[BUG] Can't specify OAuth scope for Snowflake MCP
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When using a Snowflake-managed MCP server with OAuth authentication, Claude Code requests the scope session:role:all by default. However, in my company, the Snowflake OAuth is configured to disallow this, and instead, requires a specific Snowlfake role called out in that request (e.g. session:role:ANALYST_ROLE).
What Should Happen?
Users should be able to specify a custom OAuth scope in the MCP server configuration, e.g.:
{
"mcpServers": {
"snowflake": {
"type": "http",
"url": "https://...",
"oauth": {
"scope": "session:role:ANALYST_ROLE"
}
}
}
}
Error Messages/Logs
Steps to Reproduce
I added the Snowflake-managed MCP like this:
MCP_CLIENT_SECRET="..." \
claude mcp add --transport http --scope user \
--client-id "..." \
--client-secret \
--callback-port 6274 \
snowflake \
https://[account].snowflakecomputing.com/api/v2/databases/[db]/schemas/[schema]/mcp-servers/[mcp-server]
Snowflake OAuth has been configured like this:
CREATE OR REPLACE SECURITY INTEGRATION oauth_claude_code_localhost
TYPE = OAUTH
OAUTH_CLIENT = CUSTOM
ENABLED = TRUE
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
OAUTH_REDIRECT_URI = 'http://localhost:6274/callback'
OAUTH_ALLOW_NON_TLS_REDIRECT_URI = TRUE // required for non-TLS localhost redirect endpoint
OAUTH_USE_SECONDARY_ROLES = NONE // this disables session:role:all
PRE_AUTHORIZED_ROLES_LIST = ([roles allowed for MCP use, most users have multiple roles])
BLOCKED_ROLES_LIST = ('SYSADMIN', 'USERADMIN', [a bunch of roles]);
When attempting to authenticate this Snowflake-managed MCP Server with OAuth via /mcp interface, Claude Code opens this URL:
https://[ACCOUNT-NAME].snowflakecomputing.com/oauth/authorize?response_type=code&client_id=...&code_challenge=...&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Fcallback&state=...&scope=session%3Arole%3Aall&resource=...
Since this scope is disabled from Snowflake side, I get the following error:
The role ALL requested has been explicitly blocked for use with this application by an administrator. Please try logging in with a different role, or contact your administrator.
Manually editing the authorization URL during the OAuth flow to replace session:role:all with session:role:<specific_role> results in successful authentication, confirming this is purely a scope configuration issue.
https://[ACCOUNT-NAME].snowflakecomputing.com/oauth/authorize?response_type=code&client_id=...&code_challenge=...&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Fcallback&state=...&scope=session%3Arole%3AANALYST_ROLE&resource=...
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.81
Platform
AWS Bedrock
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
Why this matters: Least privilege principle. Without this scope configurability, Claude Code can't use MCPs in security-conscious environments.
This issue has 13 comments on GitHub. Read the full discussion on GitHub ↗