Vishalup29 opened a new pull request, #58863:
URL: https://github.com/apache/airflow/pull/58863
## Description
This PR adds support for passing an optional OAuth `scope` parameter when
using the
`client_credentials` grant type in `SnowflakeHook.get_oauth_token`.
Many identity providers (Okta, Auth0, Azure AD, corporate IdPs) require or
recommend including a scope
in client-credential OAuth exchanges. Currently, Airflow cannot send a scope
value, forcing users to
apply custom patches or weaken their IdP requirements.
This PR introduces an optional extra field on the Snowflake connection:
extra: {"oauth_scope": "your-scope-value"}
less
Copy code
When present and the `grant_type` is `client_credentials`, the hook will
send:
scope=<value>
markdown
Copy code
in the POST body to the token endpoint.
If no scope is provided, the existing behavior is unchanged.
## Tests
This PR updates the OAuth unit tests to validate:
- Scope is not included for refresh token grant (existing behavior unchanged)
- Scope *is* included when:
- `grant_type=client_credentials`
- `oauth_scope` is provided
- Scope is omitted when the field is empty or not provided
- Existing OAuth tests continue to pass untouched
## Cross-provider compatibility
This matches patterns already used in Azure OAuth (`azure_oauth_scope`).
## Related Issue
Closes #58815
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
