Minimal bits to make Snowflake SPCS OIDC authentication work

costrouc · costrouc · commit 9a6bacfdf279 · 2025-10-23T23:36:03.000-04:00
This commit is mainly meant as an example to complement changes in how we will be performing authentication within the Snowflake Posit Team Native Application. When / if that PR of work for OIDC goes through this will serve as a good example of how it can be supported. I think this PR also highlights the importance of OIDC device flow authentication which is supported in PPM https://packagemanager.rstudio.com/__docs__/admin/appendix//cli/rspm_login_sso.html which would again eliminate the need for an api key. I REALLY like how this package uses the snow command to generate the jwt used for snowflake ingress as this means our Posit libraries don't have to re-implement the snowflake authentication. Going to put this PR in draft and will contribute more after I share this with our team tomorrow at Standup.
diff --git a/rsconnect/api.py b/rsconnect/api.py
@@ -246,6 +246,7 @@ class SPCSConnectServer(AbstractRemoteServer):
     def __init__(
         self,
         url: str,
+        api_key: str,
         snowflake_connection_name: Optional[str],
         insecure: bool = False,
         ca_data: Optional[str | bytes] = None,
@@ -256,7 +257,7 @@ def __init__(
         self.ca_data = ca_data
         # for compatibility with RSConnectClient
         self.cookie_jar = CookieJar()
-        self.api_key = None
+        self.api_key = api_key
         self.bootstrap_jwt = None
 
     def token_endpoint(self) -> str:
@@ -396,6 +397,7 @@ def __init__(self, server: Union[RSConnectServer, SPCSConnectServer], cookies: O
         if server.snowflake_connection_name and isinstance(server, SPCSConnectServer):
             token = server.exchange_token()
             self.snowflake_authorization(token)
+            self._headers["X-RSC-Authorization"] = server.api_key
 
     def _tweak_response(self, response: HTTPResponse) -> JsonData | HTTPResponse:
         return (
diff --git a/rsconnect/main.py b/rsconnect/main.py
@@ -584,7 +584,7 @@ def add(
 
         if server and ("snowflakecomputing.app" in server or snowflake_connection_name):
 
-            real_server_spcs = api.SPCSConnectServer(server, snowflake_connection_name)
+            real_server_spcs = api.SPCSConnectServer(server, api_key, snowflake_connection_name)
 
             _test_spcs_creds(real_server_spcs)
 
