No, you cannot connect to MongoDB using SCRAM-SHA-256 authentication for a user that was explicitly created with only the SCRAM-SHA-1 mechanism (i.e., specifying mechanisms: ["SCRAM-SHA-1"] in db.createUser()).
Here's why:
- When creating a user, the
mechanismsfield determines which SCRAM variants' credentials are stored for that user. SCRAM-SHA-1 and SCRAM-SHA-256 are distinct: the former uses SHA-1 hashing, while the latter uses SHA-256 and requires server-side password digestion (passwordDigestor: "server"). - If only SCRAM-SHA-1 is specified, the server stores only the corresponding salted password verifier for that mechanism. Attempting SCRAM-SHA-256 authentication will fail because the server lacks the SHA-256 credentials for the user.
- By default (without specifying
mechanisms), MongoDB creates users with both SCRAM-SHA-1 and SCRAM-SHA-256 credentials, allowing clients to authenticate using either. You can also explicitly add both viamechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"].
To enable SCRAM-SHA-256 for an existing SCRAM-SHA-1 user, use db.updateUser() to add the mechanism (this requires knowing the plaintext password to re-derive the SHA-256 verifier). For example:
db.updateUser(
"username",
{
pwd: "password",
mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"],
passwordDigestor: "server"
}
)
This upgrades the user to support both without disrupting existing SHA-1 connections. Ensure your MongoDB version is 4.0+ and featureCompatibilityVersion is at least 4.0 for SHA-256 support.