CDRIVER-2150 implemented caching for SCRAM-SHA-1 by tracking the client key, server key, and salted password on the mongoc_cluster_t object. Once cached, those values are then used for all subsequent SCRAM authentications for the same cluster/client.
PHPC-1022, we discovered that this behavior was the cause of occasional authentication failures for persisted libmongoc clients. While the client error was vague, the server logs indicated:
AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch
Looking at 16e8333 for
scram_sha1_client_cache.cpp uses the following pre-secrets as its hash key:
- hashed password
- iteration count
Rather than maintain a single cache entry for the entire cluster, libmongoc should cache its secrets by an n-tuple of the above pre-secrets. This cache need not be limited to mongoc_cluster_t. We can have _mongoc_scram_startup() (called by _mongoc_do_init() initialize a global hash table for use by all libmongoc clients. This will allow us to remove any notion of caching from mongoc-cluster.c and contain it within mongoc-scram.c. That hash table can later be freed in a new _mongoc_scram_cleanup() function, which can be invoked by _mongoc_do_cleanup().
- is depended on by
PHPC-1022 Sporadic SCRAM-SHA-1 authentication failures due to "storedKey mismatch"
- is related to
CDRIVER-2150 Cache SCRAM-SHA-1 ClientKey
DRIVERS-343 Cache SCRAM ClientKey