On 11/08/17 03:57, Peter Eisentraut wrote:
> The SCRAM protocol documentation
> (https://www.postgresql.org/docs/devel/static/sasl-authentication.html)
> states
>
> "To avoid confusion, the client should use pg_same_as_startup_message as
> the username in the client-first-message."
>
> However, the client implementation in libpq doesn't actually do that, it
> sends an empty string for the user name. I find no other reference to
> "pg_same_as_startup_message" in the sources. Should the documentation
> be updated?
>
> Relatedly, the SCRAM specification doesn't appear to allow omitting the
> user name in this manner. Why don't we just send the actual user name,
> even though it's redundant with the startup message?
>
Hi Peter.
You are absolutely right, I was also surprised by this when I was
doing the JDBC implementation. Actually I chose to send an asterisk
("*"), see
https://github.com/pgjdbc/pgjdbc/pull/842/files#diff-c52128420a3882543ffa20a48964abe4R88,
as it is shorter than the username (likely).
I don't like the empty string either, and actually the library
built for the JDBC and used in pgjdbc does explicitly disallow the use
of an empty username.
If there's a clear meaning about ignoring the user here, why not
settle on something like the "*"? It's not going to change the world
sending a few bytes less on initialization, but I guess it doesn't hurt
either...
Álvaro
--
Álvaro Hernández Tortosa
-----------
<8K>data