Major - P3
Update 2018-03-01: the updated auth spec is now available. Testing will require a master nightly server release (or waiting for 3.7.3).
The next version of MongoDB will include SCRAM-SHA-256 as an authentication type. This is defined in RFC 7677. The sample conversation from the RFC is:
In advance of updates to the Auth spec, which will include additional details of mechanism negotiation and user/password normalization (see DRIVERS-444), all drivers should take steps now to ensure their SCRAM libraries are capable of operating in SHA-256 mode, using the sample conversation for verification. (You'll need to force the client nonce to be "rOprNGfwEbeRWgbNEkqO" for the test conversation to work.)
Drivers should validate when they have an RFC-7677 compliant SCRAM-SHA-256 implementation. An additional drivers ticket will be opened for Auth Spec changes based on the server's actual implementation.
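As an added example (not part of this ticket or of any driver's code), the following Python sketch computes the client-final message for the RFC 7677 section 3 sample exchange with the client nonce forced as described above, and checks the server signature. The username "user", password "pencil" and the message strings are the RFC's sample values; the function names are illustrative, and SASLprep normalization is omitted because the sample password is plain ASCII.

```python
import base64
import hashlib
import hmac

# RFC 7677 section 3 sample exchange (username "user", password "pencil").
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
RFC_CLIENT_FINAL = ("c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                    "p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=")
RFC_SERVER_FINAL = "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def client_first_bare(user, nonce):
    # RFC 5802 requires '=' and ',' in the username to be escaped.
    name = user.replace("=", "=3D").replace(",", "=2C")
    return f"n={name},r={nonce}"


def client_final(user, password, nonce, server_first):
    """Return (client-final-message, expected server signature in base64)."""
    attrs = dict(kv.split("=", 1) for kv in server_first.split(","))
    # The combined nonce must start with, and extend, the client nonce.
    if not attrs["r"].startswith(nonce) or attrs["r"] == nonce:
        raise ValueError("server nonce does not extend client nonce")
    salt = base64.b64decode(attrs["s"])
    # SaltedPassword := Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-256.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(attrs["i"]))
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    without_proof = f"c=biws,r={attrs['r']}"  # biws = base64("n,,"), no channel binding
    auth_message = ",".join(
        [client_first_bare(user, nonce), server_first, without_proof]).encode()
    client_sig = _hmac(stored_key, auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
    return (f"{without_proof},p={base64.b64encode(proof).decode()}",
            base64.b64encode(server_sig).decode())


def verify_server_final(server_final, expected_sig):
    # Constant-time comparison of the server's "v=" attribute.
    return hmac.compare_digest(server_final, "v=" + expected_sig)
```

A SCRAM library that passes with SHA-1 but produces a different `p=` value here is usually still hard-coding the hash or digest length somewhere in `Hi`, `HMAC` or `H`.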
As of MongoDB 3.7.3 it is possible to create SCRAM-SHA-256 users for testing and development:
The server has to be in 4.0 feature compatibility mode for SCRAM-SHA-256 credentials to be created. See SERVER-32974 for more details.
Update 2/22 - The default FCV is now 4.0 in MongoDB master, enabling SCRAM-SHA-256 support by default.