- Type: Task
- Resolution: Done
- Priority: Major - P3
- Component/s: None
Server 2.8 will be implementing SCRAM-SHA-1 as a new authentication mechanism. Eventually, it will become the default mechanism in the server and MONGODB-CR will be removed.
As such, all drivers will need to support SCRAM-SHA-1 for the 2.8 release. RFC 5802 describes the mechanism and how it should be implemented.
To support authentication upgrades from older versions of MongoDB to 2.8, drivers will use the following algorithm:
- If the application specifies a particular authMechanism (e.g. MONGODB-CR) the driver will continue to honor it.
- If the application provides a user and password, or calls the driver's authenticate method, but provides no explicit authMechanism, the following applies:
  - If the server's maxWireVersion >= 3 the driver will use SCRAM-SHA-1 (i.e. the driver's default mechanism is SCRAM-SHA-1)
  - If the server's maxWireVersion < 3 the driver will use MONGODB-CR (i.e. the driver's default mechanism remains MONGODB-CR)
  - The server's maxWireVersion is being bumped to 3 for MongoDB 2.8 - See SERVER-15330
MongoDB 2.8 will always support SCRAM-SHA-1 if at least MONGODB-CR was specified in --authenticationMechanisms, so drivers do not have to "try and fall back". If SCRAM credentials don't yet exist for a user, the server will create them on-the-fly when the driver uses SCRAM-SHA-1 as the mechanism.
Note - RFC 5802 SCRAM is relatively new (2010). The version of cyrus-sasl that ships with RHEL/CentOS 5/6 and Amazon Linux (2.1.23) does not support SCRAM at all. Drivers cannot use cyrus-sasl to implement SCRAM-SHA-1 and will have to write native implementations. If your language runtime or standard library provides an implementation of HMAC and SHA1, this is not difficult following the RFC. See the python driver implementation for one example.
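The client side of the RFC 5802 computation using only HMAC and SHA-1 from the Python standard library, as an added example (not the python driver's code or any other project's). Function names are hypothetical; it assumes ASCII credentials (no SASLprep) and no channel binding, and it does not cover how a particular server prepares the password before Hi().

```python
import base64
import hashlib
import hmac

# Example exchange from RFC 5802, section 5 (user "user", password "pencil").
RFC_CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
RFC_SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"


def _hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def scram_sha1_client_final(user, password, client_nonce, server_first):
    """Return (client-final-message, expected base64 ServerSignature)."""
    # "=" and "," are reserved in SCRAM attributes and must be escaped.
    safe_user = user.replace("=", "=3D").replace(",", "=2C")
    client_first_bare = f"n={safe_user},r={client_nonce}"

    # server-first-message has the form r=<nonce>,s=<base64 salt>,i=<count>
    fields = dict(part.split("=", 1) for part in server_first.split(","))
    nonce, salt, count = fields["r"], base64.b64decode(fields["s"]), int(fields["i"])
    # The server must extend our nonce; otherwise the reply is not for this
    # conversation (replayed or spliced) and must be rejected.
    if nonce == client_nonce or not nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")

    # Hi(password, salt, i) in the RFC is PBKDF2 with HMAC-SHA-1.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, count)
    client_key = _hmac_sha1(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()

    # c=biws is base64("n,,"), the GS2 header without channel binding.
    without_proof = f"c=biws,r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()

    client_signature = _hmac_sha1(stored_key, auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, client_signature))
    server_signature = _hmac_sha1(_hmac_sha1(salted, b"Server Key"), auth_message)
    client_final = f"{without_proof},p={base64.b64encode(proof).decode()}"
    return client_final, base64.b64encode(server_signature).decode()


def verify_server_final(server_final, expected_signature):
    """Constant-time check of the server's v= value (mutual authentication)."""
    if not server_final.startswith("v="):
        return False  # e.g. an e=<error> reply
    return hmac.compare_digest(server_final[2:].encode(), expected_signature.encode())
```

Checking the server's `v=` value is what lets the client detect a server that does not actually hold the user's credentials, so a native implementation should not skip that step.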
- depends on
  - SERVER-14830 SCRAM-SHA-1 conversations fail to complete (Closed)
  - JAVA-828 Support SASL SCRAM-SHA1 authentication (Closed)
  - JAVA-1461 Support authentication mechanism negotiation (Closed)
  - NODE-230 Implement the SCRAM-SHA-1 SASL Mechanism (Closed)
  - PYTHON-706 Implement SCRAM-SHA-1 Authentication Mechanism (Closed)
  - SERVER-7596 Support SCRAM-SHA-1 SASL Mechanism (Closed)
  - CSHARP-990 Implement SCRAM-SHA-1 Authentication Mechanism (Closed)
  - CXX-298 Implement the SCRAM-SHA-1 SASL Mechanism (Closed)
  - CDRIVER-404 Implement the SCRAM-SHA-1 SASL Mechanism (Closed)
  - PYTHON-764 SCRAM-SHA-1 upgrade / downgrade support (Closed)
  - RUBY-791 Implement the SCRAM-SHA-1 SASL Mechanism (Closed)
- is related to
  - SERVER-16167 2.8.0-rc0 shell can't auth to a 2.4 server (Closed)
  - SERVER-15177 Use native SCRAM-SHA-1 in Enterprise version (Closed)
  - SERVER-15179 Upgrade/downgrade steps MONGODB-CR -> SCRAM (Closed)
- related to
  - CXX-394 Do not use MONGODB-CR for recent 2.7 builds (Closed)