Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-707

Support shorter SCRAM conversation

    XMLWordPrintable

Details

    • Epic
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • None

    Description

      Epic Summary

       

      Summary

      This project will shorten the SCRAM conversation between client and server. The SCRAM handshake involves the following steps:

      1. The client advertises the name of the user it wishes to authenticate as.
      2. The server replies with user-specific mechanism parameters
      3. The client sends a proof of knowledge derived from the parameters and the password.
      4. The server replies with a proof that it knew the password.
      5. The client sends an empty message.
      6. The server replies with an empty message, along with the

        {done: true}

        flag.

      We will remove steps 5 and 6, and the server will advertise

      {done: true}

      in step 4.

      Clients can opt into the shorter SCRAM conversation with the following saslStart command:

      {
        saslStart: 1,
        mechanism: 'SCRAM-SHA-256',
        options: { skipEmptyExchange: true },
        payload: '...',
      }
      

      Note that older server versions will ignore the options, so no wire version check is required. The options can be sent to all server versions. Older server versions will just continue to use the longer SASL conversations, so clients needing to authenticate to pre-4.4 servers have to be able to handle both types of exchanges. 

      Documentation

      Relevant spec change

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              backlog-server-pm Backlog - Core Eng Program Management Team
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: