Snowflake Connections with SSO create infinite loop of auth when trying to reconnect

System information:

  • Operating system: MacOS 10.14.06, Ubuntu 18.04, others
  • DBeaver version: 7.0.3 (and prior)
  • Additional extensions: None

Connection specification:

  • Database name and version: Snowflake
  • Driver name: snowflake-jdbc-3.12.0.jar
  • Do you use tunnels or proxies (SSH, SOCKS, etc)? No

Describe the problem you’re observing:

When trying to run a query on a timed-out connection to Snowflake with an Okta SSO authentication, the client goes into an infinite auth loop and never resolves.

Typically on a new connection to Snowflake, 2-3 requests are made to SSO via local browser to authenticate to Okta before the full connection is established. However, if a connection was already opened (say with an open SQL tab), and that connection had timed out, the next time a query is run, DBeaver will attempt to reconnect and create an unresolved auth loop, causing the connection to never be established, but constantly keep trying to authenticate with new browser windows.

The only resolution I have found when this starts is to fully quit DBeaver and restart it once the loop is established. Or, if you know the connection has timed out, reconnect to DBeaver explicitly before trying to run ANY query.

This is especially burdensome when MFA is enabled on the account.

Steps to reproduce, if exist:

  1. Open a connection to Snowflake with SSO (external browser) authentication.
  2. Allow the connection to time out (or lose network connection).
  3. Run any query. (Even select 1;)
  4. Watch as DBeaver tries to authenticate, but opens a bazillion browser connections to Okta.

Include any warning/errors/backtraces from the logs

From dbeaver-debug.log

> Start Draw2d [org.eclipse.draw2d 3.10.100.201606061308]
> Start DBeaver Generic UI Plug-in [org.jkiss.dbeaver.ext.generic.ui 1.0.7.202004191823]
> Start DBeaver MySQL Support [org.jkiss.dbeaver.ext.mysql 2.1.116.202004191823]
> Start DBeaver UI Editors - Connections [org.jkiss.dbeaver.ui.editors.connection 1.0.22.202004191823]
> Start DBeaver Snowflake UI [org.jkiss.dbeaver.ext.snowflake.ui 1.0.51.202004191823]
> Start DBeaver SSH tunnels [org.jkiss.dbeaver.net.ssh.ui 1.0.52.202004191823]
> Start DBeaver SSH tunnels [org.jkiss.dbeaver.net.ssh 1.0.52.202004191823]
Initiating login request with your identity provider. A browser window should have opened for you to complete the login. If you can't see it, check existing browser windows, or your OS settings. Press CTRL+C to abort and try again...
Initiating login request with your identity provider. A browser window should have opened for you to complete the login. If you can't see it, check existing browser windows, or your OS settings. Press CTRL+C to abort and try again...
Initiating login request with your identity provider. A browser window should have opened for you to complete the login. If you can't see it, check existing browser windows, or your OS settings. Press CTRL+C to abort and try again...
Initiating login request with your identity provider. A browser window should have opened for you to complete the login. If you can't see it, check existing browser windows, or your OS settings. Press CTRL+C to abort and try again...
Initiating login request with your identity provider. A browser window should have opened for you to complete the login. If you can't see it, check existing browser windows, or your OS settings. Press CTRL+C to abort and try again...

From .log (there are several of these repeating errors)

!STACK 0
java.lang.NullPointerException
	at org.eclipse.swt.graphics.Image.internal_new_GC(Image.java:1628)
	at org.eclipse.swt.graphics.GC.<init>(GC.java:262)
	at org.eclipse.swt.graphics.GC.<init>(GC.java:223)
	at org.eclipse.jface.text.source.LineNumberRulerColumn.doubleBufferPaint(LineNumberRulerColumn.java:693)
	at org.eclipse.jface.text.source.LineNumberRulerColumn.lambda$2(LineNumberRulerColumn.java:619)
	at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:234)
	at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:89)
	at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4387)
	at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1512)
	at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1535)
	at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1520)
	at org.eclipse.swt.widgets.Control.drawWidget(Control.java:1266)
	at org.eclipse.swt.widgets.Canvas.drawWidget(Canvas.java:176)
	at org.eclipse.swt.widgets.Widget.drawRect(Widget.java:776)
	at org.eclipse.swt.widgets.Canvas.drawRect(Canvas.java:170)
	at org.eclipse.swt.widgets.Display.windowProc(Display.java:6000)
	at org.eclipse.swt.internal.cocoa.OS.objc_msgSendSuper(Native Method)
	at org.eclipse.swt.widgets.Display.applicationNextEventMatchingMask(Display.java:5265)
	at org.eclipse.swt.widgets.Display.applicationProc(Display.java:5673)
	at org.eclipse.swt.internal.cocoa.OS.objc_msgSend(Native Method)
	at org.eclipse.swt.internal.cocoa.NSApplication.nextEventMatchingMask(NSApplication.java:92)
	at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3785)
	at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$5.run(PartRenderingEngine.java:1160)
	at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
	at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1049)
	at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:155)
	at org.eclipse.ui.internal.Workbench.lambda$3(Workbench.java:658)
	at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
	at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:557)
	at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:154)
	at org.jkiss.dbeaver.ui.app.standalone.DBeaverApplication.start(DBeaverApplication.java:233)
	at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:203)
	at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:137)
	at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:107)
	at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:401)
	at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:255)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:657)
	at org.eclipse.equinox.launcher.Main.basicRun(Main.java:594)
	at org.eclipse.equinox.launcher.Main.run(Main.java:1447)

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 8 (2 by maintainers)

Top GitHub Comments

uslss commented, Jun 10, 2020 (1 reaction)

Thanks for the bug report.

GTLangseth commented, Dec 4, 2020 (0 reactions)

I wrote to Snowflake about this issue and found a solution that can be set up server-side: https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-use.html#optional-using-connection-caching-to-minimize-the-number-of-prompts-for-authentication

This enables token caching for the MFA auth. It solved this problem for me because DBeaver can then re-use the auth token from the initial MFA request.
