Snowflake: add connectionName config field and session-token auth in SnowflakeClient#6
Draft
costrouc wants to merge 2 commits into
Draft
Snowflake: add connectionName config field and session-token auth in SnowflakeClient#6costrouc wants to merge 2 commits into
connectionName config field and session-token auth in SnowflakeClient#6costrouc wants to merge 2 commits into
Conversation
Adds an optional, non-secret `connectionName` to the snowflake connection sub-section so a consumer can record which connections.toml connection to use for Snowflake Cortex. Regenerates providers.schema.json. Non-vocabulary change; the shape guard is unaffected.
…rowser SSO External-browser SSO yields a Snowflake session token that must be sent as `Authorization: Snowflake Token="<token>"` rather than a Bearer token. When the credential's `X-Snowflake-Authorization-Token-Type` header is the internal `SESSION` sentinel, the client installs that header via a fetch wrapper on both the Anthropic (Claude) and OpenAI paths and strips the sentinel before sending. Keypair/PAT/OAuth Bearer paths are unchanged.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two small, backward-compatible changes that let Posit Assistant drive Snowflake
Cortex from a user's
connections.toml(the file the Python connector / SnowflakeCLI use):
ai-config— a non-secretconnectionNamefield on thesnowflakeconnection sub-section, so a consumer can record which named connection to
use.
ai-provider-bridge—SnowflakeClientsupport for the session-tokenauth scheme, needed for external-browser (SSO) sign-in.
All the discovery/parsing, token acquisition, and UI live in the consumer
(
posit-dev/assistant, companion PR); this PR is only the enablingai-libprimitives.
Changes
ai-configsnowflakeConfigSchemagains an optionalconnectionName: z.string().ResolvedConnection.snowflakegainsconnectionName?: string.providers.schema.json.The field is optional and non-secret; it flows through the existing
connection-resolution/merge path with no other changes. It is not part of the
provider/protocol/client-kind vocabulary, so the cross-package shape guard is
unaffected.
ai-provider-bridgeSnowflakeClientnow recognizes an internal sentinel value (SESSION) on theX-Snowflake-Authorization-Token-Typeheader. When present, the clientauthenticates with
Authorization: Snowflake Token="<token>"(the schemeSnowflake session tokens use) instead of a Bearer token, via a
fetchwrapperapplied on both the Anthropic (Claude) and OpenAI paths. The sentinel
header is stripped before the request is sent.
branch only activates when a caller opts in with the sentinel.
Why a
fetchwrapper:authorizationis on the SDK-managed header filter, so asession token can't be injected via
customHeaders; wrappingfetchis thereliable way to set the final
Authorizationheader after the SDK builds therequest.
Why
Snowflake Cortex's REST API accepts different auth schemes depending on the
credential:
Authorization: Bearer <token>+ a token-typeheader (already supported), and
Authorization: Snowflake Token="<token>"(this PR).Recording the selected
connectionName(non-secret) inproviders.jsonlets theconsumer resolve the right connection on each request without persisting secrets.
Testing
npm run build(regeneratesproviders.schema.json)npm run check-types— per-workspace typechecks + the cross-package shapeguard all pass
npm test—ai-config(173) andai-provider-bridge(210) suites passCompatibility / risk
connectionNameis optional; theSESSIONpath isinert unless a caller sends the sentinel. No behavior change for existing
providers or Bearer-based Snowflake auth.
Companion PR
Consumed by
posit-dev/assistant(Snowflakeconnections.tomldiscovery,per-authenticator token acquisition, connection-selection UI). That PR pins the
submodule to this commit.