@@ -103,8 +103,8 @@ Userinfo or authentication parameters in connection options MUST NOT be interpre
103103#### Errors
104104
105105Drivers SHOULD raise an error as early as possible when detecting invalid values in a credential. For instance, if a
106- ` mechanism_property ` is specified for [ MONGODB-CR ] ( #mongodb-cr ) , the driver should raise an error indicating that the
107- property does not apply.
106+ ` mechanism_property ` is specified for a mechanism that does not support it , the driver should raise an error indicating
107+ that the property does not apply.
108108
109109Drivers MUST raise an error if any required information for a mechanism is missing. For instance, if a ` username ` is not
110110specified for SCRAM-SHA-256, the driver must raise an error indicating the the property is missing.
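Review bot: The rewritten example at new lines 106-107 loses its concreteness; "a mechanism that does not support it" no longer tells an implementer which mechanisms reject `mechanism_properties`, whereas the old MONGODB-CR example was backed by that mechanism's MongoCredential Properties section stating "mechanism_properties MUST NOT be specified". Suggest naming one of the remaining mechanisms whose properties section carries the same MUST NOT, so the error rule stays testable. While in this paragraph, the unchanged context line 110 has a doubled word: "indicating the the property is missing" should read "indicating that the property is missing".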
@@ -162,8 +162,6 @@ All blocking operations executed as part of the authentication handshake MUST ap
162162
163163#### Mechanism Negotiation via Handshake
164164
165- - Since: 4.0
166-
167165If an application provides a username but does not provide an authentication mechanism, drivers MUST negotiate a
168166mechanism via a ` hello ` or legacy hello command requesting a user's supported SASL mechanisms:
169167
@@ -232,9 +230,6 @@ used when running the authentication spec tests.
232230
233231### Default Authentication Methods
234232
235- - Since: 3.0
236- - Revised: 4.0
237-
238233If the user did not provide a mechanism via the connection string or via code, the following logic describes how to
239234select a default.
240235
@@ -255,98 +250,19 @@ be used as the default, regardless of whether SCRAM-SHA-1 is in the list. Driver
255250mechanism (e.g. PLAIN) as the default.
256251
257252If ` saslSupportedMechs ` is not present in the handshake response for mechanism negotiation, then SCRAM-SHA-1 MUST be
258- used when talking to servers >= 3.0. Prior to server 3.0, MONGODB-CR MUST be used .
253+ used as the default .
259254
260255When a user has specified a mechanism, regardless of the server version, the driver MUST honor this.
261256
262- #### Determining Server Version
263-
264- Drivers SHOULD use the server's wire version ranges to determine the server's version.
265-
266- ### MONGODB-CR
267-
268- - Since: 1.4
269- - Deprecated: 3.0
270- - Removed: 4.0
271-
272- MongoDB Challenge Response is a nonce and MD5 based system. The driver sends a ` getnonce ` command, encodes and hashes
273- the password using the returned nonce, and then sends an ` authenticate ` command.
274-
275- #### Conversation
276-
277- 1 . Send ` getnonce ` command
278-
279- ``` javascript
280- CMD = { getnonce: 1 }
281- RESP = { nonce: < nonce> }
282- ```
283-
284- 2. Compute key
285-
286- ` ` ` javascript
287- passwordDigest = HEX( MD5( UTF8( username + ':mongo:' + password )))
288- key = HEX( MD5( UTF8( nonce + username + passwordDigest )))
289- ` ` `
290-
291- 3. Send ` authenticate` command
292-
293- ` ` ` javascript
294- CMD = { authenticate: 1, nonce: nonce, user: username, key: key }
295- ` ` `
296-
297- As an example, given a username of " user" and a password of " pencil" , the conversation would appear as follows:
298-
299- ` ` ` javascript
300- CMD = {getnonce : 1}
301- RESP = {nonce: "2375531c32080ae8", ok: 1}
302- CMD = {authenticate: 1, user: "user", nonce: "2375531c32080ae8", key: "21742f26431831d5cfca035a08c5bdf6"}
303- RESP = {ok: 1}
304- ` ` `
305-
306- #### [MongoCredential](#mongocredential) Properties
307-
308- - username
309-
310- MUST be specified and non- zero length.
311-
312- - source
313-
314- MUST be specified . Defaults to the database name if supplied on the connection string or ` admin` .
315-
316- - password
317-
318- MUST be specified.
319-
320- - mechanism
321-
322- MUST be " MONGODB-CR"
323-
324- - mechanism_properties
325-
326- MUST NOT be specified.
327-
328257### MONGODB-X509
329258
330- - Since: 2.6
331- - Changed: 3.4
332-
333259MONGODB-X509 is the usage of X.509 certificates to validate a client where the distinguished subject name of the client
334260certificate acts as the username.
335261
336- When connected to MongoDB 3.4 :
337-
338262- You MUST NOT raise an error when the application only provides an X.509 certificate and no username.
339263- If the application does not provide a username you MUST NOT send a username to the server.
340264- If the application provides a username you MUST send that username to the server.
341265
342- When connected to MongoDB 3.2 or earlier:
343-
344- - You MUST send a username to the server.
345- - If no username is provided by the application, you MAY extract the username from the X .509 certificate instead of
346- requiring the application to provide it.
347- - If you choose not to automatically extract the username from the certificate you MUST error when no username is
348- provided by the application.
349-
350266#### Conversation
351267
3522681 . Send ` authenticate ` command (MongoDB 3.4+)
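Review bot: The X.509 conversation heading in the trailing context, "Send `authenticate` command (MongoDB 3.4+)", keeps a version qualifier that this hunk otherwise removes: the "When connected to MongoDB 3.4:" and "When connected to MongoDB 3.2 or earlier:" blocks are gone, so the 3.4+ behaviour is now the only one described and the qualifier should be dropped for consistency. Two further checks for this hunk: the "#### Determining Server Version" subsection is deleted, so any remaining `#determining-server-version` links elsewhere in the document will dangle and should be grepped for; and the new wording "SCRAM-SHA-1 MUST be used as the default" when `saslSupportedMechs` is absent is consistent with the retained text above it, which already prefers SCRAM-SHA-256 whenever it appears in the list. Removing the MONGODB-CR key derivation (an unsalted MD5 of `username + ':mongo:' + password`) is the right call, and no other section on this page still depends on `getnonce`.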
@@ -371,7 +287,7 @@ When connected to MongoDB 3.2 or earlier:
371287
372288- username
373289
374- SHOULD NOT be provided for MongoDB 3.4 + MUST be specified and non - zero length for MongoDB prior to 3.4
290+ SHOULD NOT be provided
375291
376292- source
377293
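Review bot: The new "SHOULD NOT be provided" at line 290 states the rule without its rationale; the MONGODB-X509 section above already explains that the distinguished subject name of the client certificate acts as the username, so adding a short clause such as "the server derives it from the certificate subject" would make clear why supplying one is redundant. The retained bullets ("If the application provides a username you MUST send that username to the server") still agree with SHOULD NOT rather than MUST NOT, so the strength of the requirement is consistent.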
@@ -393,8 +309,6 @@ TODO: Errors
393309
394310### SASL Mechanisms
395311
396- - Since: 2.4 Enterprise
397-
398312SASL mechanisms are all implemented using the same sasl commands and interpreted as defined by the
399313[SASL specification RFC 4422](http://tools.ietf.org/html/rfc4422).
400314
@@ -428,12 +342,6 @@ SASL mechanisms are all implemented using the same sasl commands and interpreted
428342
429343### GSSAPI
430344
431- - Since:
432-
433- 2.4 Enterprise
434-
435- 2.6 Enterprise on Windows
436-
437345GSSAPI is kerberos authentication as defined in [RFC 4752](http://tools.ietf.org/html/rfc4752). Microsoft has a
438346proprietary implementation called SSPI which is compatible with both Windows and Linux clients.
439347
@@ -557,8 +465,6 @@ configuration option is set to `false`.
557465
558466### PLAIN
559467
560- - Since: 2.6 Enterprise
561-
562468The PLAIN mechanism, as defined in [RFC 4616 ](http: // tools.ietf.org/html/rfc4616), is used in MongoDB to perform LDAP
563469authentication . It cannot be used to perform any other type of authentication . Since the credentials are stored outside
564470of MongoDB, the ` $external` database must be used for authentication.
@@ -605,8 +511,6 @@ MongoDB supports either of these forms.
605511
606512### SCRAM - SHA - 1
607513
608- - Since: 3.0
609-
610514SCRAM - SHA - 1 is defined in [RFC 5802 ](http: // tools.ietf.org/html/rfc5802).
611515
612516[Page 11 of the RFC ](http: // tools.ietf.org/html/rfc5802#page-11) specifies that user names be prepared with SASLprep,
@@ -691,8 +595,6 @@ RESP = {conversationId: 1, payload: BinData(0,"dj1VTVdlSTI1SkQxeU5ZWlJNcFo0Vkh2a
691595
692596### SCRAM-SHA-256
693597
694- - Since: 4.0
695-
696598SCRAM-SHA-256 extends [RFC 5802](http://tools.ietf.org/html/rfc5802) and is formally defined in
697599[RFC 7677](https://tools.ietf.org/html/rfc7677).
698600
@@ -757,8 +659,6 @@ RESP = {conversationId: 1, payload: BinData(0, "dj02cnJpVFJCaTIzV3BSUi93dHVwK21N
757659
758660### MONGODB - AWS
759661
760- - Since: 4.4
761-
762662MONGODB - AWS authenticates using AWS IAM credentials (an access key ID and a secret access key),
763663[temporary AWS IAM credentials](https: // docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) obtained from
764664an [AWS Security Token Service (STS )](https: // docs.aws.amazon.com/STS/latest/APIReference/Welcome.html)
@@ -1903,19 +1803,18 @@ def reauth(connection):
19031803
19041804- authMechanism
19051805
1906- MONGODB - CR , MONGODB - X509 , GSSAPI , PLAIN , SCRAM - SHA - 1 , SCRAM - SHA - 256 , MONGODB - AWS
1806+ MONGODB - X509 , GSSAPI , PLAIN , SCRAM - SHA - 1 , SCRAM - SHA - 256 , MONGODB - AWS
19071807
1908- Sets the Mechanism property on the MongoCredential . When not set, the default will be one of SCRAM - SHA - 256 ,
1909- SCRAM - SHA - 1 or MONGODB - CR , following the auth spec default mechanism rules.
1808+ Sets the Mechanism property on the MongoCredential . When not set, the default will be SCRAM - SHA - 256 or SCRAM - SHA - 1 ,
1809+ following the auth spec default mechanism rules.
19101810
19111811- authSource
19121812
19131813 Sets the Source property on the MongoCredential.
19141814
19151815For GSSAPI , MONGODB - X509 and MONGODB - AWS authMechanisms the authSource defaults to ` $external` . For PLAIN the authSource
1916- defaults to the database name if supplied on the connection string or ` $external` . For MONGODB - CR , SCRAM - SHA - 1 and
1917- SCRAM - SHA - 256 authMechanisms, the authSource defaults to the database name if supplied on the connection string or
1918- ` admin` .
1816+ defaults to the database name if supplied on the connection string or ` $external` . For SCRAM - SHA - 1 and SCRAM - SHA - 256
1817+ authMechanisms, the authSource defaults to the database name if supplied on the connection string or ` admin` .
19191818
19201819- authMechanismProperties= PROPERTY_NAME : PROPERTY_VALUE ,PROPERTY_NAME2 : PROPERTY_VALUE2
19211820
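Review bot: The reflowed authSource paragraph at lines 1815-1817 still says that for PLAIN the authSource "defaults to the database name if supplied on the connection string or `$external`", which contradicts the PLAIN section earlier in this same file: "Since the credentials are stored outside of MongoDB, the `$external` database must be used for authentication." Since this hunk already rewrites that sentence to drop MONGODB-CR, it would be a good moment to resolve the conflict rather than carry it forward; either PLAIN belongs with GSSAPI, MONGODB-X509 and MONGODB-AWS in the `$external` list, or the PLAIN section's MUST needs softening. The authMechanism enumeration and the default-mechanism sentence at lines 1806-1809 correctly match the updated "Default Authentication Methods" text.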