#1 2025-11-03 17:39:39

Bjoern Henke
Member
Registered: 2022-11-22
Posts: 8

Authentication error with MongoDB 8.1/8.2

With newer MongoDB versions the authentication fails.

Reason is the following:
Any application that runs the buildInfo command before authenticating is incompatible with MongoDB 8.1.
(https://www.mongodb.com/docs/manual/rel … atibility/)

mORMot calls buildinfo in TMongoClient.AfterOpen before TMongoClient.Auth because Auth needs the correct ServerBuildInfoNumber.

My current idea is to set fServerBuildInfoNumber to at least 8010000 if buildinfo fails with {"ok":0,"errmsg":"Command buildInfo requires authentication","code":13,"codeName":"Unauthorized"}.
Or simply give TMongoClient.Auth an option to force SCRAM-SHA-1 (like ForceMongoDBCR, but with contrary effect).


#2 2025-11-03 19:28:38

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,261

Re: Authentication error with MongoDB 8.1/8.2

I guess this may not be enough.

We have to fix AfterOpen to not include fServerBuildInfo.
Then we could check hello.maxWireVersion < 3 to force MD5 auth - or just ignore it and expect ForceMongoDBCR for those legacy / deprecated DB.
But then we would need an AfterAuth virtual method to fill fServerBuildInfo.

OR

We could just call AfterOpen() only after auth.

AND/OR

We could properly use the saslSupportedMechs field in hello.

What do you think?

PS: btw I suspect SCRAM-SHA-256 should be added to our client...


#3 2025-11-04 09:25:50

Bjoern Henke
Member
Registered: 2022-11-22
Posts: 8

Re: Authentication error with MongoDB 8.1/8.2

As a temporary quick workaround I'm currently setting FServerBuildInfoNumber to 8010000 before Auth and moved AfterOpen after Auth. (Of course, this only works because we don't need support for those really old versions.)

I think the best approach would be to separate buildinfo from AfterOpen. In TMongoClient.Open we could call it before or after AfterOpen but in TMongoClient.OpenAuth it must be called after Auth.

Using saslSupportedMechs in hello seems to be the best way to determine the correct mechanics but it seems to need DatabaseName and UserName to be passed.

And support for SCRAM-SHA-256 would be great as it is the default since version 4.0 and admins may tend to disable SCRAM-SHA-1.


#4 2025-11-04 09:36:10

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,261

Re: Authentication error with MongoDB 8.1/8.2

About SCRAM-SHA-256 support, I guess we could add it with little effort.
https://gist.github.com/synopse/f2612ac … 562df05934

My concern about SCRAM-SHA-256 is that we would need to re-create the user with server-side password digest.
https://gist.github.com/synopse/5a3ea82 … 1f3da583c6

For our client, I guess that we could just adapt to the latest version of MongoDB (8.1) then fall back to the old auth only when needed.


#5 2025-11-04 09:51:33

Bjoern Henke
Member
Registered: 2022-11-22
Posts: 8

Re: Authentication error with MongoDB 8.1/8.2

ab wrote:

My concern about SCRAM-SHA-256 is that we would need to re-create the user with server-side password digest.
https://gist.github.com/synopse/5a3ea82 … 1f3da583c6

If the user was created without SCRAM-SHA-256 then it needs to be recreated to use it. But if we use saslSupportedMechs in hello it should be possible to automatically choose the highest available (and supported) mechanism for the user. Or just let the user choose the authentication mechanism like MongoDB Compass does.

Last edited by Bjoern Henke (2025-11-04 09:52:03)
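
The negotiation discussed in this thread, as an added Python sketch (not mORMot code and not written by either poster): the mechanism is chosen from the hello reply, and buildInfo is only sent after authentication. `FakeServer`, `open_auth`, `choose_mechanism`, `build_hello` and the sample replies are hypothetical and constructed; the SCRAM-SHA-1 default when `saslSupportedMechs` is missing from the reply is an assumption.

```python
# Added sketch, not mORMot code; server replies are constructed samples.
CLIENT_PREFERENCE = ("SCRAM-SHA-256", "SCRAM-SHA-1")  # strongest first

def build_hello(database, user):
    """hello command that also asks which mechanisms this user can use."""
    return {"hello": 1, "saslSupportedMechs": f"{database}.{user}"}

def choose_mechanism(hello_reply, client_supported=CLIENT_PREFERENCE):
    """Select the mechanism from the hello reply alone, without buildInfo."""
    if hello_reply.get("maxWireVersion", 0) < 3:
        return "MONGODB-CR"  # legacy MD5 auth (ForceMongoDBCR case, post #2)
    offered = hello_reply.get("saslSupportedMechs")
    if offered is None:
        # Assumption: field absent (e.g. unknown user) -> SCRAM-SHA-1 default.
        return "SCRAM-SHA-1"
    for mech in client_supported:
        if mech in offered:
            return mech
    raise ValueError(f"no common mechanism; server offers {offered}")

class FakeServer:
    """Constructed stand-in for a server that gates buildInfo behind auth."""
    def __init__(self, hello_reply):
        self.hello_reply = hello_reply
        self.authenticated = False

    def command(self, cmd):
        name = next(iter(cmd))  # first key is the command name
        if name == "hello":
            return {**self.hello_reply, "ok": 1}
        if name == "buildInfo":
            if self.authenticated:
                return {"ok": 1, "version": "8.1.0"}  # constructed value
            return {"ok": 0, "code": 13, "codeName": "Unauthorized",
                    "errmsg": "Command buildInfo requires authentication"}
        raise ValueError(f"unsupported command {name}")

def open_auth(server, database, user):
    """hello -> choose mechanism -> authenticate -> only then buildInfo."""
    mech = choose_mechanism(server.command(build_hello(database, user)))
    server.authenticated = True  # placeholder for the SASL conversation
    return mech, server.command({"buildInfo": 1})

if __name__ == "__main__":
    srv = FakeServer({"maxWireVersion": 25,  # constructed sample reply
                      "saslSupportedMechs": ["SCRAM-SHA-1", "SCRAM-SHA-256"]})
    print(srv.command({"buildInfo": 1})["codeName"])  # before auth
    print(open_auth(srv, "admin", "appuser"))
```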


#6 2025-11-04 09:52:55

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,261

Re: Authentication error with MongoDB 8.1/8.2

Can you please create an issue on our GitHub repo for this?

Thanks for the feedback.
