need help with implementing auth scram-sha-1


Valery Tikhonov

Mar 30, 2015, 7:37:36 AM3/30/15
to mongo...@googlegroups.com
I am trying to implement the new authorization algorithm SCRAM-SHA-1 in the mongodb-erlang driver.
I implemented the first two steps, but always get
{code,18,errmsg, <<"Authentication failed.">>}
I captured traffic and compared the packets sent from mongo-java-driver, which passes authentication, and from my driver.

I found that if I send the first-step auth packet without base64 encoding, I get an error immediately. When I base64-encode the ClientMessage in the request, I get to the next step (but fail it later).
Here are the screens:
[three packet-capture screenshots, not reproduced here]
The first screen is from mongo-java-driver, which is proper and according to the protocol, with first byte "n".
The second screen is from the Erlang driver, which should be proper, as it sends the payload as described in the reference. The only difference I can see is the "%" symbol that comes after "payload"; in mongo-java-driver there is "$" instead.
On the third screen I encoded the payload in base64, so I think it does not match the protocol (we need "n,,..."). But it passes and gives me data for the second step. I rechecked the data: the nonce from the second step really starts with the nonce from the third step.
So my first question is: does the database server accept base64 payload requests?
I think I make a mistake in the second-step algorithm. But I can't check it, as I can't debug the original mongo-java-driver. I cloned its GitHub repo (master, and then the 3.0.0-rc1 tag) and ran
./gradlew check
But it fails to build the driver, so I am not able to debug the difference between my algorithm and the working one.
The only thing I could do was download the already-built jar from Maven and run it in a Java project. But I need to add debug code inside the driver to see how it works. (The build log is attached to this letter.)
My second question is: how do I build the Java driver?

With best regards.
buildlog.log

Craig Wilson

Mar 30, 2015, 8:31:29 AM3/30/15
to mongo...@googlegroups.com
Hi Valery,

This might help: https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#scram-sha-1.  It contains an example conversation you should be able to follow in your driver to figure out where something is going wrong.  Basically, what we did in Java and .NET was to define functions named the same as in the RFC. From there, using the example conversation, we could go step by step and prove each one so we could isolate the issue.

Craig

Valery Tikhonov

Apr 13, 2015, 4:55:17 AM4/13/15
to mongo...@googlegroups.com
Okay, I investigated this article and my algorithms, and wrote a test.
I have a few more questions, as this article doesn't explain some things.
First of all, the Conversation part, where the example conversation is.
I made a test based on this conversation. But I had a difference with this document:
On the client's second reply I had
"c=biws,r=fyko+d2lbbFgONRv9qkxdawLHo+Vgk7qvUOKUwuWLIWg4l/9SraGMHEE,p=p9U2M7VmRe491rSaPiWS2jnp/r0=" instead of
"c=biws,r=fyko+d2lbbFgONRv9qkxdawLHo+Vgk7qvUOKUwuWLIWg4l/9SraGMHEE"
In this doc the proof is missing. I think there is a mistake in this article, as I found the proof in your Java driver (ScramSha1Authenticator, L 183).



Craig Wilson

Apr 15, 2015, 4:29:01 PM4/15/15
to mongo...@googlegroups.com
Yes, it appears as though the example conversation does not match up with the example sasl one below it. I've made that correction. However, the value you are finding doesn't match what is in the spec, nor what is in the tests for the java or .NET drivers. The correct value is this:

c=biws,r=fyko+d2lbbFgONRv9qkxdawLHo+Vgk7qvUOKUwuWLIWg4l/9SraGMHEE,p=MC2T8BvbmWRckDw8oWl5IVghwCY=

Thanks for spotting that and my apologies for the mistake.

Valery Tikhonov

Apr 16, 2015, 9:49:27 AM4/16/15
to mongo...@googlegroups.com
Thanks!
After you added the valid proof I found and fixed the mistake in my algorithms. They are now correct and I am able to pass authentication!