SnowflakeHook reuses expired OAuth tokens for long-running tasks

[SameerMesiah97]

Apache Airflow Provider(s)

snowflake

Versions of Apache Airflow Providers

apache-airflow-providers-snowflake==6.8.1rc1

Apache Airflow version

3.1.5 & main

Operating System

Debian GNU/Linux 12 (bookworm)

Deployment

Other

Deployment details

No response

What happened

When using SnowflakeHook with OAuth authentication, long-running tasks that reuse the same hook instance fail after the OAuth access token expires. The hook continues to reuse an expired token because it is resolved as part of cached connection parameters, preventing the refresh logic from being re-evaluated. As a result, subsequent Snowflake operations fail with an invalid or expired access token error.

What you think should happen instead

SnowflakeHook should re-evaluate OAuth token validity whenever connection parameters are resolved and refresh the token automatically if it has expired. Long-running tasks that reuse the same hook instance should continue to operate successfully without authentication errors, while static connection parameters remain cached and unchanged.

How to reproduce

1. Create a Snowflake connection in Airflow using OAuth with the refresh_token grant type. The default Snowflake OAuth access token lifetime should be 10 mins.

2. Add the following DAG, which reuses a single SnowflakeHook instance across multiple operations:

from datetime import datetime
import time

from airflow.decorators import dag, task
from airflow.providers.snowflake.hooks.snowflake import SnowflakeHook


@task
def long_running_snowflake_task():
    hook = SnowflakeHook(snowflake_conn_id=[Connection ID])

    hook.run("SELECT 1")

    # Sleep longer than the default OAuth token lifetime (10 minutes)
    time.sleep(11 * 60)

    hook.run("SELECT 1")


@dag(start_date=datetime(2025, 12, 1))
def snowflake_oauth_expiry_repro():
    long_running_snowflake_task()


dag = snowflake_oauth_expiry_repro()

3. Trigger the DAG and wait for the task to complete the sleep period.

4. The DAG should fail and you should see the following error messsage in the task execution logs for long_running_snowflake_task:

DatabaseError: 250001 (08001): Failed to connect to DB:
<account>.snowflakecomputing.com:443.
OAuth access token expired. [error code redacted]

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[Rishu-raj-02]

i would really like to work on this and contribute in this.

[SameerMesiah97]

i would really like to work on this and contribute in this.

Thank you for showing interest but there is already a PR for this. But you are free to review it and offer any suggestions for improvement.

On a separate note, I would advise you to search for issues with a 'good first issue' label if you wish to start contributing to airflow.

[SameerMesiah97]

PR #60027 has been opened to fix this bug as part of a refactoring effort to improve the overall quality of the OAuth authentication flow within the SnowflakeHook.

Also, it would be appropriate if this issue was assigned to myself to avoid ambiguity.