Summary
This project will shorten the SCRAM conversation between client and server. The SCRAM handshake involves the following steps:
- The client advertises the name of the user it wishes to authenticate as.
- The server replies with user-specific mechanism parameters
- The client sends a proof of knowledge derived from the parameters and the password.
- The server replies with a proof that it knew the password.
- The client sends an empty message.
- The server replies with an empty message, along with the
{done: true}flag.
We will remove steps 5 and 6, and the server will advertise
{done: true}
in step 4.
Clients can opt into the shorter SCRAM conversation with the following saslStart command:
{
saslStart: 1,
mechanism: 'SCRAM-SHA-256',
options: { skipEmptyExchange: true },
payload: '...',
}
Note that older server versions will ignore the options, so no wire version check is required. The options can be sent to all server versions. Older server versions will just continue to use the longer SASL conversations, so clients needing to authenticate to pre-4.4 servers have to be able to handle both types of exchanges.
Documentation
- depends on
-
GODRIVER-1390 Support shorter SCRAM conversation
-
- Closed
-
-
-
- Closed
-
-
CDRIVER-3418 Support shorter SCRAM conversation
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
PHPC-1478 Support shorter SCRAM conversation
-
- Closed
-
-
-
- Closed
-