[DRIVERS-166] Implement the SCRAM-SHA-1 SASL Mechanism Created: 09/Jun/14  Updated: 27/May/22  Resolved: 31/Jan/15

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Craig Wilson Assignee: Craig Wilson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-14830 SCRAM-SHA-1 conversations fail to com... Closed
depends on JAVA-828 Support SASL SCRAM-SHA1 authentication Closed
depends on JAVA-1461 Support authentication mechanism nego... Closed
depends on NODE-230 Implement the SCRAM-SHA-1 SASL Mechanism Closed
depends on PYTHON-706 Implement SCRAM-SHA-1 Authentication ... Closed
depends on SERVER-7596 Support SCRAM-SHA-1 SASL Mechanism Closed
depends on CSHARP-990 Implement SCRAM-SHA-1 Authentication ... Closed
depends on CXX-298 Implement the SCRAM-SHA-1 SASL Mechanism Closed
depends on CDRIVER-404 Implement the SCRAM-SHA-1 SASL Mechanism Closed
depends on PYTHON-764 SCRAM-SHA-1 upgrade / downgrade support Closed
depends on RUBY-791 Implement the SCRAM-SHA-1 SASL Mechanism Closed
Related
related to CXX-394 Do not use MONGODB-CR for recent 2.7 ... Closed
is related to SERVER-16167 2.8.0-rc0 shell can't auth to a 2.4 s... Closed
is related to SERVER-15177 Use native SCRAM-SHA-1 in Enterprise ... Closed
is related to SERVER-15179 Upgrade/downgrade steps MONGODB-CR ->... Closed
Epic Link: Authentication
Server Compat: 2.7
Driver Compliance:
Key Status/Resolution FixVersion
CSHARP-990 Done 1.10
PYTHON-706 Done 2.8, 3.0
JAVA-828 Done 2.13.0, 3.0.0
CDRIVER-404 Done 1.1.0
RUBY-791 Done 1.12, 2.0.0
NODE-230 Done 2.0, 1.4.11, 1.4.13
PERL-408 Done 0.706.0.0, 1.0.0
PHP-1161 Done 1.6.0RC1, 1.6.0
CXX-298 Done legacy-1.0.0-rc1
JAVA-1461 Done 2.13.0, 3.0.0
PYTHON-764 Done 2.8, 3.0

Description

Server 2.8 will be implementing SCRAM-SHA-1 as a new authentication mechanism. Eventually, it will become the default mechanism in the server and MONGODB-CR will be removed.

As such, all drivers will need to support SCRAM-SHA-1 for the 2.8 release. RFC 5802 describes the mechanism and how it should be implemented.

To support authentication upgrades from older versions of MongoDB to 2.8, drivers will use the following algorithm:

  • If the application specifies a particular authMechanism (e.g. MONGODB-CR) the driver will continue to honor it.
  • If the application provides a user and password, or calls the driver's authenticate method, but provides no explicit authMechanism, the following applies:
    • The server's maxWireVersion is being bumped to 3 for MongoDB 2.8 - See SERVER-15330
    • If the server's maxWireVersion >= 3 the driver will use SCRAM-SHA-1 (i.e. the driver's default mechanism is SCRAM-SHA-1)
    • If the server's maxWireVersion < 3 the driver will use MONGODB-CR (i.e. the driver's default mechanism remains MONGODB-CR)

MongoDB 2.8 will always support SCRAM-SHA-1 if at least MONGODB-CR was specified in --authenticationMechanisms, so drivers do not have to "try and fall back". If SCRAM credentials don't yet exist for a user, the server will create them on the fly when the driver uses SCRAM-SHA-1 as the mechanism.

Note - RFC 5802 SCRAM is relatively new (2010). The version of cyrus-sasl that ships with RHEL/CentOS 5/6 and Amazon Linux (2.1.23) does not support SCRAM at all. Drivers cannot use cyrus-sasl to implement SCRAM-SHA-1 and will have to write native implementations. If your language runtime or standard library provides an implementation of HMAC and SHA-1 this is not difficult following the RFC (the RFC's Hi() key-stretching function is PBKDF2 with HMAC-SHA-1, which most standard libraries also provide). See the python driver implementation for one example.
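As an added illustration of the native implementation the note above calls for (this is example code, not the server's, the ticket's, or any listed driver's code), the RFC 5802 conversation in plain Python using only hashlib and hmac from the standard library. Both sides are shown: the server holds only salt, iteration count, StoredKey and ServerKey, the client proves knowledge of the password without ever sending it, and the client in turn checks the ServerSignature so a fake server cannot pass itself off as the real one. Assumptions: the "n,," GS2 header (no channel binding), and the raw UTF-8 password as the SCRAM password; MongoDB drivers actually feed SCRAM a pre-hashed form of the password, a step this ticket does not describe and which is left out here. The rfc5802_example() function replays the worked exchange from RFC 5802 section 5 with its fixed nonces and salt, and default_mechanism() encodes the wire-version rule from the list above.

```python
# Added illustration, not driver code. Assumes the "n,," GS2 header and the raw UTF-8 password as the SCRAM password.
import base64
import hashlib
import hmac
import secrets

# Primitives from RFC 5802 section 2.2; Hi() is exactly PBKDF2 with HMAC-SHA-1.
def _hmac(key: bytes, msg: bytes) -> bytes: return hmac.new(key, msg, hashlib.sha1).digest()
def _h(msg: bytes) -> bytes: return hashlib.sha1(msg).digest()
def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def _hi(password: bytes, salt: bytes, i: int) -> bytes: return hashlib.pbkdf2_hmac("sha1", password, salt, i)
def _b64(raw: bytes) -> str: return base64.b64encode(raw).decode("ascii")
def _nonce() -> str: return _b64(secrets.token_bytes(18))  # unpredictable, printable, comma-free
def _saslname(user: str) -> str: return user.replace("=", "=3D").replace(",", "=2C")

def _parse(msg: str) -> dict:
    # "k=v,k=v": split each pair at its first '=' only, since base64 values may end in '='.
    return {k: v for k, _, v in (p.partition("=") for p in msg.split(","))}

class ScramClient:
    def __init__(self, username: str, password: bytes, nonce: str = ""):
        self.username, self.password, self.c_nonce = username, password, nonce or _nonce()
        self.client_first_bare, self.server_sig = "", b""

    def client_first(self) -> str:
        self.client_first_bare = f"n={_saslname(self.username)},r={self.c_nonce}"
        return "n,," + self.client_first_bare  # GS2 header "n,,": no channel binding

    def client_final(self, server_first: str) -> str:
        attrs = _parse(server_first)
        nonce, salt, iters = attrs["r"], base64.b64decode(attrs["s"]), int(attrs["i"])
        if not nonce.startswith(self.c_nonce):
            raise ValueError("server nonce does not extend ours")
        salted = _hi(self.password, salt, iters)
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c={_b64(b'n,,')},r={nonce}"
        auth_message = ",".join([self.client_first_bare, server_first, without_proof]).encode()
        client_sig = _hmac(_h(client_key), auth_message)
        # Keep the ServerSignature we expect, so the server has to prove itself as well.
        self.server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
        return f"{without_proof},p={_b64(_xor(client_key, client_sig))}"

    def verify_server(self, server_final: str) -> bool:
        return hmac.compare_digest(base64.b64decode(_parse(server_final)["v"]), self.server_sig)

class ScramServer:
    """One user's SCRAM credentials: salt, i, StoredKey and ServerKey; the password is not kept."""
    def __init__(self, username: str, password: bytes, salt: bytes = b"",
                 iterations: int = 4096, nonce: str = ""):
        self.username, self.iterations = _saslname(username), iterations
        self.salt, self.s_nonce = salt or secrets.token_bytes(16), nonce or _nonce()
        salted = _hi(password, self.salt, iterations)
        self.stored_key = _h(_hmac(salted, b"Client Key"))
        self.server_key = _hmac(salted, b"Server Key")
        self.client_first_bare = self.server_first = self.nonce = ""

    def handle_client_first(self, client_first: str) -> str:
        if not client_first.startswith("n,,"):
            raise ValueError("only the 'n,,' GS2 header is handled here")
        self.client_first_bare = client_first[3:]
        attrs = _parse(self.client_first_bare)
        if attrs.get("n") != self.username:
            raise ValueError("unknown user")  # production servers answer with a fake salt instead
        self.nonce = attrs["r"] + self.s_nonce
        self.server_first = f"r={self.nonce},s={_b64(self.salt)},i={self.iterations}"
        return self.server_first

    def handle_client_final(self, client_final: str):
        attrs = _parse(client_final)
        if "p" not in attrs or attrs.get("c") != _b64(b"n,,") or attrs.get("r") != self.nonce:
            return None
        without_proof = client_final[: client_final.rfind(",p=")]
        auth_message = ",".join([self.client_first_bare, self.server_first, without_proof]).encode()
        client_key = _xor(base64.b64decode(attrs["p"]), _hmac(self.stored_key, auth_message))
        if not hmac.compare_digest(_h(client_key), self.stored_key):
            return None  # wrong password or tampered exchange; nothing replayable was exposed
        return f"v={_b64(_hmac(self.server_key, auth_message))}"

def authenticate(client: ScramClient, server: ScramServer) -> bool:
    """Run the four-message conversation; True only when both sides verified each other."""
    server_first = server.handle_client_first(client.client_first())
    server_final = server.handle_client_final(client.client_final(server_first))
    return server_final is not None and client.verify_server(server_final)

def rfc5802_example() -> list:
    """Replay the RFC 5802 section 5 exchange (user "user", password "pencil") with its fixed nonces and salt."""
    client = ScramClient("user", b"pencil", nonce="fyko+d2lbbFgONRv9qkxdawL")
    server = ScramServer("user", b"pencil", salt=base64.b64decode("QSXCR+Q6sek8bf92"),
                         iterations=4096, nonce="3rfcNHYJY1ZVvWVs7j")
    c1 = client.client_first()
    s1 = server.handle_client_first(c1)
    c2 = client.client_final(s1)
    s2 = server.handle_client_final(c2)
    return [c1, s1, c2, s2]

def default_mechanism(max_wire_version: int, auth_mechanism: str = "") -> str:
    """The ticket's selection rule: honour an explicit authMechanism, else choose by wire version."""
    return auth_mechanism or ("SCRAM-SHA-1" if max_wire_version >= 3 else "MONGODB-CR")
```

Two checks a driver must not skip: the client refuses a server nonce that does not start with its own (otherwise a replayed or attacker-chosen nonce can be substituted), and it refuses to treat authentication as finished until the server's v= value matches the ServerSignature it computed itself. Both comparisons use hmac.compare_digest so timing does not leak how many bytes matched.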


Generated at Thu Feb 08 08:20:54 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.