class SCRAMAuthenticator

Library: RemotingNG/TCP
Package: TCP
Header: Poco/RemotingNG/TCP/SCRAMAuthenticator.h


This abstract Authenticator implementation provides the SCRAM-SHA-1 (Salted Challenge Response Authentication Mechanism with SHA-1) authentication mechanism.

SCRAM specifies the authentication message exchange between the client and the server. It uses the PBKDF2 algorithm from the Public-Key Cryptography Standards (PKCS) and has the following features:

  • The password is never transmitted in plain text, only a hash of the password is transmitted from client to server.
  • The server does not need to store the passwords in plain text (or encrypted); salted hashes of the passwords are sufficient.
  • The protocol allows for authenticating the client against the server and also authenticating the server against the client.

Since the Remoting framework does not provide user account and password storage, this class must be subclassed and the following methods must be implemented:


Direct Base Classes: Poco::RemotingNG::Authenticator

All Base Classes: Poco::RefCountedObject, Poco::RemotingNG::Authenticator

Member Summary

Member Functions: authenticate, computeClientProof, computeServerSignature, createNonce, digestToBinaryString, digestToHexString, hashForUser, newConversationID, saltForUser

Inherited Functions: authenticate, duplicate, referenceCount, release

Nested Classes

struct Conversation protected


Types Aliases

ConversationCache protected

using ConversationCache = Poco::ExpireCache < Poco::UInt32, Conversation >;


using Ptr = Poco::AutoPtr < SCRAMAuthenticator >;


State protected







Creates the SCRAMAuthenticator.


~SCRAMAuthenticator virtual


Destroys the SCRAMAuthenticator.

Member Functions

authenticate virtual

AuthenticateResult authenticate(
    const Credentials & credentials,
    Poco::UInt32 conversationID

computeClientProof static

static std::string computeClientProof(
    const std::string & username,
    const std::string & clientNonce,
    const std::string & salt,
    int iterations,
    const std::string & saltedPassword,
    const std::string & serverNonce,
    std::string & clientAuthMessage

computeServerSignature static

static std::string computeServerSignature(
    const std::string & saltedPassword,
    const std::string & clientAuthMessage

createNonce static

static std::string createNonce();

digestToBinaryString static

static std::string digestToBinaryString(
    Poco::DigestEngine & engine

digestToHexString static

static std::string digestToHexString(
    Poco::DigestEngine & engine

hashForUser protected virtual

virtual std::string hashForUser(
    const std::string & username
) = 0;

Returns the PBKDF2-hashed password for the given user.

Note that the returned string must contain the raw bytes of the hash, not the hex-encoded or base64-encoded hash.

newConversationID protected

Poco::UInt32 newConversationID();

Generates a new Conversation ID.

saltForUser protected virtual

virtual std::string saltForUser(
    const std::string & username,
    int & iterations
) = 0;

Returns the salt for hashing the given user's password, as well as the number of iterations for the PBKDF2 algorithm.

Returns an empty string if the user does not exist.