bmanan7 opened a new issue, #58815: URL: https://github.com/apache/airflow/issues/58815
### Description

### Feature Description (Required)

Extend `SnowflakeHook.get_oauth_token` so that connections using the `client_credentials` grant can optionally provide an OAuth scope. The value should come from a new connection-extra field (for example `oauth_scope`) and be included in the POST body when requesting the token. Existing behavior stays unchanged if no scope is supplied.

### Root Problem

Many identity providers, including Okta, require/recommend a scope for client-credentials exchanges. The current hook sends only `grant_type` (and defaults to no scopes), so customers must either override the hook in their deployments or weaken their IdP policies.

### User Impact (Required)

Without this option, users can’t complete the OAuth handshake with providers that mandate scopes. Connections fail with `access_denied` errors, forcing teams to ship custom patches or abandon client-credentials altogether.

### Acceptance Criteria

- A connection extra (e.g., `oauth_scope`) is documented and honored for Snowflake OAuth.
- When the extra is present, `get_oauth_token` includes `scope=<value>` in the token request.
- Leaving the field empty preserves today’s behavior.
- Unit tests cover the scope-enabled branch and the default path.

### Docs Info Needed

Update the Snowflake connection how-to to list the new extra and explain when to use it.

### User stories

_No response_

### Additional Notes

Snowflake's OAuth [docs](https://docs.snowflake.com/en/user-guide/oauth-ext-overview#scopes) allow scope in client-credentials, and IdPs like Okta enforce/require it most of the time. This mirrors the existing Azure pattern (`azure_oauth_scope` → sent as `scope`).

### Use case/motivation

Many customer IdPs (e.g., Okta, Auth0) are commonly configured to require a scope for client-credentials flows. While not always mandatory, this is a typical security setup.

Because `SnowflakeHook.get_oauth_token` can’t currently include a scope, these configurations cause token requests to fail, forcing users to apply custom patches or relax IdP settings. Supporting an optional scope field allows the hook to work with these standard enterprise configurations without workarounds.

### Related issues

_No response_

### Are you willing to submit a PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
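
The behaviour the issue asks for, sketched as an added example (not part of the issue and not the Airflow provider's code): a hypothetical helper `build_token_request` builds the token POST fields from connection extras, adds `scope` only for `client_credentials`, and validates it against the RFC 6749 scope-token grammar before it is sent. The `oauth_scope` extra name follows the issue's suggestion; the `grant_type` extra key, the helper names and the sample scope value are assumptions.

```python
import re
from urllib.parse import urlencode

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# i.e. printable ASCII without space, double quote or backslash.
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def build_token_request(extras: dict) -> dict:
    """Return the form fields for the token POST (hypothetical helper)."""
    grant_type = extras["grant_type"]  # assumed extra key
    data = {"grant_type": grant_type}
    if grant_type != "client_credentials":
        # Assumption: the scope extra only applies to client_credentials,
        # so every other grant type keeps its existing request body.
        return data

    # Empty, missing or whitespace-only extra: no scope field at all,
    # which preserves the current request exactly.
    scope = (extras.get("oauth_scope") or "").strip()
    if not scope:
        return data

    tokens = scope.split()
    bad = [t for t in tokens if not _SCOPE_TOKEN.fullmatch(t)]
    if bad:
        # Fail before contacting the IdP instead of sending a malformed scope.
        raise ValueError(f"invalid OAuth scope token(s): {bad!r}")
    data["scope"] = " ".join(tokens)  # scopes are space-delimited
    return data


def encode_body(data: dict) -> str:
    """Form-encode the fields as application/x-www-form-urlencoded."""
    return urlencode(data)


if __name__ == "__main__":
    # Constructed sample extras, not taken from a real connection.
    sample = {"grant_type": "client_credentials",
              "oauth_scope": "session:role:ANALYST"}
    print(encode_body(build_token_request(sample)))
```

The client ID and secret are deliberately not part of the form fields here; how they are sent (for example HTTP Basic authentication) is outside what this example shows.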
