How to Authenticate with Snowflake OAuth (Custom Client) in FME

Desiree Marsden

Introduction

This guide walks you through setting up Snowflake OAuth for custom clients, where Snowflake acts as your OAuth authorization server, and FME securely connects as the OAuth client using the Authorization Code Grant Flow.

This authentication method is ideal when you want Snowflake itself to manage OAuth authentication, rather than using an external identity provider. It provides secure, token-based access to your Snowflake resources without requiring users to manage passwords directly in FME.

 

Before You Begin

This guide assumes you're comfortable with basic OAuth 2.0 concepts (Client ID, Client Secret, Redirect URI) and can navigate both FME and Snowflake interfaces. If you need a refresher on OAuth fundamentals, review the resources in the Additional Resources section at the end of this article.

Also, review Snowflake's OAuth documentation, particularly documentation for Configuring Snowflake OAuth for custom clients, and consider your organization's security policies before proceeding. Providing security recommendations is highly dependent on your enterprise/business needs and is therefore out of scope for this article.

 

Security Note

A quick note on security. This authentication method requires that the client secret be sent with the OAuth request, so it is worth noting that:

  • FME Flow is a Confidential/Private client, meaning it can securely store client secrets on the server
  • FME Form is considered a Native/Public client, though sensitive information from web services remains encrypted

If you’re curious about FME’s posture on security and current certifications, please see our Security page. 

 

Redirect Strategy and External Browser Authentication

FME Form 2025.2+ introduces external browser authentication, offering three redirect strategies:

  • Proxy Redirect (Safe Software): Uses a Safe-hosted redirect page: https://fmeauth.safe.com/v1/oauth2
  • Loopback Interface: Uses http://localhost to “point back” to your own machine 
    • Not guaranteed to work for every OAuth Service; in this case, Snowflake doesn’t support localhost redirect URIs, although it does support Loopback with other redirect URIs
  • Embedded Browser: Set for deprecation in future FME releases 
    • Please use one of the above options instead

This article uses Proxy Redirect, which is the recommended alternative if FME’s current Loopback Interface implementation does not work with your Authorization Server, as is the case with Snowflake.

Note: For more information on the redirect strategies and the external browser, please see the article: External Browser Authentication in FME Form.

 

Requirements

  • FME 2025.2+
  • System default browser (Chrome, Edge, Firefox on Windows/Linux; Safari on macOS) - if using external browser authentication
  • FME Knowledge
    • Basic understanding of FME connections and parameters
  • Snowflake Knowledge
    • Worksheets, running SQL commands, and navigating Snowflake Site
    • Understanding of Snowflake roles and permissions
    • ACCOUNTADMIN role access (or equivalent permissions to create Security Integrations)
  • OAuth 2.0 Fundamentals
    • Understanding of Client ID, Client Secret, and Redirect URI concepts
    • Basic familiarity with authorization flows

Resources are available below covering a few of the requirements if you need a reminder on key concepts, including Web Connections in FME and Snowflake Basics.

 

Step-by-Step Instructions

This guide provides a practical, end-to-end example of setting up Snowflake OAuth authentication in FME. Here's what you'll accomplish:

  1. Create a custom OAuth client in Snowflake - Configure the security integration that FME will use
  2. Test the connection in FME Form - Verify your setup works with external browser authentication
  3. Upload a connection to FME Flow - Transfer your database and web connection configurations, assuming you created a security integration for your Flow instance
  4. Update the redirect URI - Change your redirect URI to FME Flow's callback URL
  5. Verify in FME Flow - Authenticate, then confirm everything works in your Flow environment

The exact steps and configuration may vary from this example depending on your business requirements and security policies.

 

Part 1: Create Snowflake OAuth Security Integration

In this section, you'll create the Snowflake OAuth security integration that allows FME to act as a custom OAuth client. This is where you'll configure which roles FME users can access and how authentication will work.

The steps are outlined in more detail in Snowflake's documentation: CREATE SECURITY INTEGRATION (Snowflake OAuth) 

 

1. Connect to Snowflake and Create the Security Integration

In Snowflake, from the top left of the page, create a new SQL Worksheet:

  •  “+” →  Create 

This opens a Snowflake worksheet where you can execute SQL commands to create a Security Integration. Here's an example command to create the security integration:

CREATE SECURITY INTEGRATION 
  FME_OAUTH_INTEGRATION
  TYPE = OAUTH
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'PUBLIC'
  OAUTH_REDIRECT_URI = 'https://fmeauth.safe.com/v1/oauth2'
  ENABLED = TRUE
  PRE_AUTHORIZED_ROLES_LIST = ('DATA_ANALYST', 'DATA_ENGINEER')  
  COMMENT = 'FME OAuth integration with Proxy Redirect';


Some key parameters in this example include:

  • FME_OAUTH_INTEGRATION: A unique name for your security integration (you can change this to any other descriptive name)
  • TYPE = OAUTH: Required parameter that tells Snowflake this integration uses OAuth authentication
  • OAUTH_CLIENT = CUSTOM: Required parameter to allow FME to connect as a custom OAuth client
  • OAUTH_CLIENT_TYPE = 'PUBLIC': The type of OAuth Client
    • For FME Form, keep this as 'PUBLIC'
    • Change this to ‘CONFIDENTIAL’ in FME Flow deployments where secrets can be securely stored server-side
  • OAUTH_REDIRECT_URI: Must exactly match what FME sends during authentication
    • For Proxy Redirect in Form: https://fmeauth.safe.com/v1/oauth2
    • For FME Flow: You'll update this later to your Flow-specific URL: https://<your-fme-flow-url>/fmeoauth
  • PRE_AUTHORIZED_ROLES_LIST: Defines which Snowflake roles users can access through this integration

For complete parameter documentation, see Snowflake’s guide: CREATE SECURITY INTEGRATION (Snowflake OAuth).

 

2. Retrieve OAuth Client Credentials

After creating the security integration, you need to retrieve the Custom Client details, like the Client ID that Snowflake generated. In a new worksheet, execute:

DESC SECURITY INTEGRATION FME_OAUTH_INTEGRATION;

Replace FME_OAUTH_INTEGRATION with your security integration name if necessary.

In the results, take note of the values of:

  • OAUTH_CLIENT_ID - This is the Client ID that you'll use in FME
  • Your Snowflake Account URL - This is often in the form: https://<your-company>.snowflakecomputing.com
    • The account URL is everything before /oauth/authorize in the value of OAUTH_AUTHORIZATION_ENDPOINT.

You’ll also be able to confirm your Redirect URI under the property OAUTH_REDIRECT_URI.

 

3. Retrieve the Client Secret

Next, retrieve the Client Secret by executing:

SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('FME_OAUTH_INTEGRATION');

Replace FME_OAUTH_INTEGRATION with your security integration name.

You’ll receive two Client Secrets by default. Either value should work with FME. For this example, copy the value saved between the quotation marks for OAUTH_CLIENT_SECRET.

A second Client Secret is provided by Snowflake to allow for easy secret rotation. For more information, review Snowflake’s Control documentation.

Be sure to store this Client Secret securely. You'll need it to configure FME, and you won't be able to retrieve it again through the Snowflake UI (though you can regenerate a new one if needed).

At this point, you should have collected:

  • Client ID: The unique identifier from the DESC command
  • Client Secret: The confidential string from the SHOW_OAUTH_CLIENT_SECRETS command
  • Snowflake Account URL: Your account URL in the format https://<your-company>.snowflakecomputing.com
  • Redirect URI: Will be set automatically in FME based on your chosen redirect strategy

You're now ready to move on to Part 2 to configure the web service in FME Form.

 

Part 2: Configure Snowflake OAuth in FME Form

In this section, you'll create a web service in FME Form that stores your OAuth configuration, then create a database connection that uses this web service for authentication. 

If you need a deeper understanding of web services and web connections in FME, review the article: Creating an OAuth 2.0 Web Service and Connection in FME.

1. Open FME Workbench and Navigate to Manage Services

In FME Workbench, navigate to:

  • Utilities → FME Options → Web Connections → Manage Services…

This opens the Manage Web Services dialog, where you can configure OAuth services.

 

2. Add a Web Connection to Snowflake 

  • In the Manage Web Services dialog, click the "+" symbol → Create From → Snowflake OAuth

 

This creates a child (copy) web service based on the Snowflake OAuth template. Give your web service a descriptive name that reflects your specific integration, for example: SNOWFLAKE_FME_OAUTH_INTEGRATION

Use a naming convention that helps you identify this service later, especially if you'll have multiple Snowflake connections.

 

3. Configure the OAuth Web Service Parameters

Now you'll fill in the OAuth web service configuration using the credentials you retrieved from Snowflake. Parameters marked with a red asterisk are required. Here's how to configure each section:

  • Client Information
    • Client ID: Paste the Client ID from your Snowflake DESC SECURITY INTEGRATION command (Part 1, Step 2)
    • Client Secret: Paste the Client Secret from the SYSTEM$SHOW_OAUTH_CLIENT_SECRETS command (Part 1, Step 3)
    • Redirect Strategy: Select Proxy Redirect (recommended)
      • The Redirect URI field will automatically populate with https://fmeauth.safe.com/v1/oauth2
  • Authorization Parameters
    • URL: Enter your Snowflake Account URL: https://<your-company>.snowflakecomputing.com
      • This is the base URL you noted from the OAUTH_AUTHORIZATION_ENDPOINT in Part 1, Step 2
  • Retrieve Token Parameters
    • URL: Enter the same Snowflake Account URL: https://<your-company>.snowflakecomputing.com
  • Refresh Token Parameters
    • URL: Enter the same Snowflake Account URL: https://<your-company>.snowflakecomputing.com

All three URL fields (Authorization, Retrieve Token, and Refresh Token) should contain your Snowflake Account URL. Note, however, that FME automatically appends the appropriate URL to the Refresh Token Parameters.

 

4. Test the Connection

Before saving, verify your configuration works by clicking Test at the bottom of the web service configuration dialog.

Your system's default browser will then open to Snowflake's authentication page. This happens outside of FME when using Proxy Redirect or Loopback strategies.

 

Complete the authentication flow:

  1. Log in with your Snowflake credentials
  2. If MFA is enabled for your account, complete the MFA challenge
  3. If prompted, consent to the requested role access

 

Once authentication succeeds in your browser, a pop-up will appear. Click Open FME Auth. You should see a confirmation message: "User authorized for… web service"

If the test succeeds, click OK.
 

5. Add a Snowflake Database Connection

Now that your web service is configured, you'll create a database connection that uses this OAuth web service for authentication.

After saving and closing the Manage Web Services dialog, stay in the FME Options window and navigate to:

  • Database Connections → "+" → Add

In the Add Database Connection dialog, select Snowflake from the list of available database formats.

 

6. Link the Database Connection to Your OAuth Web Service

In the Add Database Connection dialog, configure the authentication.

  • Authentication Parameters
    • Authentication: Select OAuth Connection from the dropdown
    • OAuth Connection: Click Add Web Connection

This opens the Add Web Connection dialog. 

 

In the Add Web Connection dialog, configure it as follows:

  • Web Service: Select your newly created Snowflake OAuth web service
    • Example: SNOWFLAKE_FME_OAUTH_INTEGRATION
  • Connection Name: Give this web connection a descriptive name
    • Example: ANALYST_ROLE_SNOWFLAKE_OAUTH
    • This name should reflect the role or purpose of this specific connection

Click OK to save the web connection.

 

FME will prompt you to authenticate this web connection, similar to when you tested the web service. Your browser will open, and you'll complete the Snowflake authentication flow again.
 

7. Complete the Database Connection Configuration

After authenticating the web connection, you'll return to the Add Database Connection dialog. Complete the remaining Snowflake-specific parameters. Required parameters are marked with a red asterisk:

  • Name: A descriptive name for this database connection (e.g., Snowflake_Production_OAuth)
  • Account Name: Your Snowflake account identifier (e.g., orgname-account123)
  • Warehouse: The Snowflake virtual warehouse you want to use (e.g., COMPUTE_WH)
  • Database: The database containing your target schema (e.g., PRODUCTION_DB)
  • Schema: The schema containing your database resources (e.g., PUBLIC)
  • Role: A role assigned to your user and listed in your integration's PRE_AUTHORIZED_ROLES_LIST (e.g., DATA_ANALYST)

These parameters are case-sensitive and whitespace-sensitive. Ensure they match your Snowflake configuration exactly.

Click Test to verify the full connection works. If successful, you'll see a confirmation message. You can now click OK to save this database connection.

 

You now have a working Snowflake OAuth database connection in FME Form. You can use this connection in your workspaces to read from or write to Snowflake. 

If you're using FME Flow, continue to Part 3 to configure this connection for your Flow environment.

 

Part 3: Upload and Configure for FME Flow

In this section, you'll:

  1. Upload your database connection and web service to FME Flow 
  2. Update the connections in FME Flow to point to the relevant security integration information 
  3. Authenticate the Services and validate that they are configured correctly

If you have not already created a security integration in Snowflake for FME Flow, please follow the steps in Part 1. Snowflake doesn’t allow multiple redirect URIs on one integration, so if you intend to use this connection in both Form and Flow, you may want to consider creating a separate security integration for each.

Alternatively, you can test in Form and then change the redirect URI in Snowflake to a Flow-specific URI. In Snowflake, this is done with the Alter Integration command.

As a reminder, when creating the FME Flow security integration in Snowflake, set the parameters:

  • OAUTH_CLIENT_TYPE to 'CONFIDENTIAL' 
  • OAUTH_REDIRECT_URI to use your Flow instance URL

FME Flow uses a different redirect URI than FME Form. Flow needs to receive the OAuth callback at its own server URL, not through Safe Software's proxy or your local machine.
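
A sketch of the separate FME Flow integration described above, as an added example rather than a command from Safe Software or Snowflake. The integration name FME_FLOW_OAUTH_INTEGRATION is an assumption, <your-fme-flow-url> is a placeholder, and the role names are carried over from the Part 1 example.

```sql
-- Added example: a second integration dedicated to FME Flow, so the FME Form
-- integration from Part 1 keeps its Proxy Redirect URI unchanged.
-- FME_FLOW_OAUTH_INTEGRATION is a hypothetical name; replace
-- <your-fme-flow-url> with your Flow host before running.
CREATE SECURITY INTEGRATION
  FME_FLOW_OAUTH_INTEGRATION
  TYPE = OAUTH
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'        -- Flow stores the client secret server-side
  OAUTH_REDIRECT_URI = 'https://<your-fme-flow-url>/fmeoauth'
  ENABLED = TRUE
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE         -- allows token refresh without a new browser login
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000    -- value is in seconds (90 days)
  PRE_AUTHORIZED_ROLES_LIST = ('DATA_ANALYST', 'DATA_ENGINEER')
  COMMENT = 'FME Flow OAuth integration (confidential client)';

-- Confirm what Snowflake stored before copying values into FME Flow:
-- OAUTH_CLIENT_ID, OAUTH_REDIRECT_URI and OAUTH_AUTHORIZATION_ENDPOINT.
DESC SECURITY INTEGRATION FME_FLOW_OAUTH_INTEGRATION;

-- Each integration gets its own Client ID and Client Secrets, so the values
-- collected for the Form integration in Part 1 do not apply to this one.
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('FME_FLOW_OAUTH_INTEGRATION');
```

With a separate integration, the Client ID and Client Secret in the uploaded Flow web service must be replaced with the values returned here.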

 

1. Upload the Database Connection to FME Flow

In FME Workbench, navigate to:

  • FME Options → Database Connections 

Then right-click on your newly created Snowflake Database Connection and click Upload. This will open an Upload Connection dialog, where you either:

  1. Select the FME Flow instance you want to use, or
  2. Select Connect to FME Flow

 

When prompted, enter your FME Flow connection details (server URL, username, and password). 

Once complete, you'll see an Upload Successful confirmation dialog.

 

2. Upload the Web Connection to FME Flow

Next, upload the web service definition. Navigate to:

  • FME Options → Web Connections → Upload

This uploads your Snowflake OAuth web service configuration to Flow.

 

3. Configure the Web Service in FME Flow

Now you'll update the web service configuration in FME Flow's web interface to match the new redirect URI.

In your browser, log in to your FME Flow web interface and navigate to:

  • Connections & Parameters → Web Connections → Manage Web Services

 

On the Manage Web Services page, locate your uploaded Snowflake web service. It will have the category oauthv2. Click on it to open the configuration.

 

Update the redirect URI and verify credentials:

  • Redirect URI: Change this to https://<your-fme-flow-url>/fmeoauth
    • Replace <your-fme-flow-url> with your actual FME Flow URL
    • This should match exactly what you set in Snowflake when you created the security integration in Part 1
  • Client Information:
    • Client ID: Verify this matches your Snowflake security integration's Client ID
    • Client Secret: Verify this is correctly populated

Click Save to apply the changes.

 

4. Authorize the Web Connection

After first publishing the connection from Form to Flow, it’s important to re-authenticate in FME Flow to confirm that it is working. Navigate to:

  • Connections & Parameters → Web Connections

Find your Snowflake web connection in the list, select it, then click Authorize.

 

Your browser will redirect to Snowflake's login page. Log in with a Snowflake account that has appropriate role permissions and complete the OAuth process. You’ll then be redirected back to your FME Flow instance, where a green check at the end of your Web Connection name confirms that you have successfully re-authenticated to the web service.

 

5. Configure the Database Connection in FME Flow

Finally, verify that your database connection is configured correctly in Flow.

In the Connections & Parameters tab, navigate to Database Connections and select your uploaded Snowflake database connection.

 

Verify all configuration details:

  • Parameters: Confirm these match your Snowflake environment:
    • Account Name
    • Warehouse
    • Database
    • Schema
    • Role
  • Authentication Parameters:
    • Authentication: Should be set to OAuth Connection
    • OAuth Connection: Select your configured Snowflake OAuth web connection from the dropdown

Click Save to apply any changes.

 

Your Snowflake OAuth database connection is now configured and authenticated in FME Flow. This connection can be used in any published workspaces, scheduled jobs, or automations running on your FME Flow server.

 

6. Using the Connection and Re-authentication

It’s important to note that you may need to re-authenticate the connection in FME Flow after some time, as tokens expire. Because this OAuth flow uses the Authorization Code Grant, someone needs to complete the authentication flow to generate valid tokens again. 
 

Troubleshooting

Redirect URI Mismatch

Error: "There is a mismatch in the given redirect URI with the one in the registered OAuth client integration."

Solution:

  • Verify the redirect URI in Snowflake exactly matches what FME is sending
    • For FME Form with Proxy Redirect: Use https://fmeauth.safe.com/v1/oauth2
    • For FME Flow: Use https://<your-fme-flow-url>/fmeoauth
  • Check for trailing slashes, capitalization differences, or whitespace

 

Invalid Client Error

Error: "This is an invalid client."

Solution:

  • Verify Client ID is correct (check with DESC SECURITY INTEGRATION)
    • Check for trailing slashes, capitalization differences, or whitespace
  • Verify Client Secret is correct (retrieve with SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS())
    • Check for trailing slashes, capitalization differences, or whitespace
  • Ensure the integration is ENABLED (ENABLED = TRUE)
  • Confirm you're using the correct Snowflake account identifier in URLs

 

Role Access Denied

Error: User cannot access the specified role / Role not granted to user

Solution:

  • Verify the role is in PRE_AUTHORIZED_ROLES_LIST
  • Ensure the role is assigned to your Snowflake user
  • Check that role name casing matches exactly (roles are case-sensitive)
  • Verify the role has appropriate privileges for the requested operations. 
    • By default, Snowflake often blocks admin roles from authenticating this way for data security reasons. Be sure to authenticate with a non-admin role or make the necessary change to the security integration.

 

Token Expired

Error: Access token has expired

Solution:

  • FME should automatically refresh tokens using the refresh token, but if the refresh fails, users may need to re-authenticate
  • Consider increasing OAUTH_REFRESH_TOKEN_VALIDITY if tokens expire too quickly
  • Check that OAUTH_ISSUE_REFRESH_TOKENS = TRUE
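
The Snowflake-side checks from the Redirect URI Mismatch, Invalid Client, Role Access Denied and Token Expired entries above can be run together in one worksheet. This is an added example, not part of the original article: FME_OAUTH_INTEGRATION is the Part 1 name, <your-user> is a placeholder, and the expected URI shown is the Form Proxy Redirect value.

```sql
-- Added example: review the integration properties that the troubleshooting
-- entries refer to. DESC returns one row per property.
DESC SECURITY INTEGRATION FME_OAUTH_INTEGRATION;

-- Run immediately after the DESC above: RESULT_SCAN reads its output.
-- DESC column names are lowercase, so they must be double-quoted.
SELECT
  "property",
  "property_value",
  -- Exact, case-sensitive comparison: a trailing slash, stray whitespace or
  -- different capitalization makes this FALSE (Redirect URI Mismatch).
  IFF("property" = 'OAUTH_REDIRECT_URI',
      "property_value" = 'https://fmeauth.safe.com/v1/oauth2',
      NULL) AS redirect_uri_exact_match
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN (
  'ENABLED',                       -- Invalid Client: must be true
  'OAUTH_CLIENT_ID',               -- Invalid Client: compare with the value in FME
  'OAUTH_REDIRECT_URI',            -- Redirect URI Mismatch
  'OAUTH_AUTHORIZATION_ENDPOINT',  -- Invalid Client: confirms the account URL
  'PRE_AUTHORIZED_ROLES_LIST',     -- Role Access Denied
  'BLOCKED_ROLES_LIST',            -- Role Access Denied: roles barred from this integration
  'OAUTH_ISSUE_REFRESH_TOKENS',    -- Token Expired: must be true for refresh to work
  'OAUTH_REFRESH_TOKEN_VALIDITY'   -- Token Expired: lifetime in seconds
);

-- Role Access Denied: list the roles granted to the user who is authenticating.
SHOW GRANTS TO USER <your-user>;

-- If the registered redirect URI is wrong, correct it in place.
-- For FME Flow, use https://<your-fme-flow-url>/fmeoauth instead.
ALTER SECURITY INTEGRATION FME_OAUTH_INTEGRATION
  SET OAUTH_REDIRECT_URI = 'https://fmeauth.safe.com/v1/oauth2';
```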

 

Browser Not Opening (FME Form 2025.2+)

Error: The external browser doesn't open for authentication

Solution:

  • Verify the system default browser is set
  • Supported browsers: Chrome, Edge, Firefox (Windows/Linux), Safari (macOS)
  • Check that firewall settings aren't blocking the authentication URL
  • Try switching between Proxy Redirect and Loopback Interface strategies

 

Additional Resources


 
