Increase security of OAuth connections

Hello! :wave:

Here is a suggestion to increase the security of OAuth connections (when connecting to external services, such as Snowflake):

  • Rather than using the same generic redirect URL for all customers (https://oauth.retool.com/oauth/user/oauthcallback), you should add a unique identifier for each customer in the URL (ex: https://oauth.retool.com/oauth/user/oauthcallback/my_retool_account_name).

  • When you receive those OAuth callbacks, you would just have to validate that the unique identifier in the redirect URL matches the customer/account that is trying to log in.

  • That redirect URL is hardcoded in the external service (e.g. Snowflake), which would create a hard/unique/secure link between one specific Snowflake account and one specific Retool account (i.e. that OAuth client/integration can only be used with that specific destination URL/account).

  • That way, even if the OAuth client ID & secret are compromised, a hacker still couldn't connect from their own Retool account (or from anywhere else).

Security is important, and although OAuth is already pretty secure, this would make it even more secure! And it seems like a quick win.

In light of all the data breaches we hear about constantly (and the recent ones with a few Snowflake customers), I hope this can get prioritized eventually! :crossed_fingers:

Thank you!

Since an image is worth a thousand words, I made some quick graphs:
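To make the per-account redirect URL check above concrete, here is an added example of a callback validator (illustration only, not Retool's code or the forum poster's). It assumes the callback path layout suggested in the post (`/oauth/user/oauthcallback/<account>`), uses the Retool account name as the identifier, and keeps pending OAuth `state` values in memory; a real service would use a shared store with expiry. The callback is accepted only if the `state` was issued to the account whose session delivers the callback and the account embedded in the redirect path is that same account, so a stolen client ID and secret registered with the victim's redirect URL cannot complete the flow from a different account.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed path layout from the suggestion in the post; Retool's real route
# and identifier format are not known here.
CALLBACK_PREFIX = "/oauth/user/oauthcallback/"


@dataclass
class PendingAuth:
    """One in-flight OAuth authorization, bound to the account that started it."""
    account: str  # account whose user clicked "connect"
    state: str    # random anti-CSRF value sent to the provider


class OAuthCallbackValidator:
    """Validates provider callbacks against a per-account redirect URL.

    Hypothetical in-memory implementation for illustration.
    """

    def __init__(self) -> None:
        self._pending: dict[str, PendingAuth] = {}

    def start_flow(self, account: str) -> str:
        """Begin an authorization flow for `account`; returns the state value."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = PendingAuth(account=account, state=state)
        return state

    def validate_callback(self, callback_url: str, session_account: str):
        """Check one callback hit. Returns (ok, authorization_code_or_reason).

        `session_account` is the logged-in account whose browser delivered the
        callback; it must match both the pending flow and the account
        identifier embedded in the redirect path.
        """
        parts = urlsplit(callback_url)
        if not parts.path.startswith(CALLBACK_PREFIX):
            return False, "callback path lacks an account identifier"
        account_in_path = parts.path[len(CALLBACK_PREFIX):]
        if not account_in_path or "/" in account_in_path:
            return False, "malformed account identifier"

        params = parse_qs(parts.query)
        state = params.get("state", [""])[0]
        code = params.get("code", [""])[0]
        if not state or not code:
            return False, "missing state or code"

        # One-shot: a state value is consumed whether or not the rest validates.
        pending = self._pending.pop(state, None)
        if pending is None:
            return False, "unknown or already-used state"

        # The flow must have been started by the account now receiving it
        # (account names are assumed ASCII; compare_digest requires that).
        if not secrets.compare_digest(pending.account, session_account):
            return False, "state was issued to a different account"
        # The provider must have redirected to this account's own URL. With a
        # copied client ID/secret the provider still only knows the redirect
        # URL registered by the legitimate account, so this check fails.
        if not secrets.compare_digest(account_in_path, session_account):
            return False, "redirect URL belongs to a different account"

        return True, code


if __name__ == "__main__":
    v = OAuthCallbackValidator()
    s = v.start_flow("acme")  # constructed sample account name
    url = f"https://oauth.retool.com{CALLBACK_PREFIX}acme?state={s}&code=abc"
    print(v.validate_callback(url, "acme"))      # (True, 'abc')
    print(v.validate_callback(url, "acme"))      # replayed state is rejected
```

The two `compare_digest` checks are deliberately separate: the first catches a `state` that was minted for another account (a cross-account CSRF), the second catches a provider configured with another account's redirect URL, which is exactly the case the post describes when client credentials leak.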

Hey @mroy ! Welcome to the community forum! Thank you so much for suggesting this :slight_smile: Great idea.

I've logged this request internally with our engineering team for their consideration! We'll update here with any movement or updates on this as they consider where this could slot in among their priorities.
