On 11/08/17 03:57, Peter Eisentraut wrote:
The SCRAM protocol documentation
(https://www.postgresql.org/docs/devel/static/sasl-authentication.html)
states

"To avoid confusion, the client should use pg_same_as_startup_message as
the username in the client-first-message."

However, the client implementation in libpq doesn't actually do that, it
sends an empty string for the user name.  I find no other reference to
"pg_same_as_startup_message" in the sources.  Should the documentation
be updated?

Relatedly, the SCRAM specification doesn't appear to allow omitting the
user name in this manner.  Why don't we just send the actual user name,
even though it's redundant with the startup message?


Hi Peter.

You are absolutely right, I was also surprised by this when I was doing the JDBC implementation. Actually I chose to send an asterisk ("*"), see https://github.com/pgjdbc/pgjdbc/pull/842/files#diff-c52128420a3882543ffa20a48964abe4R88, as it is shorter than the username (likely).

I don't like the empty string either, and actually the library built for the JDBC and used in pgjdbc does explicitly disallow the use of an empty username.

If there's a clear meaning about ignoring the user here, why not settle on something like the "*"? It's not going to change the world sending a few bytes less on initialization, but I guess it doesn't hurt either...


Álvaro

--

Álvaro Hernández Tortosa


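The disagreement above is about what may legally go in the `n=` attribute of the SCRAM client-first-message. As an added example (not code from libpq, pgjdbc or the PostgreSQL docs), the following builds and parses that message per the RFC 5802 grammar, where `saslname = 1*(value-safe-char / "=2C" / "=3D")`: the user name must be at least one character long, with `,` and `=` escaped. It shows that `*` and `pg_same_as_startup_message` are valid names while the empty string is not. The nonce and message strings are constructed for the example; PostgreSQL itself takes the user from the startup message and does not use this field.

```python
# Added example: SCRAM client-first-message construction and parsing
# following RFC 5802 section 7. Not PostgreSQL or pgjdbc code.
import base64
import re
import secrets
from typing import Dict, Optional

# saslname = 1*(value-safe-char / "=2C" / "=3D")
# value-safe-char is any UTF-8 char except NUL, ',' and '='.
_SASLNAME_RE = re.compile(r"^(?:[^\x00,=]|=2C|=3D)+$")


def encode_saslname(name: str) -> str:
    """Escape ',' and '=' as RFC 5802 requires ('=' first, so '=2C' is unambiguous)."""
    return name.replace("=", "=3D").replace(",", "=2C")


def decode_saslname(encoded: str) -> str:
    """Single-pass reverse of encode_saslname."""
    return re.sub(r"=2C|=3D", lambda m: "," if m.group() == "=2C" else "=", encoded)


def is_valid_saslname(encoded: str) -> bool:
    """True if the already-escaped name matches the saslname production (non-empty)."""
    return _SASLNAME_RE.fullmatch(encoded) is not None


def client_first_message(username: str, nonce: Optional[str] = None) -> str:
    """Build 'n,,n=<user>,r=<nonce>' (no channel binding, no authzid).

    Raises ValueError for names the grammar rejects, such as the empty string.
    """
    if nonce is None:
        # r= must be printable ASCII without ',' ; base64 satisfies that.
        nonce = base64.b64encode(secrets.token_bytes(18)).decode("ascii")
    encoded = encode_saslname(username)
    if not is_valid_saslname(encoded):
        raise ValueError(f"username {username!r} is not a valid RFC 5802 saslname")
    gs2_header = "n,,"  # cbind-flag 'n', empty authzid
    return f"{gs2_header}n={encoded},r={nonce}"


def parse_client_first_message(msg: str) -> Dict[str, Optional[str]]:
    """Parse gs2-header + client-first-message-bare; reject an empty or unescaped name."""
    m = re.fullmatch(r"(n|y|p=[^,]+),(?:a=([^,]*))?,n=([^,]*),r=([^,]+)(?:,.*)?", msg)
    if m is None:
        raise ValueError("malformed client-first-message")
    cbind, authzid, name, nonce = m.groups()
    if not is_valid_saslname(name):
        raise ValueError("username is empty or contains an unescaped '='")
    return {
        "cbind": cbind,
        "authzid": authzid,
        "username": decode_saslname(name),
        "nonce": nonce,
    }


if __name__ == "__main__":
    # Constructed inputs: the two names discussed in the thread, plus one
    # that needs escaping, and the empty name that the grammar forbids.
    for user in ["*", "pg_same_as_startup_message", "a,b=c"]:
        msg = client_first_message(user, nonce="fyko+d2lbbFgONRv9qkxdawL")
        print(msg, "->", parse_client_first_message(msg)["username"])
    try:
        client_first_message("")
    except ValueError as e:
        print("empty username rejected:", e)
```

Both `*` and the documented placeholder are accepted by the grammar; the empty string is rejected by both the builder and the parser, which is the spec-level problem the thread is pointing at, independent of which non-empty placeholder a client settles on.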

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers