SCRAM

Note

Starting in version 4.0, MongoDB removes support for the deprecated MongoDB Challenge-Response (MONGODB-CR) authentication mechanism.

If your deployment has user credentials stored in MONGODB-CR schema, you must upgrade to SCRAM before you upgrade to version 4.0. For information on upgrading to SCRAM, see Upgrade to SCRAM.

Salted Challenge Response Authentication Mechanism (SCRAM) is the default authentication mechanism for MongoDB. SCRAM is based on the IETF RFC 5802 standard that defines best practices for implementation of challenge-response mechanisms for authenticating users with passwords.

Using SCRAM, MongoDB verifies the supplied user credentials against the user’s name, password and authentication database. The authentication database is the database where the user was created and, together with the user’s name, serves to identify the user.

Features

MongoDB’s implementation of SCRAM provides:

  • A tunable work factor (i.e. the iteration count),
  • Per-user random salts, and
  • Authentication of the server to the client as well as the client to the server.
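
The three properties listed above, traced through the RFC 5802 key derivation with SHA-256, as an added example (not MongoDB's own code). Function names, the 28-byte salt, the 4096 iteration count and the sample password are constructed for illustration; SASLprep normalization and message parsing are omitted, and the client is handed the salt and iteration count directly instead of reading them from the server's first message.

```python
import hashlib, hmac, os
from base64 import b64encode

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def salted_password(password, salt, iterations):
    # Work factor: PBKDF2 cost grows linearly with the iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_credentials(password, iterations=4096):  # sample count, constructed
    salt = os.urandom(28)  # per-user random salt
    sp = salted_password(password, salt, iterations)
    # The server keeps derived keys only, never the password itself.
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha256(mac(sp, b"Client Key")).digest(),
            "server_key": mac(sp, b"Server Key")}

def client_proof(password, salt, iterations, auth_message):
    sp = salted_password(password, salt, iterations)
    client_key = mac(sp, b"Client Key")
    signature = mac(hashlib.sha256(client_key).digest(), auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    # Also return the ServerSignature the client expects back.
    return proof, mac(mac(sp, b"Server Key"), auth_message)

def server_verify(cred, proof, auth_message):
    signature = mac(cred["stored_key"], auth_message)
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), cred["stored_key"]):
        return None  # wrong password: proof does not unwrap to ClientKey
    return mac(cred["server_key"], auth_message)  # proves server knows ServerKey

def run_exchange(cred, password, user="user"):
    cnonce = b64encode(os.urandom(18)).decode()
    nonce = cnonce + b64encode(os.urandom(18)).decode()
    salt_b64 = b64encode(cred["salt"]).decode()
    auth_message = (f"n={user},r={cnonce},r={nonce},s={salt_b64},i={cred['i']},"
                    f"c=biws,r={nonce}").encode()
    proof, expected = client_proof(password, cred["salt"], cred["i"], auth_message)
    server_sig = server_verify(cred, proof, auth_message)
    client_accepts = server_sig is not None and hmac.compare_digest(server_sig, expected)
    return server_sig is not None, client_accepts

if __name__ == "__main__":
    cred = make_credentials("pencil")  # constructed sample password
    print(run_exchange(cred, "pencil"), run_exchange(cred, "wrong"))
```

run_exchange returns (server accepted client, client accepted server); the second value is the mutual-authentication check, which a server that does not hold the user's ServerKey cannot pass.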

SCRAM Mechanisms

MongoDB supports the following SCRAM mechanisms:

| SCRAM Mechanism | Description |
|---|---|
| SCRAM-SHA-1 | Uses the SHA-1 hashing function. To modify the iteration count for SCRAM-SHA-1, see scramIterationCount. |
| SCRAM-SHA-256 | Uses the SHA-256 hashing function and requires featureCompatibilityVersion (fcv) set to 4.0. To modify the iteration count for SCRAM-SHA-256, see scramSHA256IterationCount. New in version 4.0. |

When creating or updating a SCRAM user, you can indicate the specific SCRAM mechanism as well as indicate whether the server or the client digests the password. When using SCRAM-SHA-256, MongoDB requires server-side password hashing, i.e. the server digests the password. For details, see db.createUser() and db.updateUser().

Driver Support

To use SCRAM, you must upgrade your driver if your current driver version does not support SCRAM.

The minimum driver versions that support SCRAM are:

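| Driver Language | Version | Driver Language | Version |
|---|---|---|---|
| C | 1.1.0 | Perl | 1.0.0 |
| C++ | 1.0.0 | PHP | 1.0 |
| C# | 1.10 | Python | 2.8 |
| Java | 2.13 | Motor | 0.4 |
| Node.js | 1.4.29 | Ruby | 1.12 |
| Scala | 2.8.0 | | |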

Additional Information