On 11/08/17 03:57, Peter Eisentraut wrote:
The SCRAM protocol documentation

"To avoid confusion, the client should use pg_same_as_startup_message as
the username in the client-first-message."

However, the client implementation in libpq doesn't actually do that, it
sends an empty string for the user name.  I find no other reference to
"pg_same_as_startup_message" in the sources.  Should the documentation
be updated?

Relatedly, the SCRAM specification doesn't appear to allow omitting the
user name in this manner.  Why don't we just send the actual user name,
even though it's redundant with the startup message?

    Hi Peter.

You are absolutely right, I was also surprised by this when I was doing the JDBC implementation. Actually I chose to send an asterisk ("*"), see https://github.com/pgjdbc/pgjdbc/pull/842/files#diff-c52128420a3882543ffa20a48964abe4R88, as it is shorter than the username (likely).

I don't like the empty string either, and actually the library built for the JDBC and used in pgjdbc does explicitly disallow the use of an empty username.

If there's a clear meaning about ignoring the user here, why not settle on something like the "*"? It's not going to change the world sending a few bytes less on initialization, but I guess it doesn't hurt either...



Álvaro Hernández Tortosa


Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to