>> However it does lack any way to support indicating to the server
>> which
>> credential will be used, other than perhaps by implication from the SASL
>> mechanism.
>>
>>
>That's not the purview of a SASL profile. If a SASL mechanism supports
>multiple credentials, that's entirely encapsulated within that mechanism.
Except that it is not. For example all of the SCRAM-SASL-* profiles can
easily support authentication with any of the passwords on an account, but
they need to know in advance which one is being used. So SASL mechanism is
insufficient for selecting credential by itself.
The same goes for the HT-* token mechanisms.
Yes, I mean, the SASL profile itself doesn't do anything there.
If you want to indicate a particular credential, you could use the authentication identifier to select which, and the authorization identifier might remain the same. Or a mechanism might support multiple credentials.
But the SASL profile isn't involved here.