microsoft",
"java.vendor.url": "https : // www .microsoft .com/",
"java.version": "11.0.16.1",
"java.vm.name": "OpenJDK 64-Bit Server VM",
"java.vm.version": "11.0.16.1+1-LTS",
"os.name": "Windows 10",
"os.version": "10.0",
"user.language": "en",
"user.timezone": "America/New_York"
},
"metabase-info": {
"databases": [
"h2"
],
"hosting-env": "unknown",
"application-database": "h2",
"application-database-details": {
"database": {
"name": "H2",
"version": "1.4.197 (2018-03-18)"
},
"jdbc-driver": {
"name": "H2 JDBC Driver",
"version": "1.4.197 (2018-03-18)"
}
},
"run-mode": "prod",
"version": {
"date": "2022-10-17",
"tag": "v0.44.5",
"branch": "release-x.44.x",
"hash": "29fab4d"
},
"settings": {
"report-timezone": null
}
}
}

flamber · October 31, 2022, 4:02pm

Hi @cabarria
I have never seen anyone using this method of authentication, but the error code returned by Snowflake seems odd: https://stackoverflow.com/questions/60177963/how-can-you-connect-snowflake-to-an-ide-using-okta-with-mfa
It is going to be difficult to debug something like this, since it requires both Okta and Snowflake and a fully setup integration between those.

cabarria · November 1, 2022, 7:29pm

I've run both SQLWorkbench and Metabase with tracing and debug enabled for the snowflake driver. Here is a difference between the two initiating connections. Notice how the account property for workbench is just "mycomp" while in Metabase it is "mycomp.us-east-1"

Metabase (Fails)

SQLWorkbench (Works)

Here is a link to the full logs:(Error)[Log Files]

flamber · November 2, 2022, 9:19am

@cabarria Great debugging.

Snowflake is really not making it easy for themselves, since the account identifier stuff is the biggest problem most people are having, when trying to connect.
https://docs.snowflake.com/en/user-guide/admin-account-identifier.html#non-vps-account-locator-formats-by-cloud-platform-and-region

So Metabase needs to also send the account to the driver, but without the region (and possibly organization?) ? So we need to regex on the account identifier. Wonder if that would cause problems for existing connections not using authenticator.

cabarria · November 4, 2022, 3:59pm

I've confirmed with Snowflake support that the issue is the parameter we are passing to the account. Can you re-open the bug report so I can update it with this information?

Metabase-Snowflake Fails to Connect when using the authenticator=https://mycomp.okta.com in the advanced options · Issue #26155 · metabase/metabase (github.com)

flamber · November 4, 2022, 5:41pm

@cabarria I would recommend creating a new issue, since you have now the root cause of the problem. It makes it a lot easier for developers to read clearly described issues with what needs to be changed.

cabarria · November 7, 2022, 3:50pm

Done. Here is the new issue: Metabase-Snowflake incorrect parameter for account when using authenticator in advanced options - Fails to Connect · Issue #26272 · metabase/metabase (github.com)