How to validate a plain password (clear text) against credentials ("SCRAM-SHA-1" type)

Here is my use case:

I would like to fetch a user’s password from a secret manager service and check that password against the MongoDB user’s password. When the password does not match, I should update it on the MongoDB side.
I ran the query below, which gives the credentials response:

MainRepSet:PRIMARY> db.getUser("ingestion_user", {
...      showCredentials: true
... });
{
	"_id" : "admin.inge_user",
	"userId" : UUID("2202a545-f284-48c3-a185-58a7fd355c3c"),
	"user" : "ingestion_user",
	"db" : "admin",
	"credentials" : {
		"SCRAM-SHA-1" : {
			"iterationCount" : 10000,
			"salt" : "salt1",
			"storedKey" : " storedkey11dummy",
			"serverKey" : " serverKey2somedummy"
		}
	},
	"roles" : [
		{
			"role" : "readWrite",
			"db" : "ads"
		}
	],
	"mechanisms" : [
		"SCRAM-SHA-1"
	]
}

Without using a connection as the respective user, how can I validate my plain password against the above credentials payload (salt, storedKey, serverKey)? I would like to validate the logic using Golang.
Please, let me know if there is any algorithm for how the plain password can be validated.
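The check the question asks for, as an added Go example that is not from either poster: it recomputes StoredKey and ServerKey per RFC 5802 from the plaintext password and the base64 salt and iterationCount printed by db.getUser(..., {showCredentials: true}), and compares them in constant time. It assumes MongoDB's SCRAM-SHA-1 convention of first mapping the password to hex(MD5(user + ":mongo:" + password)), and it implements PBKDF2-HMAC-SHA1 by hand (standard library only) because SCRAM-SHA-1 needs exactly one 20-byte block.

```go
package main
import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
)

// pbkdf2SHA1: PBKDF2-HMAC-SHA1, one 20-byte block (U1 = HMAC(pw, salt||INT(1)), Ui = HMAC(pw, Ui-1), XOR all).
func pbkdf2SHA1(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha1.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// DeriveScramSHA1 derives StoredKey/ServerKey (RFC 5802); MongoDB first maps the password to hex(MD5(user+":mongo:"+password)).
func DeriveScramSHA1(user, password string, salt []byte, iterations int) (storedKey, serverKey []byte) {
	sum := md5.Sum([]byte(user + ":mongo:" + password))
	salted := pbkdf2SHA1([]byte(hex.EncodeToString(sum[:])), salt, iterations)
	ck := hmac.New(sha1.New, salted)
	ck.Write([]byte("Client Key"))
	sk := hmac.New(sha1.New, salted)
	sk.Write([]byte("Server Key"))
	st := sha1.Sum(ck.Sum(nil)) // StoredKey = SHA1(ClientKey)
	return st[:], sk.Sum(nil)
}

// VerifyScramSHA1 checks a password against the base64 salt/storedKey/serverKey from db.getUser(..., {showCredentials: true}).
func VerifyScramSHA1(user, password, saltB64, storedB64, serverB64 string, iterations int) (bool, error) {
	salt, err := base64.StdEncoding.DecodeString(saltB64)
	if err != nil {
		return false, err
	}
	st, sk := DeriveScramSHA1(user, password, salt, iterations)
	enc := base64.StdEncoding.EncodeToString // constant-time compare on the encoded form
	return subtle.ConstantTimeCompare([]byte(enc(st)), []byte(storedB64)) == 1 && subtle.ConstantTimeCompare([]byte(enc(sk)), []byte(serverB64)) == 1, nil
}
```

A false result from VerifyScramSHA1 means the secret-manager value and the MongoDB credential have drifted, which is the trigger for the updateUser step in the question; note that the username is part of the hash, so a renamed user never matches.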

Hey :wave: @ganesh_rs,

Welcome to the MongoDB Community!

Based on the details you’ve shared I think that you’re looking for a way to compare a plaintext password stored in some system against the SCRAM-SHA-1 password hash stored in MongoDB. Is this correct?

It’s important to note two things:

  • One is that storing or sending passwords in clear text is highly insecure, which is why modern systems do not do this.
  • Second is that the SCRAM method authenticates both client and server to each other (see MongoDB Developer Data Platform With Strong Security Capabilities | MongoDB for more details) and it’s not possible to recover the user’s plaintext password using the stored credentials in the server.

Further, if you need to implement federated login functionality, it is best to leverage established protocols like Kerberos. These protocols provide secure authentication and single sign-on capabilities.

However, feel free to reach out, in case you have any further questions.

Regards,
Kushagra