Upgrading to MySQL 8.0 : Default Authentication Plugin Considerations

If you are upgrading your server to MySQL 8.0 and observe that your application is experiencing errors related to the caching_sha2_password plugin, it is likely because your clients/connectors do not (yet) support the caching_sha2_password plugin. To resolve this issue, you may consider using mysql_native_password as the default authentication plugin for the MySQL 8.0 server. Add an entry to the MySQL configuration file that sets default-authentication-plugin to mysql_native_password.

This way, once the server is restarted, your existing applications should be able to connect to the server without any issues.

Here is the list of connectors that have caching_sha2_password support.

At the time of writing this post, the following connectors do not have support for caching_sha2_password.

Please note that this list is not exhaustive.

Let us know if you still have problems after the upgrade.

However, you should actively consider switching to caching_sha2_password as the default choice for authentication (and as the authentication plugin for your existing user accounts) because it provides better security. So, check with your connector provider for updates on support for caching_sha2_password.

The longer version!

MySQL 8.0 supports a new authentication plugin: caching_sha2_password. This plugin is also the new default value for the --default-authentication-plugin system variable, which governs two things:

  1. The authentication plugin used by a new user account if a plugin is not specified explicitly through the CREATE USER statement
  2. The initial authentication data payload generated by the server for a new connection.

When a client tries to establish a new connection to a MySQL server, the server passes information about its default authentication plugin to the client.

Clients/connectors like libmysqlclient do not rely on the server's default authentication plugin for sending initial authentication data. They have their own way of determining the default authentication plugin. This is done by checking the MYSQL_DEFAULT_AUTH value (it can be set through mysql_options()) and choosing the authentication plugin accordingly. For example, in the case of the 5.7 libmysqlclient, the default value for MYSQL_DEFAULT_AUTH is mysql_native_password. Hence, when a 5.7 libmysqlclient is used to connect to MySQL 8.0, it will always use mysql_native_password to send the first authentication data to the server. This is regardless of the server's default authentication plugin value. So, if your applications use such clients/connectors, you should not face any difficulty with existing user accounts when you upgrade from MySQL 5.7 to MySQL 8.0.

However, there are clients/connectors that use the server's default authentication value to determine the format in which authentication data is to be sent to the server. If such clients do not support the new default, caching_sha2_password (AND if they do not support specifying the authentication plugin to be used regardless of the server's value), they are likely to fail with an error that essentially says that the client does not know any plugin named caching_sha2_password. If your applications are using such clients/connectors, they will have issues connecting to a MySQL 8.0 server after the upgrade. In such cases, unless the clients/connectors start supporting caching_sha2_password or change behavior and stop relying on the server's default, they cannot connect to a MySQL 8.0 server that uses caching_sha2_password as the default. Hence, until such clients/connectors are updated, --default-authentication-plugin for the MySQL 8.0 server should be set to a value that is compatible with them.
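The sketch below is an added example, not code from the original post or from MySQL: it parses the server's initial handshake packet (protocol version 10) to show where the default authentication plugin is advertised, and models the two client behaviours described above. The packet is constructed sample input, and build_handshake, parse_handshake and first_auth_plugin are hypothetical names.

```python
import struct

CLIENT_PLUGIN_AUTH = 0x00080000  # capability bit: handshake names an auth plugin


def build_handshake(version: bytes, plugin: bytes) -> bytes:
    """Constructed sample input: a HandshakeV10 packet with a dummy scramble."""
    caps = 0x0000F7FF | CLIENT_PLUGIN_AUTH
    scramble = bytes(range(1, 21))  # 20 dummy bytes, not a real nonce
    body = b"\x0a" + version + b"\x00"  # protocol version 10, server version
    body += struct.pack("<I", 8) + scramble[:8] + b"\x00"  # thread id, part 1, filler
    body += struct.pack("<HBH", caps & 0xFFFF, 0xFF, 0x0002)  # caps low, charset, status
    body += struct.pack("<HB", caps >> 16, len(scramble) + 1) + b"\x00" * 10
    body += scramble[8:] + b"\x00" + plugin + b"\x00"  # part 2, plugin name
    return len(body).to_bytes(3, "little") + b"\x00" + body  # header: length, seq 0


def parse_handshake(packet: bytes) -> dict:
    """Return the server version and the auth plugin the server advertises."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if len(body) != length or body[:1] != b"\x0a":
        raise ValueError("not a complete HandshakeV10 packet")
    end = body.index(b"\x00", 1)
    pos = end + 1 + 4 + 8 + 1  # skip thread id, scramble part 1, filler
    caps_low, _cs, _status, caps_high, data_len = struct.unpack_from("<HBHHB", body, pos)
    pos += 8 + 10  # the fields just read, then 10 reserved bytes
    plugin = None
    if (caps_low | caps_high << 16) & CLIENT_PLUGIN_AUTH:
        pos += max(13, data_len - 8)  # scramble part 2
        name_end = body.find(b"\x00", pos)
        plugin = body[pos:name_end if name_end != -1 else None].decode()
    return {"version": body[1:end].decode(), "plugin": plugin}


def first_auth_plugin(advertised, supported, client_default=None):
    """Simplified model of the two client behaviours described in the post."""
    if client_default:  # client picks its own default (MYSQL_DEFAULT_AUTH style)
        return client_default
    if advertised not in supported:  # follows the server default, lacks the plugin
        raise LookupError(f"client does not know any plugin named {advertised}")
    return advertised


if __name__ == "__main__":
    info = parse_handshake(build_handshake(b"8.0.0-sample", b"caching_sha2_password"))
    print(info)
    print(first_auth_plugin(info["plugin"], {"mysql_native_password"},
                            client_default="mysql_native_password"))
```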

The new default, caching_sha2_password, provides better security, and one should consider using it for user accounts at the earliest opportunity. Here is the list of clients/connectors that support caching_sha2_password. Please read one of the previous posts about caching_sha2_password for more details.

Also see the notes on caching_sha2_password in our documentation page about upgrading MySQL. It covers various scenarios and provides very useful information about resolving possible issues.

As always, a big thank you for using MySQL!
