Andrew Dunstan <andrew@dunslane.net> writes:
> Tom Lane wrote:
>> Then you get into the problem that it has to work for *all* auth
>> methods, which in general it will not, because the client probably isn't
>> prepared for multiple auth challenges.
> Yes, if we did that we'd probably have to fix libpq to allow for it (and
> any native protocol implementations such as JDBC). Can the wire protocol
> handle it?
Not really --- the problem is what does a client do if faced with an
unanswerable challenge, eg password requested when it has no password.
libpq currently just disconnects. You could maybe kluge it to send back
an empty password or some such, but it'd be better if the protocol had
an explicit "fail" response. In any case, "let's fix all the clients"
isn't very practical --- what of clients running older copies of libpq?
regards, tom lane