How to validate a plain password (clear text) against credentials ("SCRAM-SHA-1" type)

Ops and Admin Enterprise Tools
1

Here is my use case:

I would like to fetch a user’s password from a secret manager service and check that password against the MongoDB user’s password. when the password is not matching, I should update it on the MongoDB side.
I ran the below query which gives the credentials response

MainRepSet:PRIMARY> db.getUser("ingestion_user", {
...      showCredentials: true
... });
{
	"_id" : "admin.inge_user",
	"userId" : UUID("2202a545-f284-48c3-a185-58a7fd355c3c"),
	"user" : "ingestion_user",
	"db" : "admin",
	"credentials" : {
		"SCRAM-SHA-1" : {
			"iterationCount" : 10000,
			"salt" : "salt1",
			"storedKey" : " storedkey11dummy",
			"serverKey" : " serverKey2somedummy"
		}
	},
	"roles" : [
		{
			"role" : "readWrite",
			"db" : "ads"
		}
	],
	"mechanisms" : [
		"SCRAM-SHA-1"
	]
}

without using a connection to the respective user, how can I validate my plain password against the above credentials payload, salt, storedKey, server key? I would like to validate the logic using Golang.
Please, let me know if there is any algorithm for how the plain password can be validated.

3

Hey :wave: @ganesh_rs,

Welcome to the MongoDB Community!

Based on the details you’ve shared I think that you’re looking for a way to compare a plaintext password stored in some system against the SCRAM-SHA-1 password hash stored in MongoDB. Is this correct?

It’s important to note two things:

Further, if you need to implement federated login functionality, it is best to leverage established protocols like Kerberos. These protocols provide secure authentication and single sign-on capabilities.

However, feel free to reach out, in case you have any further questions.

Regards,
Kushagra