> I don't want to escape the authentication flow from inside a SASL mech, though (it's unusual/invisible to other maintainers, plus it bypasses the ClientAuthentication_hook).

I tried to figure out if this is fine or not, but isn't it the same as the existing ereport(ERROR, ...) calls everywhere in the sasl/scram code? I didn't see any clear pattern, for example the LDAP code clearly uses ereport(LOG, ...); return STATUS_ERROR; even for internal/configuration errors, while the scram/sasl code uses ereport(ERROR, ...) for those errors.
