/ /

/ /

SCRAM

Salted Challenge Response Authentication Mechanism (SCRAM) is the default authentication mechanism for MongoDB.

When a user authenticates themselves, MongoDB uses SCRAM to verify the supplied user credentials against the user's name, password and authentication database.

SCRAM is based on the IETF RFC 5802 standard that defines best practices for the implementation of challenge-response mechanisms for authenticating users with passwords.

Important

You cannot use both SCRAM authentication and another authentication type for the same user.

Features

MongoDB's implementation of SCRAM provides:

A tunable work factor (the iteration count)
Per-user random salts
Bi-directional authentication between server and client

SCRAM Mechanisms

MongoDB supports the following SCRAM mechanisms:

SCRAM Mechanism	Description
`SCRAM-SHA-1`	Uses the SHA-1 hashing function. To modify the iteration count for `SCRAM-SHA-1`, see `scramIterationCount`.
`SCRAM-SHA-256`	Uses the SHA-256 hashing function. To modify the iteration count for `SCRAM-SHA-256`, see `scramSHA256IterationCount`.

When you create or update a SCRAM user, you can indicate:

the SCRAM mechanism to use
whether the server or the client digests the password

When you use SCRAM-SHA-256, MongoDB requires server-side password hashing, which means that the server digests the password. For more information, see db.createUser() and db.updateUser().

Driver Support

The minimum driver versions that support SCRAM are:

Driver Language	Version	Driver Language	Version
C	1.1.0	PHP	1.0
C++	1.0.0	Python	2.8
C#	1.10	Perl	1.0.0
Go	1.0.0	Ruby	1.12
Java	2.13	Rust	1.0.0
Motor	0.4	Scala	2.8.0
Node.js	1.4.29	Swift	1.0.0

Additional Information

If you use SCRAM-SHA-1:

md5 is necessary but is not used for cryptographic purposes, and
if you use FIPS mode, then instead of SCRAM-SHA-1 use:
- SCRAM-SHA-256,
- Kerberos,
- LDAP, or
- X.509

Back

List

Authenticate Clients