SCRAM Authentication

WAMP-SCRAM is a WAMP-level authentication mechanism which uses SCRAM (Salted Challenge Response Authentication Mechanism). This is based on RFC 5802 which standardizes SCRAM.

NOTE this authentication method is still under specification and development; see wamp-proto issue 135.

SCRAM uses a slow “key derivation function” (KDF) to hash a secret known only to the client; Crossbar only ever sees secret data derived from this secret. This means that even if the entire credential database was stolen from the Crossbar server, an attacker still doesn’t learn the actual client secret (that is, their password). SCRAM also includes a step where the client verifies the server.

The process of deriving and sharing the secret data with the server (“user registration”) is not specified and that is currently up to application developers.

The draft WAMP specification includes Argon2id and PBKDF2 as possible KDFs and uses SHA256 as the hash function (for operations that require hashing). We do not yet support channel-binding. We recommend using Argon2id.

We currently have Autobahn|Python implementated and have an example of its use in the Autobahn|Python repository.