Error retrieving metadata: Invalid OAuth access token when accessing JDBC data source for Snowflake

[Alexander Osipov]

Has anybody successfully configured the JDBC data source with OAuth support in Spotfire? Could you please share your experience?

Since version 12, Spotfire Information Services supports OpenID Connect to authenticate to the JDBC data sources, where Spotfire Server collects the access token created during login and passes it on to the JDBC data source driver so that users can seamlessly access data sources using their own identity.

I need help authenticating to the Snowflake JDBC endpoint using such an approach. I can create a data source using Information Designer and even validate the created object. However, when I'm trying to expand the data source and see the tables, I'm getting - the "Error retrieving metadata: Invalid OAuth access token" error.

I've already configured OpenID Connect authentication, and users can log in to Spotfire using Microsoft Azure. I also created a JDBC data source template with OAuth support for Snowflake. And I can log in to the Snowflake outside of Spotfire using tools like DBeaver and Postman, so my setup is correct.

[Fredrik Rosell]

Hello Alexander,

This is Fredrik Rosell with TIBCO Support. I'm mainly writing this addressed at any else that find this post, as we are already working with you, together with our partner PerkinElmer, on investigating your particular issue. 

We (TIBCO) are currently working with several different Spotfire users that have reported having problems getting this particular combination - Snowflake JDBC + OAuth - working. I just want to recommend anyone else also having issues with this to open a support case so we can work with you to investigate (or monitor this community post, and we will aim to update it once we have a solution/more information).  

[Fredrik Rosell]

Just for logging here, the issue was resolved by setting the scope for the oidc provider.

The prerequisites are documented here: 

Using OAuth2 with Information Services

https://docs.tibco.com/pub/spotfire_server/latest/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/using_oauth2_information_services.html

Advanced OpenID Connect settings: https://docs.tibco.com/pub/spotfire_server/latest/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/advanced_openid_connect_settings.html

[James Bailey]

Can you please share the data source template that is working correctly? What is the scope for the oidc provider?

[Fredrik Rosell]

Hello James,

I just want to acknowledge your request here. I have been monitoring/is involved in the back-end of the case you already have open with Spotfire Support about your issue. I had hoped to have been able to share the requested information here (a long time ago), but as we are still working with you to troubleshoot and don't yet fully understand the particular issues you are encountering, I will wait until that issue has been fully understood/resolved before publishing additional information here.

 

[James Bailey]

We still don't have a resolution for this issue. Can you please share the details of how you set the scope for the oidc provider.

[Fredrik Rosell]

Hello James,

Snowflake + JDBC + OAuth2 has been a continued source of issues so I'm afraid I don't have a good answer for you at this point. The latest Spotfire release - 12.5 - opens up more options as you can now e.g. initiate OAuth2 flows from Information Services (https://community.spotfire.com/s/article/What-s-New-in-Spotfire-12-5) and there has been various other improvements as part of introducing/testing that. I believe you are already testing that version which is good/increases the chances that a solution can be found. We'll work with you through the support case to investigate further.