To be honest, I'm not sure what can and cannot be done in auth code. I took inspiration from the existing SSPI code and nearly every error check in pg_SSPI_recvauth() ends up doing ereport(ERROR) already, directly or via pg_SSPI_error(). If this could cause serious trouble, someone would have noticed by now.
I think the problem is whether the report is sent to the client or not, but I may be confusing it with something else (COMMERROR reports?).
What *could* happen, anyway? Can ereport(ERROR) in a backend make the postmaster panic badly enough to force a shared memory reset?
Probably not, since it's running in a backend already at that point, not in postmaster.
It seems like this patch should be set "ready for committer". Can one of the reviewers do that if appropriate?
I'll pick it up to do that as well as committing it.