Description
What is the current behavior?
I'm an engineer on a data science team and I build tools to help them with common things like connecting to Snowflake. So that their development environments can match production inference environments, we have them running Jupyter Lab within a Docker container - including snowflake-connector-python.
The preferred method of having my team establish connections to Snowflake is with the authentication="externalbrowser" auth type:
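```python
import getpass

import snowflake.connector

# SSO login through the user's browser; the connector waits for the
# token on a local port it chooses itself.
connection = snowflake.connector.connect(
    account="org-id.us-west-2",
    user=getpass.getuser() + '@my-org.com',
    role='MY_ROLE',
    warehouse="M_WH",
    authenticator='externalbrowser',
)
```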
This nicely renders a link that the user clicks, it pops open a browser window, then Snowflake recognizes the user is logged in with SSO (Okta is our IdP in our case), and either Snowflake (or Okta) responds back with a token to the URL localhost:port?token=XXX.
The problem I'm having is that since we're doing this all in Docker, the token is sent to my host's localhost, not the true localhost running the process doing the Snowflake authentication, which causes an error ("localhost refused to connect."). The port that the token is sent to is completely random (anything between 30000 - 60000 from a handful of attempts), so I can't establish port forwarding. You can use a port range, but using such a large port range causes lots of problems (incl. port conflicts between other important ports) and it otherwise causes Docker to crash. I'm not on a Linux host, so I can't use Docker's --network host flag either.
This might not even be something the Snowflake connector controls, it might be something configured on the IdP's side. I thought it was worth a shot, because I figured the Snowflake connector itself must be aware of the port that it should listen for the token on. It'd be great to be able to provide the port to send the SSO token back on so that users can port forward and receive the token - this would allow users to use externalbrowser auth from Docker.
What is the desired behavior?
It'd be great to be able to provide the port to send the SSO token back on so that users can port forward and receive the token, like this:
```python
import getpass

import snowflake.connector

connection = snowflake.connector.connect(
    account="org-id.us-west-2",
    user=getpass.getuser() + '@my-org.com',
    role='MY_ROLE',
    warehouse="M_WH",
    authenticator='externalbrowser',
    sso_port=45000,  # proposing this arg
)
```
How would this improve snowflake-connector-python?
This would allow users to use externalbrowser auth from Docker.
References and other background
No response
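The callback mechanism this issue describes, as an added example (not code from snowflake-connector-python or from the issue author): a one-shot loopback listener that takes the `token` query parameter from the browser redirect, showing why a fixed port can be published from a container while port 0 (random) cannot. The function names, the 45000 port and the bind addresses are assumptions made for illustration.

```python
import socket
from urllib.parse import parse_qs, urlsplit

def open_listener(port, bind_addr="127.0.0.1"):
    """Bind the callback socket. port=0 gives the random-port behaviour from
    the issue; a fixed port is one Docker can publish ahead of time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, port))
    sock.listen(1)
    return sock

def parse_token(request_bytes):
    """Return the single ?token= value from an HTTP GET request line, else None."""
    try:
        line = request_bytes.split(b"\r\n", 1)[0].decode("ascii")
        method, target, _version = line.split(" ")
    except ValueError:  # malformed line or non-ASCII bytes
        return None
    if method != "GET":
        return None
    values = parse_qs(urlsplit(target).query).get("token", [])
    return values[0] if len(values) == 1 else None

def wait_for_token(sock, timeout=120.0):
    """Serve callbacks until one carries a token; each accept waits up to timeout."""
    sock.settimeout(timeout)
    while True:
        conn, _peer = sock.accept()
        with conn:
            conn.settimeout(5.0)
            try:
                data = conn.recv(16384)  # request line arrives in the first read
            except OSError:
                continue
            token = parse_token(data)
            status = b"200 OK" if token else b"400 Bad Request"
            conn.sendall(b"HTTP/1.1 " + status +
                         b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
            if token:
                return token

if __name__ == "__main__":
    # In a container, bind 0.0.0.0 so the published port reaches the listener, and
    # publish on the host's loopback only: docker run -p 127.0.0.1:45000:45000 ...
    listener = open_listener(45000, bind_addr="0.0.0.0")
    print("token received:", bool(wait_for_token(listener)))
```

Publishing the port as `127.0.0.1:45000:45000` rather than `45000:45000` keeps the token callback off the host's other network interfaces.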