SNOW-2466332: Do not require user when using OAuth flow (#2606)

sfc-gh-jwilkowski · web-flow · commit db2a10fa886b · 2025-10-29T14:39:38.000+01:00
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -13,6 +13,7 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
   - Fix compilation error when building from sources with libc++.
   - Pin lower versions of dependencies to oldest version without vulnerabilities.
   - Added no_proxy parameter for proxy configuration without using environmental variables.
+  - Added OAUTH_AUTHORIZATION_CODE and OAUTH_CLIENT_CREDENTIALS to list of authenticators that don't require user to be set
 
 - v4.0.0(October 09,2025)
   - Added support for checking certificates revocation using revocation lists (CRLs)
diff --git a/src/snowflake/connector/connection.py b/src/snowflake/connector/connection.py
@@ -1694,6 +1694,8 @@ def __config(self, **kwargs):
             WORKLOAD_IDENTITY_AUTHENTICATOR,
             PROGRAMMATIC_ACCESS_TOKEN,
             PAT_WITH_EXTERNAL_SESSION,
+            OAUTH_AUTHORIZATION_CODE,
+            OAUTH_CLIENT_CREDENTIALS,
         }
 
         if not (self._master_token and self._session_token):
diff --git a/test/unit/test_auth_oauth_auth_code.py b/test/unit/test_auth_oauth_auth_code.py
@@ -285,3 +285,46 @@ def mock_request_tokens(self, **kwargs):
     assert isinstance(conn.auth_class, AuthByOauthCode)
 
     conn.close()
+
+
+@pytest.mark.skipolddriver
+def test_oauth_authorization_code_allows_empty_user(monkeypatch, omit_oauth_urls_check):
+    """Test that OAUTH_AUTHORIZATION_CODE authenticator allows connection without user parameter."""
+    import snowflake.connector
+
+    def mock_post_request(self, url, headers, json_body, **kwargs):
+        return {
+            "success": True,
+            "message": None,
+            "data": {
+                "token": "TOKEN",
+                "masterToken": "MASTER_TOKEN",
+                "idToken": None,
+                "parameters": [{"name": "SERVICE_NAME", "value": "FAKE_SERVICE_NAME"}],
+            },
+        }
+
+    monkeypatch.setattr(
+        snowflake.connector.network.SnowflakeRestful, "_post_request", mock_post_request
+    )
+
+    # Mock the OAuth authorization flow to avoid opening browser and starting HTTP server
+    def mock_request_tokens(self, **kwargs):
+        # Simulate successful token retrieval
+        return ("mock_access_token", "mock_refresh_token")
+
+    monkeypatch.setattr(AuthByOauthCode, "_request_tokens", mock_request_tokens)
+
+    # Test connection without user parameter - should succeed
+    conn = snowflake.connector.connect(
+        account="testaccount",
+        authenticator="OAUTH_AUTHORIZATION_CODE",
+        oauth_client_id="test_client_id",
+        oauth_client_secret="test_client_secret",
+    )
+
+    # Verify that the connection was successful
+    assert conn is not None
+    assert isinstance(conn.auth_class, AuthByOauthCode)
+
+    conn.close()
diff --git a/test/unit/test_auth_oauth_credentials.py b/test/unit/test_auth_oauth_credentials.py
@@ -137,6 +137,53 @@ def mock_get_request_token_response(self, connection, fields):
     conn.close()
 
 
+@pytest.mark.skipolddriver
+def test_oauth_client_credentials_allows_empty_user(monkeypatch):
+    """Test that OAUTH_CLIENT_CREDENTIALS authenticator allows connection without user parameter."""
+    import snowflake.connector
+
+    def mock_post_request(request, url, headers, json_body, **kwargs):
+        return {
+            "success": True,
+            "message": None,
+            "data": {
+                "token": "TOKEN",
+                "masterToken": "MASTER_TOKEN",
+                "idToken": None,
+                "parameters": [{"name": "SERVICE_NAME", "value": "FAKE_SERVICE_NAME"}],
+            },
+        }
+
+    monkeypatch.setattr(
+        "snowflake.connector.network.SnowflakeRestful._post_request",
+        mock_post_request,
+    )
+
+    # Mock the OAuth client credentials token request to avoid making HTTP requests
+    def mock_get_request_token_response(self, connection, fields):
+        return ("mocked_token_response", None)
+
+    monkeypatch.setattr(
+        AuthByOauthCredentials,
+        "_get_request_token_response",
+        mock_get_request_token_response,
+    )
+
+    # Test connection without user parameter - should succeed
+    conn = snowflake.connector.connect(
+        account="testaccount",
+        authenticator="OAUTH_CLIENT_CREDENTIALS",
+        oauth_client_id="test_client_id",
+        oauth_client_secret="test_client_secret",
+    )
+
+    # Verify that the connection was successful
+    assert conn is not None
+    assert isinstance(conn.auth_class, AuthByOauthCredentials)
+
+    conn.close()
+
+
 def test_oauth_credentials_missing_client_id_raises_error():
     """Test that missing client_id raises a ProgrammingError."""
     with pytest.raises(ProgrammingError) as excinfo:

Original file line number	Diff line number	Diff line change
`@@ -1694,6 +1694,8 @@ def __config(self, **kwargs):`
`1694`	`1694`	`WORKLOAD_IDENTITY_AUTHENTICATOR,`
`1695`	`1695`	`PROGRAMMATIC_ACCESS_TOKEN,`
`1696`	`1696`	`PAT_WITH_EXTERNAL_SESSION,`
	`1697`	`+ OAUTH_AUTHORIZATION_CODE,`
	`1698`	`+ OAUTH_CLIENT_CREDENTIALS,`
`1697`	`1699`	`}`
`1698`	`1700`
`1699`	`1701`	`if not (self._master_token and self._session_token):`