[BUG] Can't specify OAuth scope for Snowflake MCP

Resolved 💬 13 comments Opened Apr 2, 2026 by davidlee-ca Closed Apr 15, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When using a Snowflake-managed MCP server with OAuth authentication, Claude Code requests the scope session:role:all by default. However, in my company, the Snowflake OAuth is configured to disallow this, and instead, requires a specific Snowlfake role called out in that request (e.g. session:role:ANALYST_ROLE).

What Should Happen?

Users should be able to specify a custom OAuth scope in the MCP server configuration, e.g.:

{
  "mcpServers": {
    "snowflake": {
      "type": "http",
      "url": "https://...",
      "oauth": {
        "scope": "session:role:ANALYST_ROLE"
      }
    }
  }
}

Error Messages/Logs

Steps to Reproduce

I added the Snowflake-managed MCP like this:

MCP_CLIENT_SECRET="..." \
claude mcp add --transport http --scope user \
  --client-id "..." \
  --client-secret \
  --callback-port 6274 \
  snowflake \
  https://[account].snowflakecomputing.com/api/v2/databases/[db]/schemas/[schema]/mcp-servers/[mcp-server]

Snowflake OAuth has been configured like this:

CREATE OR REPLACE SECURITY INTEGRATION oauth_claude_code_localhost
  TYPE = OAUTH
  OAUTH_CLIENT = CUSTOM
  ENABLED = TRUE
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'http://localhost:6274/callback'
  OAUTH_ALLOW_NON_TLS_REDIRECT_URI = TRUE  // required for non-TLS localhost redirect endpoint
  OAUTH_USE_SECONDARY_ROLES = NONE  // this disables session:role:all
  PRE_AUTHORIZED_ROLES_LIST = ([roles allowed for MCP use, most users have multiple roles])
  BLOCKED_ROLES_LIST = ('SYSADMIN', 'USERADMIN', [a bunch of roles]);

When attempting to authenticate this Snowflake-managed MCP Server with OAuth via /mcp interface, Claude Code opens this URL:

https://[ACCOUNT-NAME].snowflakecomputing.com/oauth/authorize?response_type=code&client_id=...&code_challenge=...&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Fcallback&state=...&scope=session%3Arole%3Aall&resource=...

Since this scope is disabled from Snowflake side, I get the following error:

The role ALL requested has been explicitly blocked for use with this application by an administrator. Please try logging in with a different role, or contact your administrator.

Manually editing the authorization URL during the OAuth flow to replace session:role:all with session:role:<specific_role> results in successful authentication, confirming this is purely a scope configuration issue.

https://[ACCOUNT-NAME].snowflakecomputing.com/oauth/authorize?response_type=code&client_id=...&code_challenge=...&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Fcallback&state=...&scope=session%3Arole%3AANALYST_ROLE&resource=...

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.81

Platform

AWS Bedrock

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

Why this matters: Least privilege principle. Without this scope configurability, Claude Code can't use MCPs in security-conscious environments.

View original on GitHub ↗

This issue has 13 comments on GitHub. Read the full discussion on GitHub ↗