SNOW-2466263: OIDC Token Refresh flow not implemented

[sblackstone]

The documentation I have linked below suggests that I use OIDC auth with Azure Kubernetes, however if I do this and sql db needs to open new connections after the token's expiration, I don't see any mechanism that would allow this to work - there is no refresh for the OIDC token.

Am I not supposed to use this driver as a long running pool? I'm not sure how to square these docs below with what I can find in the driver code and the experiments I've run.

https://docs.snowflake.com/en/user-guide/workload-identity-federation#authenticate-to-snowflake-using-an-openid-connect-oidc-issuer-from-microsoft-azure-kubernetes

Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!

1. What version of GO driver are you using?
   1.17.0

2. What operating system and processor architecture are you using?
   Linux/amd

3. What version of GO are you using?
   1.25.3

4.Server version:* E.g. 1.90.1
9.33.0

5. What did you do?

See above.

6. What did you expect to see?

See above.

7. Can you set logging to DEBUG and collect the logs?

Let me know if theres something you need on this.

[sfc-gh-dszmolka]

hey @sblackstone of course the driver meant to be used even for long-running applications. I'm not sure if OIDC even issues refresh tokens and if it does, is this flow implemented at all in any of the Snowflake drivers (not just this one) . I need to research a bit here and will get back to you.

[sfc-gh-dszmolka]

okay so after a short sync with the team here, it looks like this flow is not implemented - anywhere. Any of the Snowflake drivers. We need to work on that; no timeline attached. Thank you for bearing with us.

[sblackstone]

Thanks for looking at this..

Another (somewhat related) thing I noticed while I was digging into this was that tokenfilepath is not settable as a configuration option except via the DSN (it probally should be available in the config as well).

And even if you do set it, it is ignored for OIDC because

func shouldReadTokenFromFile(cfg *Config) bool {
	return cfg != nil && cfg.Authenticator == AuthTypeOAuth && len(cfg.Token) == 0
}

... only allows the token to be read for type=OAUTH.

OIDC and OAuth seem to share the token variable, so this restriction should probally be relaxed and brought into line with the python connector which suports toke_file_path for OIDC.