Re: [HACKERS] SCRAM protocol documentation
From | Álvaro Hernández Tortosa |
---|---|
Subject | Re: [HACKERS] SCRAM protocol documentation |
Date | |
Msg-id | 632943bb-c99a-e8f9-6ac9-165ec93d0060@8kdata.com |
In response to | [HACKERS] SCRAM protocol documentation (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>) |
Responses | Re: [HACKERS] SCRAM protocol documentation |
List | pgsql-hackers |
On 11/08/17 03:57, Peter Eisentraut wrote:
> The SCRAM protocol documentation
> (https://www.postgresql.org/docs/devel/static/sasl-authentication.html)
> states
>
> "To avoid confusion, the client should use pg_same_as_startup_message as
> the username in the client-first-message."
>
> However, the client implementation in libpq doesn't actually do that, it
> sends an empty string for the user name. I find no other reference to
> "pg_same_as_startup_message" in the sources. Should the documentation
> be updated?
>
> Relatedly, the SCRAM specification doesn't appear to allow omitting the
> user name in this manner. Why don't we just send the actual user name,
> even though it's redundant with the startup message?
>

Hi Peter.

You are absolutely right, I was also surprised by this when I was doing the JDBC implementation. Actually I chose to send an asterisk ("*"), see https://github.com/pgjdbc/pgjdbc/pull/842/files#diff-c52128420a3882543ffa20a48964abe4R88, as it is shorter than the username (likely). I don't like the empty string either, and actually the library built for the JDBC and used in pgjdbc does explicitly disallow the use of an empty username.

If there's a clear meaning about ignoring the user here, why not settle on something like the "*"? It's not going to change the world sending a few bytes less on initialization, but I guess it doesn't hurt either...

Álvaro

--
Álvaro Hernández Tortosa

-----------
<8K>data
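
Added example, not part of the original message and not libpq or pgjdbc code: a small RFC 5802 client-first-message builder and parser showing why the empty user name discussed in this thread fails a strict reading of the `saslname` grammar while `*` or the real name passes. All function names are hypothetical, the nonce is a constructed value, and `effective_user` encodes the assumption, taken from the thread, that the server relies on the startup-message user rather than on `n=`.

```python
import re

# RFC 5802: saslname = 1*(value-safe-char / "=2C" / "=3D"), so it is never empty.
_SASLNAME = re.compile(r"(?:[^,=\x00]|=2C|=3D)+")


def encode_saslname(name):
    """Escape '=' first, then ',', so the '=' of '=2C' is not re-escaped."""
    return name.replace("=", "=3D").replace(",", "=2C")


def decode_saslname(value):
    return value.replace("=2C", ",").replace("=3D", "=")


def build_client_first(username, nonce):
    """gs2-header 'n,,' (no channel binding, no authzid) + n=<user>,r=<nonce>."""
    return "n,,n=%s,r=%s" % (encode_saslname(username), nonce)


def parse_client_first(message, strict=True):
    """Parse a client-first-message; strict=True applies the RFC grammar to n=."""
    cbind, authzid, bare = message.split(",", 2)
    if cbind not in ("n", "y") and not cbind.startswith("p="):
        raise ValueError("bad gs2-cbind-flag")
    fields = bare.split(",")
    if len(fields) < 2 or not fields[0].startswith("n=") or len(fields[1]) < 3 \
            or not fields[1].startswith("r="):
        raise ValueError("expected n=<user>,r=<nonce>")
    raw_user = fields[0][2:]
    # Lenient mode tolerates only the empty name; escaping is always checked.
    if (strict or raw_user) and not _SASLNAME.fullmatch(raw_user):
        raise ValueError("empty or badly escaped saslname")
    return {"user": decode_saslname(raw_user), "nonce": fields[1][2:]}


def effective_user(startup_user, message):
    """Assumption from the thread: n= is redundant, the startup-message user is used."""
    parse_client_first(message, strict=False)
    return startup_user


if __name__ == "__main__":
    nonce = "c0nstructedN0nce"  # constructed sample value
    for name in ("", "*", "alice", "a,b=c"):
        msg = build_client_first(name, nonce)
        try:
            print(repr(msg), "->", parse_client_first(msg))
        except ValueError as exc:
            print(repr(msg), "-> rejected by strict parser:", exc)
```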