Hi,
We are trying to connect to the Snowflake server from Apigee using a Snowflake OAuth token as the authorization method. Initially, when I tried to generate an OAuth token using the refresh token, I got a 400 Bad Request and the response below.
curl -X POST -H 'Authorization: *****' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=refresh_token&refresh_token=ver%3A2-hint%3A289403486519342-did%3A2001-ETMsDgAAAYSGNSIZABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwEAABAAEOngcYD4Aya%2By4t40rABNkAAAADwZj1fLCAyWbJhXxcNEgk0rP0IpMBdaNNGkYtaSatgYS0TCz9VZLlOr4G8EyY53emPJUXHdHEe%2Fy%2FUEQ14Nqb1KfJndzTo%2Ble%2BtuOZbAHMzv3CNnYResv5wlyaJitA3OdHu%2Bhxf64RLhHpNsGf2qoKN4mO1Dhvg%2F3s2yiusintortI8zEGZKzg4LH38W0g7qnVHZPOCi%2F7fk1KgdtEfHsk1gahpMjv%2Fs6%2F1PV1dj8Of9IHUzynjDIKYqyQa46qWGnqyJtu1aPllbfa5wG0p%2Ba1zeGf%2FpsMvtI09AZwOJAij%2F3HAXcAa%2FV%2Bs.....' 'https://tjx_sec.east-us-2.azure.snowflakecomputing.com/oauth/token-request'
I can only guess as to the reason.
One possibility is ... the Snowflake OAuth2 endpoint is refusing to refresh a token, when the request-for-refresh-token arrives from an IP address that does not match the IP address of the machine that originally requested the token. This would be a reasonable restriction for Snowflake to make, in order to prevent token "leakage".
I don't know anything about Snowflake but after I wrote the above (I swear!), I found this which may be related. It refers to an IP address restriction.
My suggestion is to ask your Snowflake administrator to tell you what the network policy is, and inquire if it is possible to modify the policy to allow different IP addresses. If you use Apigee X or hybrid then there will be a specific set of IP addresses that Apigee will use for outbound calls. Allow THOSE addresses in the Snowflake policy in order to enable that refresh_token call.
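If the network policy turns out to be the cause, the check and the change suggested above could look like this on the Snowflake side. This is an added example, not part of the original thread; the integration name, the policy names and the IP addresses are placeholders (the addresses are taken from documentation ranges), so substitute the outbound addresses of your own Apigee deployment.

```sql
-- Added example. APIGEE_OAUTH_INT, EXISTING_POLICY and APIGEE_EGRESS_POLICY
-- are hypothetical names; 203.0.113.x are placeholder addresses.

-- 1. Find out which network policies exist and which one is in force.
SHOW NETWORK POLICIES;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- Inspect the allowed and blocked lists of the policy currently applied.
DESCRIBE NETWORK POLICY EXISTING_POLICY;

-- Check whether the OAuth security integration already carries its own
-- policy (look for the NETWORK_POLICY property in the output).
DESCRIBE SECURITY INTEGRATION APIGEE_OAUTH_INT;

-- 2. Create a policy that lists only the Apigee outbound addresses.
--    Keeping this separate from the account-level policy avoids widening
--    access for every other user and client of the account.
CREATE NETWORK POLICY APIGEE_EGRESS_POLICY
  ALLOWED_IP_LIST = ('203.0.113.10', '203.0.113.11')
  COMMENT = 'Apigee outbound addresses for OAuth token requests';

-- 3. Attach the policy to the OAuth integration only, so it applies to
--    token requests made through that client.
ALTER SECURITY INTEGRATION APIGEE_OAUTH_INT
  SET NETWORK_POLICY = 'APIGEE_EGRESS_POLICY';

-- 4. Confirm the integration now references the new policy, then retry
--    the refresh_token call from Apigee.
DESCRIBE SECURITY INTEGRATION APIGEE_OAUTH_INT;
```

Scoping the policy to the integration keeps the allow list as narrow as the Apigee egress range. Revisit the list whenever the Apigee outbound addresses change.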