SNOW-2112179 token caching is disabled for Client Credentials OAuth flow (#2417)

sfc-gh-mmishchenko · web-flow · commit dee074cc0ecd · 2025-07-22T18:04:03.000+02:00
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -9,6 +9,7 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
 # Release Notes
 - v3.16.1(TBD)
   - Added in-band OCSP exception telemetry.
+  - Disabled token caching for OAuth Client Credentials authentication
   - Added in-band HTTP exception telemetry.
   - Fixed a bug where timezoned timestamps fetched as pandas.DataFrame or pyarrow.Table would overflow for the sake of unnecessary precision. In the case where an overflow cannot be prevented a clear error will be raised now.
 
diff --git a/src/snowflake/connector/auth/oauth_credentials.py b/src/snowflake/connector/auth/oauth_credentials.py
@@ -8,7 +8,6 @@
 from typing import TYPE_CHECKING, Any
 
 from ..constants import OAUTH_TYPE_CLIENT_CREDENTIALS
-from ..token_cache import TokenCache
 from ._oauth_base import AuthByOAuthBase
 
 if TYPE_CHECKING:
@@ -27,8 +26,6 @@ def __init__(
         client_secret: str,
         token_request_url: str,
         scope: str,
-        token_cache: TokenCache | None = None,
-        refresh_token_enabled: bool = False,
         connection: SnowflakeConnection | None = None,
         **kwargs,
     ) -> None:
@@ -38,8 +35,8 @@ def __init__(
             client_secret=client_secret,
             token_request_url=token_request_url,
             scope=scope,
-            token_cache=token_cache,
-            refresh_token_enabled=refresh_token_enabled,
+            token_cache=None,
+            refresh_token_enabled=False,
             **kwargs,
         )
         self._application = application
diff --git a/src/snowflake/connector/connection.py b/src/snowflake/connector/connection.py
@@ -1264,12 +1264,6 @@ def __open_connection(self):
                         host=self.host, port=self.port
                     ),
                     scope=self._oauth_scope,
-                    token_cache=(
-                        auth.get_token_cache()
-                        if self._client_store_temporary_credential
-                        else None
-                    ),
-                    refresh_token_enabled=self._oauth_enable_refresh_tokens,
                     connection=self,
                 )
             elif self._authenticator == USR_PWD_MFA_AUTHENTICATOR:
diff --git a/test/unit/test_oauth_token.py b/test/unit/test_oauth_token.py
@@ -560,6 +560,7 @@ def test_client_creds_successful_flow(
     wiremock_oauth_client_creds_dir,
     wiremock_generic_mappings_dir,
     monkeypatch,
+    temp_cache,
 ) -> None:
     wiremock_client.import_mapping(
         wiremock_oauth_client_creds_dir / "successful_flow.json"
@@ -570,6 +571,15 @@ def test_client_creds_successful_flow(
     wiremock_client.add_mapping(
         wiremock_generic_mappings_dir / "snowflake_disconnect_successful.json"
     )
+    user = "testUser"
+    access_token_key = TokenKey(
+        user, wiremock_client.wiremock_host, TokenType.OAUTH_ACCESS_TOKEN
+    )
+    refresh_token_key = TokenKey(
+        user, wiremock_client.wiremock_host, TokenType.OAUTH_REFRESH_TOKEN
+    )
+    temp_cache.store(access_token_key, "unused-access-token-123")
+    temp_cache.store(refresh_token_key, "unused-refresh-token-123")
     with mock.patch("secrets.token_urlsafe", return_value="abc123"):
         cnx = snowflake.connector.connect(
             user="testUser",
@@ -582,10 +592,17 @@ def test_client_creds_successful_flow(
             oauth_token_request_url=f"http://{wiremock_client.wiremock_host}:{wiremock_client.wiremock_http_port}/oauth/token-request",
             host=wiremock_client.wiremock_host,
             port=wiremock_client.wiremock_http_port,
+            oauth_enable_refresh_tokens=True,
+            client_store_temporary_credential=True,
         )
 
         assert cnx, "invalid cnx"
         cnx.close()
+    # cached tokens are expected not to change since Client Credenials must not use token cache
+    cached_access_token = temp_cache.retrieve(access_token_key)
+    cached_refresh_token = temp_cache.retrieve(refresh_token_key)
+    assert cached_access_token == "unused-access-token-123"
+    assert cached_refresh_token == "unused-refresh-token-123"
 
 
 @pytest.mark.skipolddriver
@@ -626,58 +643,6 @@ def test_client_creds_token_request_error(
         )
 
 
-@pytest.mark.skipolddriver
-def test_client_creds_successful_refresh_token_flow(
-    wiremock_client: WiremockClient,
-    wiremock_oauth_refresh_token_dir,
-    wiremock_generic_mappings_dir,
-    monkeypatch,
-    temp_cache,
-) -> None:
-    wiremock_client.import_mapping(
-        wiremock_generic_mappings_dir / "snowflake_login_failed.json"
-    )
-    wiremock_client.add_mapping(
-        wiremock_oauth_refresh_token_dir / "refresh_successful.json"
-    )
-    wiremock_client.add_mapping(
-        wiremock_generic_mappings_dir / "snowflake_login_successful.json"
-    )
-    wiremock_client.add_mapping(
-        wiremock_generic_mappings_dir / "snowflake_disconnect_successful.json"
-    )
-    user = "testUser"
-    access_token_key = TokenKey(
-        user, wiremock_client.wiremock_host, TokenType.OAUTH_ACCESS_TOKEN
-    )
-    refresh_token_key = TokenKey(
-        user, wiremock_client.wiremock_host, TokenType.OAUTH_REFRESH_TOKEN
-    )
-    temp_cache.store(access_token_key, "expired-access-token-123")
-    temp_cache.store(refresh_token_key, "refresh-token-123")
-    cnx = snowflake.connector.connect(
-        user=user,
-        authenticator="OAUTH_CLIENT_CREDENTIALS",
-        oauth_client_id="123",
-        account="testAccount",
-        protocol="http",
-        role="ANALYST",
-        oauth_client_secret="testClientSecret",
-        oauth_token_request_url=f"http://{wiremock_client.wiremock_host}:{wiremock_client.wiremock_http_port}/oauth/token-request",
-        host=wiremock_client.wiremock_host,
-        port=wiremock_client.wiremock_http_port,
-        oauth_enable_refresh_tokens=True,
-        client_store_temporary_credential=True,
-    )
-    assert cnx, "invalid cnx"
-    cnx.close()
-
-    new_access_token = temp_cache.retrieve(access_token_key)
-    new_refresh_token = temp_cache.retrieve(refresh_token_key)
-    assert new_access_token == "access-token-123"
-    assert new_refresh_token == "refresh-token-123"
-
-
 @pytest.mark.skipolddriver
 def test_client_creds_expired_refresh_token_flow(
     wiremock_client: WiremockClient,
@@ -729,8 +694,8 @@ def test_client_creds_expired_refresh_token_flow(
     )
     assert cnx, "invalid cnx"
     cnx.close()
-
-    new_access_token = temp_cache.retrieve(access_token_key)
-    new_refresh_token = temp_cache.retrieve(refresh_token_key)
-    assert new_access_token == "access-token-123"
-    assert new_refresh_token == "refresh-token-123"
+    # the cache state is expected not to change, since Client Credentials must not use token caching
+    cached_access_token = temp_cache.retrieve(access_token_key)
+    cached_refresh_token = temp_cache.retrieve(refresh_token_key)
+    assert cached_access_token == "expired-access-token-123"
+    assert cached_refresh_token == "expired-refresh-token-123"
