Skip to main content
For authenticating Snowflake users with Okta, see Snowflake + Okta External OAuth.

Requirements

To follow the steps in this guide, you’ll need:
  • In Omni:
  • A Snowflake service account with access to all schemas and tables you want to use in Omni. This is required even when OAuth is enabled, because Omni uses the service account to build the model.
Before continuing, review the OAuth limitations.

Setup

1

Create a Snowflake OAuth integration

Create an OAuth integration in Snowflake using https://callbacks.omniapp.co/callback/oauth as the OAUTH_REDIRECT_URI, then retrieve the Client ID and Client Secret. Refer to Snowflake’s OAuth documentation for instructions.
Vanity-domain embed users: If you’re using OAuth with vanity-domain embeds, you’ll also need to register your vanity domain’s OAuth callback URL. Run the following command in Snowflake to add the vanity callback URL to your existing OAuth integration:
ALTER SECURITY INTEGRATION <your-integration-name>
  SET OAUTH_REDIRECT_URI = 'https://callbacks.omniapp.co/callback/oauth,https://<your-vanity-domain>/oauth/callback';
Replace <your-integration-name> with your integration’s name and <your-vanity-domain> with your vanity domain (e.g., omni.myapp.com).
2

Configure the connection in Omni

You must still configure a service account on this connection. Omni uses the service account to build the model, which provides the foundation for all user queries.
This guide assumes you have an existing Snowflake connection in Omni. If you don’t, refer to Connecting a Snowflake database for more information.
  1. In Omni, navigate to Settings > Connections and click on the Snowflake connection you want to use.
  2. Fill in the fields as follows:
    • Authentication Type - Select OAuth User Authentication
    • OAuth Client ID - Enter the Client ID from the previous step
    • OAuth Client Secret - Enter the Client secret from the previous step
    • Warehouse - Optional: Leave blank to use each user’s DEFAULT_WAREHOUSE from Snowflake. This enables per-user warehouse routing for organizations using role-to-warehouse mappings in Snowflake for cost attribution. Users must have an assigned default warehouse to use this feature. Otherwise, users without a default warehouse will receive a No active warehouse error when they attempt to run queries in Omni.
  3. Save the connection settings.
3

Verify the user experience

After saving, each Omni user will be prompted to authenticate with Snowflake the first time they run a query in a workbook or dashboard. This prompt reappears when their OAuth token expires.Once authenticated, Omni uses the user’s database permissions in place of the service account for all queries that user runs.
Running into issues? See the Troubleshooting Snowflake OAuth for help with diagnosing and resolving common Snowflake OAuth problems.

Next steps

To ensure database permissions align with what users see in Omni, we recommend implementing:
  • Access grants to control which fields and tables are visible to each user in the model and field browser
  • Content permissions to control which dashboards and documents users can access