[CSHARP-2171] SCRAM-SHA-256 Support
Created: 02/Feb/18 | Updated: 28/Oct/23 | Resolved: 18/Jun/18
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 2.7.0 |
| Type: | New Feature | Priority: | Major - P3 |
| Reporter: | Rathi Gnanasekaran | Assignee: | Vincent Kam (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Epic Link: | CSHARP MongoDB 4.0 Support |
| Description |
|
The next version of MongoDB will include SCRAM-SHA-256 as an authentication type. This is defined in RFC 7677. The sample conversation from the RFC is:
In advance of updates to the Auth spec, which will include additional details of mechanism negotiation and user/password normalization (see |
| Comments |
| Comment by Githook User [ 18/Jun/18 ] |
|
Author: {'username': 'vincentkam', 'name': 'vincentkam', 'email': 'vincent.kam@10gen.com'} Message: |
| Comment by Jeffrey Yemin [ 04/May/18 ] |
|
I think 3. is the best option. MIT license is permissive enough for use in our project. |
| Comment by Vincent Kam (Inactive) [ 03/May/18 ] |
|
SCRAM-SHA-256 requires implementing Rfc2898 with SHA-256 (see https://tools.ietf.org/html/rfc7677#section-3, and the definition of Hi() under https://tools.ietf.org/html/rfc5802#section-2.2). For SCRAM-SHA-1, a library function called Rfc2898DeriveBytes was used. This function was available for .NET Framework 4.5 and .NET Standard 1.5, the versions of .NET the C# driver targets. However, for those versions of .NET, Rfc2898DeriveBytes only supports SHA-1. SHA-256 support is available in .NET Framework 4.7.2 (ref) and .NET Core 2.0 (ref). It's worth noting that no version of .NET Standard currently has a version of Rfc2898DeriveBytes that supports SHA-256. After discussing this briefly with jeff.yemin, rstam, and craiggwilson, we have the following options on the table thus far:
On the bright side, using .NET Framework 4.7.2’s Rfc2898DeriveBytes, I was able to get the initial test conversation to pass. |
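
An added example, not the driver's code and not one of the options discussed in this ticket: Hi() from RFC 5802 section 2.2 written directly on HMACSHA256, so it does not depend on the SHA-256 overload of Rfc2898DeriveBytes, then checked against the RFC 7677 section 3 sample conversation. The class and method names are hypothetical, and SASLprep normalization is skipped on the assumption that the password is plain ASCII, as the test password is.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical names): SCRAM-SHA-256 client math without Rfc2898DeriveBytes.
public static class ScramSha256Example
{
    // Hi(str, salt, i) per RFC 5802 section 2.2: U1 = HMAC(str, salt || INT(1)),
    // Uk = HMAC(str, Uk-1), result = U1 XOR ... XOR Ui (PBKDF2, one 32-byte block).
    public static byte[] Hi(byte[] password, byte[] salt, int iterations)
    {
        if (iterations < 1) throw new ArgumentOutOfRangeException(nameof(iterations));
        using (var hmac = new HMACSHA256(password))
        {
            var block = new byte[salt.Length + 4];
            Buffer.BlockCopy(salt, 0, block, 0, salt.Length);
            block[block.Length - 1] = 1; // INT(1) as a 4-byte big-endian integer
            byte[] u = hmac.ComputeHash(block);
            var result = (byte[])u.Clone();
            for (int k = 1; k < iterations; k++)
            {
                u = hmac.ComputeHash(u);
                for (int j = 0; j < result.Length; j++) result[j] ^= u[j];
            }
            return result;
        }
    }

    static byte[] Hmac(byte[] key, string message)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(message));
    }

    public static void Main()
    {
        // RFC 7677 section 3 sample conversation: user "user", password "pencil".
        const string nonce = "rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0";
        const string salt = "W22ZaJ0SNY7soEsUEjb6gQ==";
        string authMessage = "n=user,r=rOprNGfwEbeRWgbNEkqO," + "r=" + nonce + ",s=" + salt + ",i=4096," + "c=biws,r=" + nonce;
        byte[] salted = Hi(Encoding.UTF8.GetBytes("pencil"), Convert.FromBase64String(salt), 4096);
        byte[] clientKey = Hmac(salted, "Client Key");
        byte[] proof;
        using (var sha = SHA256.Create()) proof = Hmac(sha.ComputeHash(clientKey), authMessage);
        for (int j = 0; j < proof.Length; j++) proof[j] ^= clientKey[j]; // ClientKey XOR ClientSignature
        byte[] serverSig = Hmac(Hmac(salted, "Server Key"), authMessage);
        // Test-vector check only; a real client compares the server signature in constant time.
        Console.WriteLine(Convert.ToBase64String(proof) == "dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=");
        Console.WriteLine(Convert.ToBase64String(serverSig) == "6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=");
    }
}
```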