[DRIVERS-707] Support shorter SCRAM conversation Created: 06/Aug/19  Updated: 28/Oct/23  Resolved: 23/Sep/20

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: Epic Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on GODRIVER-1390 Support shorter SCRAM conversation Closed
depends on JAVA-3491 Support shorter SCRAM conversation Closed
depends on CDRIVER-3418 Support shorter SCRAM conversation Closed
depends on CSHARP-2833 Support shorter SCRAM conversation Closed
depends on CXX-1867 Support shorter SCRAM conversation Closed
depends on MOTOR-448 Support shorter SCRAM conversation Closed
depends on NODE-2301 Support shorter SCRAM conversation Closed
depends on PYTHON-2029 Support shorter SCRAM conversation Closed
depends on RUST-366 Support shorter SCRAM conversation Closed
depends on PHPC-1478 Support shorter SCRAM conversation Closed
depends on RUBY-1994 Support shorter SCRAM conversation Closed
Server Compat: 4.4
Quarter: FY20Q3
Driver Compliance:
Key Status/Resolution FixVersion
GODRIVER-1390 Fixed 1.4.0
RUBY-1994 Fixed 2.13.0.beta1
JAVA-3491 Fixed 4.1.0
CDRIVER-3418 Fixed 1.17.0-beta, 1.17.0
CSHARP-2833 Fixed 2.11.0
CXX-1867 Gone away
PYTHON-2029 Fixed 3.11
NODE-2301 Fixed 3.6.0
MOTOR-448 Works as Designed
PHPC-1478 Fixed 1.8.0-beta1, 1.8.0
RUST-366 Fixed 1.2.0
SWIFT-791 Fixed 1.1.0

 Description   
Epic Summary

 

Summary

This project will shorten the SCRAM conversation between client and server. The SCRAM handshake involves the following steps:

  1. The client advertises the name of the user it wishes to authenticate as.
  2. The server replies with user-specific mechanism parameters.
  3. The client sends a proof of knowledge derived from the parameters and the password.
  4. The server replies with a proof that it knew the password.
  5. The client sends an empty message.
  6. The server replies with an empty message, along with the {done: true} flag.

We will remove steps 5 and 6, and the server will advertise {done: true} in step 4.

Clients can opt into the shorter SCRAM conversation with the following saslStart command:

{
  saslStart: 1,
  mechanism: 'SCRAM-SHA-256',
  options: { skipEmptyExchange: true },
  payload: '...',
}

Note that older server versions will ignore the options, so no wire version check is required. The options can be sent to all server versions. Older server versions will just continue to use the longer SASL conversations, so clients needing to authenticate to pre-4.4 servers have to be able to handle both types of exchanges. 
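
Added example, not code from this ticket or from any MongoDB driver: a client that always sends skipEmptyExchange, verifies the server signature from step 4 before trusting the done flag, and falls back to the empty exchange when the server does not finish early. FakeServer, authenticate and the dict-shaped commands are constructed stand-ins for the wire protocol; the user name and password are assumed to be plain ASCII, so SASLprep and name escaping are no-ops.

```python
import base64, hashlib, hmac, os

def _hmac(key, msg): return hmac.new(key, msg, hashlib.sha256).digest()
def _b64(raw): return base64.b64encode(raw).decode()

class FakeServer:  # constructed stand-in for mongod; it does not check the client proof
    def __init__(self, password, honours_option):
        self.salt, self.iters, self.honours, self.step = os.urandom(16), 4096, honours_option, 0
        self.salted = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.iters)
    def run(self, cmd):
        self.step += 1
        if self.step == 1:  # step 2; a pre-4.4 server never looks at `options`
            self.skip = self.honours and cmd.get("options", {}).get("skipEmptyExchange", False)
            self.first_bare = cmd["payload"].decode()[3:]  # drop the "n,," header
            nonce = self.first_bare.split(",r=")[1] + _b64(os.urandom(18))
            self.first = f"r={nonce},s={_b64(self.salt)},i={self.iters}"
            return {"conversationId": 1, "done": False, "payload": self.first.encode()}
        if self.step == 2:  # step 4; done:true here only on the short path
            final_bare = cmd["payload"].decode().rsplit(",p=", 1)[0]
            auth = ",".join([self.first_bare, self.first, final_bare]).encode()
            sig = _hmac(_hmac(self.salted, b"Server Key"), auth)
            return {"conversationId": 1, "done": self.skip, "payload": f"v={_b64(sig)}".encode()}
        return {"conversationId": 1, "done": True, "payload": b""}  # step 6

def authenticate(server, user, password):
    """Run SCRAM-SHA-256 and return the round-trip count: 2 short, 3 long."""
    cnonce = _b64(os.urandom(18))
    first_bare = f"n={user},r={cnonce}"
    r = server.run({"saslStart": 1, "mechanism": "SCRAM-SHA-256",
                    "options": {"skipEmptyExchange": True}, "payload": f"n,,{first_bare}".encode()})
    server_first = r["payload"].decode()
    f = dict(kv.split("=", 1) for kv in server_first.split(","))
    if not f["r"].startswith(cnonce):
        raise ValueError("server nonce does not extend client nonce")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(f["s"]), int(f["i"]))
    final_bare = f"c=biws,r={f['r']}"
    auth = ",".join([first_bare, server_first, final_bare]).encode()
    ckey = _hmac(salted, b"Client Key")
    proof = bytes(a ^ b for a, b in zip(ckey, _hmac(hashlib.sha256(ckey).digest(), auth)))
    cont = {"saslContinue": 1, "conversationId": r["conversationId"]}
    r = server.run({**cont, "payload": f"{final_bare},p={_b64(proof)}".encode()})
    want = "v=" + _b64(_hmac(_hmac(salted, b"Server Key"), auth))
    if not hmac.compare_digest(r["payload"].decode(), want):
        raise ValueError("server signature mismatch")  # verify before trusting done
    trips = 2
    if not r["done"]:  # older server: finish with the empty exchange (steps 5 and 6)
        r, trips = server.run({**cont, "payload": b""}), 3
    if not r["done"]:
        raise ValueError("conversation did not complete")
    return trips
```

The same client code completes in two round trips against a server that honours the option and three against one that ignores it; in both cases the server signature is checked before the conversation is treated as finished.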

Documentation

Relevant spec change


Generated at Thu Feb 08 08:22:10 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.