[DRIVERS-439] SCRAM-SHA-256 Support Created: 17/Jan/18  Updated: 28/Oct/23  Resolved: 23/Aug/18

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: New Feature Priority: Major - P3
Reporter: Rathi Gnanasekaran Assignee: Rathi Gnanasekaran
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on CDRIVER-2491 SCRAM-SHA-256 Support Closed
depends on CSHARP-2171 SCRAM-SHA-256 Support Closed
depends on CXX-1509 SCRAM-SHA-256 Support Closed
depends on DRIVERS-444 Implement SASLPrep Closed
depends on GODRIVER-216 SCRAM-SHA-256 Support Closed
depends on JAVA-2771 SCRAM-SHA-256 Support Closed
depends on MOTOR-194 SCRAM-SHA-256 Support Closed
depends on NODE-1311 SCRAM-SHA-256 Support Closed
depends on PHPC-1108 SCRAM-SHA-256 Support Closed
depends on PYTHON-1464 SCRAM-SHA-256 Support Closed
depends on RUBY-1293 SCRAM-SHA-256 Support Closed
depends on RUST-87 SCRAM-SHA-256 Support Closed
Related
Server Compat: 4.0
Start date:
Driver Compliance:
Key Status/Resolution FixVersion
NODE-1311 Fixed 3.1.0
SCALA-375 Fixed 2.4.0
PYTHON-1464 Fixed 3.7
CSHARP-2171 Fixed 2.7.0
PERL-858 Works as Designed
RUBY-1293 Fixed 2.6.0
JAVA-2771 Fixed 3.8.0
CXX-1509 Fixed 3.4.0
PHPC-1108 Fixed 1.5.0
MOTOR-194 Fixed 2.0
GODRIVER-216 Fixed 0.0.12
CDRIVER-2491 Fixed 1.11.0
RUST-87 Fixed 0.9.0-alpha
SWIFT-441 Done

Description

Update 2018-03-01: the updated auth spec is now available. Testing will require a master nightly server release (or waiting for 3.7.3).

Original:

The next version of MongoDB will include SCRAM-SHA-256 as an authentication type. This is defined in RFC 7677. The sample conversation from the RFC is:

 This is a simple example of a SCRAM-SHA-256 authentication exchange... The username
   'user' and password 'pencil' are being used
 
   C: n,,n=user,r=rOprNGfwEbeRWgbNEkqO
 
   S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
      s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096
 
   C: c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
      p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=
 
   S: v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=

In advance of updates to the Auth spec, which will include additional details of mechanism negotiation and user/password normalization (see DRIVERS-444), all drivers should take steps now to ensure their SCRAM libraries are capable of operating in SHA-256 mode, using the sample conversation for verification. (You'll need to force the client nonce to be "rOprNGfwEbeRWgbNEkqO" for the test conversation to work.)

Drivers should validate when they have an RFC-7677 compliant SCRAM-SHA-256 implementation. An additional drivers ticket will be opened for Auth Spec changes based on the server's actual implementation.
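As an added self-check (not code from this ticket or from any MongoDB driver), the following Python pins the client nonce to the RFC value and reproduces the client proof and server signature from the sample conversation above; it assumes the SASLprep step of DRIVERS-444 is the identity for the ASCII password "pencil".

```python
import base64
import hashlib
import hmac

# Values taken from the RFC 7677 sample exchange quoted in the ticket.
USERNAME = "user"
PASSWORD = "pencil"
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"  # pinned, as the ticket says
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")


def _parse(msg):
    """Split 'k=v,k=v' SCRAM attributes (values may themselves contain '=')."""
    return dict(field.split("=", 1) for field in msg.split(","))


def scram_sha256_client(username, password, client_nonce, server_first):
    """Return (client-final message, expected server-final message).

    Assumption: password is already SASLprep-normalized (identity for 'pencil').
    """
    client_first_bare = f"n={username},r={client_nonce}"
    attrs = _parse(server_first)
    combined_nonce = attrs["r"]
    # The server must echo our nonce as a prefix; otherwise abort the exchange.
    if not combined_nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend client nonce")
    salt = base64.b64decode(attrs["s"])
    iterations = int(attrs["i"])
    salted_password = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    channel_binding = base64.b64encode(b"n,,").decode()  # "biws": no channel binding
    client_final_bare = f"c={channel_binding},r={combined_nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_proof = bytes(a ^ b for a, b in zip(client_key, client_signature))
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha256).digest()
    server_signature = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    client_final = f"{client_final_bare},p={base64.b64encode(client_proof).decode()}"
    return client_final, f"v={base64.b64encode(server_signature).decode()}"


def server_final_is_valid(received, expected):
    """Constant-time check of the server's 'v=' value against our own computation."""
    return hmac.compare_digest(received.encode(), expected.encode())
```

A driver's SCRAM library passes this check when its client-final message and the verifier it accepts match the RFC's "p=" and "v=" values exactly.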

As of MongoDB 3.7.3 it is possible to create SCRAM-SHA-256 users for testing and development:

MongoDB Enterprise > db.adminCommand( { getParameter: 1, featureCompatibilityVersion: 1 } )
{ "featureCompatibilityVersion" : { "version" : "3.6" }, "ok" : 1 }
MongoDB Enterprise > db.adminCommand( { setFeatureCompatibilityVersion: "4.0" } )
{ "ok" : 1 }
MongoDB Enterprise > db.createUser({user: 'foo', pwd: 'bar', roles: ['root'], mechanisms: ['SCRAM-SHA-1', 'SCRAM-SHA-256']})
Successfully added user: {
	"user" : "foo",
	"roles" : [
		"root"
	],
	"mechanisms" : [
		"SCRAM-SHA-1",
		"SCRAM-SHA-256"
	]
}
MongoDB Enterprise > db.system.users.find().pretty()
{
	"_id" : "admin.foo",
	"user" : "foo",
	"db" : "admin",
	"credentials" : {
		"SCRAM-SHA-1" : {
			"iterationCount" : 10000,
			"salt" : "/F0KadCJa77F/zdIjz7zRQ==",
			"storedKey" : "2I0MCswchy/1V9Z6lWIzt9NXYA4=",
			"serverKey" : "hl59xG+Us9udS/dR2N60Rh66zKA="
		},
		"SCRAM-SHA-256" : {
			"iterationCount" : 15000,
			"salt" : "PrVrIA6rsotQQkrytZ1nkN6ZGX2AZXm7FpQzMg==",
			"storedKey" : "vgoknTccjZtSnhUcjbgxG4wP4CjPEstQIFKehH/2zS4=",
			"serverKey" : "p85+pVuVb2yKlOgNF9Q+we0yp5xmPjJo9/oI5EA+WT8="
		}
	},
	"roles" : [
		{
			"role" : "root",
			"db" : "admin"
		}
	]
}

The server has to be in 4.0 feature compatibility mode for SCRAM-SHA-256 credentials to be created. See SERVER-32974 for more details.

------------------

Update 2/22 - The default FCV is now 4.0 in MongoDB master, enabling SCRAM-SHA-256 support by default.



Comments
Comment by Githook User [ 17/Apr/18 ]

Author:

{'name': 'Ross Lawley', 'email': 'ross.lawley@gmail.com', 'username': 'rozza'}

Message: Clarified defaults for auth mechanisms

Normalized the test cases
Added yml file
Added SCRAM-SHA-256 test
Fixed PLAIN authSource requirements

SPEC-1042 SPEC-818 DRIVERS-410 DRIVERS-439
Branch: master
https://github.com/mongodb/specifications/commit/afa46038ccf26af5e4ee2dfde031b57686ddea71
