Description
Feature Description (Required)
Extend SnowflakeHook.get_oauth_token so that connections using the client_credentials grant can optionally provide an OAuth scope. The value should come from a new connection-extra field (for example oauth_scope) and be included in the POST body when requesting the token. Existing behavior stays unchanged if no scope is supplied.
Root Problem
Many identity providers, including Okta, require or recommend a scope for client-credentials exchanges. The current hook sends only grant_type (and defaults to no scopes), so customers must either override the hook in their deployments or weaken their IdP policies.
User Impact (Required)
Without this option, users can’t complete the OAuth handshake with providers that mandate scopes. Connections fail with access_denied errors, forcing teams to ship custom patches or abandon client-credentials altogether.
Acceptance Criteria
A connection extra (e.g., oauth_scope) is documented and honored for Snowflake OAuth.
When the extra is present, get_oauth_token includes scope= in the token request.
Leaving the field empty preserves today’s behavior.
Unit tests cover the scope-enabled branch and the default path.
Docs Info Needed
Update the Snowflake connection how-to to list the new extra and explain when to use it.
User stories
No response
Additional Notes
Snowflake's OAuth docs allow scope in client-credentials, and IdPs like Okta enforce or require it most of the time. This mirrors the existing Azure pattern (azure_oauth_scope → sent as scope).
Use case/motivation
Many customer IdPs (e.g., Okta, Auth0) are commonly configured to require a scope for client-credentials flows. While not always mandatory, this is a typical security setup. Because SnowflakeHook.get_oauth_token can’t currently include a scope, these configurations cause token requests to fail, forcing users to apply custom patches or relax IdP settings. Supporting an optional scope field allows the hook to work with these standard enterprise configurations without workarounds.
Related issues
No response
Are you willing to submit a PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct
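
The behavior requested above, as an added example that is not part of the original issue and is not Airflow's SnowflakeHook code: the token request body gains `scope` only when the proposed `oauth_scope` extra is set, and each scope token is checked against the RFC 6749 character set before it is sent. The helper names, the stub IdP and the sample scope `session:role:ANALYST` are assumptions constructed for illustration.

```python
# Added example: hypothetical helper names, not Airflow's SnowflakeHook code.
import re
from urllib.parse import parse_qs, urlencode

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def build_token_request(extras):
    """Form fields for a client_credentials token request.

    `oauth_scope` is the extra name proposed in the issue; it is optional.
    """
    data = {"grant_type": "client_credentials"}
    tokens = (extras.get("oauth_scope") or "").split()
    for token in tokens:
        if not SCOPE_TOKEN.fullmatch(token):
            raise ValueError(f"invalid scope token: {token!r}")
    if tokens:  # empty or missing extra: body is unchanged from today
        data["scope"] = " ".join(tokens)
    return data


def stub_idp(body, required_scope):
    """Constructed stand-in for an IdP token endpoint that mandates a scope."""
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return {"error": "unsupported_grant_type"}
    requested = form.get("scope", [""])[0].split()
    if required_scope not in requested:
        return {"error": "access_denied"}  # the failure the issue describes
    return {"access_token": "constructed-token", "token_type": "Bearer"}


def request_token(extras, required_scope="session:role:ANALYST"):
    """Encode the body as it would be POSTed and hand it to the stub."""
    return stub_idp(urlencode(build_token_request(extras)), required_scope)


if __name__ == "__main__":
    print(request_token({}))
    print(request_token({"oauth_scope": "session:role:ANALYST"}))
```

Requesting only the scope the connection needs keeps the issued token narrow, which is the alternative to relaxing the IdP policy that the issue mentions.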